We recently organized a webinar about the new EU regulation GDPR (General Data Protection Regulation). This regulation affects every company and public institution in the European Union as well as foreign companies doing business within the EU. At the webinar we received more questions than we could possibly answer, so here are the answers:
Is there a document available online which lists everything that is considered personal data?
In the GDPR regulation, the definition of personal data is formulated very generally. We cite particular examples and the most common types of personal data on our website, but unfortunately, given the breadth of the regulation, it is not easy to list all the types of data that are considered personal. What can be said is that the regulation applies to any kind of data concerning an identified or identifiable individual.
I keep a record of names, surnames and emails of individuals in a web application. Do these data fall under the GDPR? And do both the operator of the web application and I need to treat them that way?
Yes. Contact data of a natural person are considered personal data, and personal data fall under the GDPR. Both you and the operator of the web app have to treat them accordingly.
How does GDPR apply to data provided to the police (DNA, fingerprints, etc.)?
Data which is required by a particular legal act (such as in a police investigation) can be collected without the explicit consent of the subject. Of course, the data must still meet the other requirements of GDPR; for example, it has to be secured against misuse by the police.
Is the right to be forgotten absolute? If a customer orders goods, and I need his information to complete the order, do I have to delete that information upon request?
The right to be forgotten is not an absolute right. It can be exercised only if the data are no longer necessary for the purpose for which they were originally gathered or processed. Another case in which personal data cannot be deleted is when another legal obligation or law directly prevents the deletion (for instance archiving law, which requires some documents containing personal data to be kept for a period defined by law).
In our CRM we keep records of email addresses and phone numbers of our customers' employees. Will we now need to ask for explicit permission to store them?
It depends on whether you already asked for consent when collecting the information, and also on why you collected it. If you must process the data in order to provide products or services, then the data can be processed to that minimal extent without consent. For example, you definitely need an address to be able to send a product to a customer. In your case, you have to consider whether you really need the contact information of each customer; it depends on your purposes.
It's been mentioned that parental consent is required to process the data of children younger than 16. In this sense, do all services have to keep a record of the age of users? Is it sufficient to ask the user to state his/her age, or is it also necessary to verify the stated age?
Yes, it is essential to verify the stated age of the person who gives consent for data processing.
Parental consent is required when processing the personal data of persons below an age limit in the range of 13 to 16. The particular limit is set by each EU country, so the applicable age depends on the respective country.
The right to data portability is complimentary. Is a bank obliged to provide me with information free of charge?
Yes, they are obliged to provide you with the information free of charge.
Who regulates or controls the wording of the consent document for personal data processing?
There is no particular, regulated consent language. You can refer to the EU's language recommendations or, preferably, consult a legal office that provides consultancy services.
Who exactly does the GDPR apply to? How about an e-shop which only has 2 employees, but processes data of hundreds of customers?
Any e-shop that processes personal customer data must comply with GDPR. Basically, any organization with at least one employee has to process the personal data of its employees, and hence it has to protect that data too.
Do employment agencies have to designate a Data Protection Officer (DPO)?
With regard to the amount and character of the personal data they handle, we dare to say that employment agencies will be obliged to designate a DPO.
GDPR states that processing personal data on a "large scale" triggers the designation of a DPO. How is "large scale" defined? Is there a certain amount of data specified?
The term "large scale" is not clearly defined in the regulation. According to guidelines from Working Party 29, "large scale" is determined by several factors: the number of individuals, the data volume, the duration of data processing, and the territorial range. One example of large-scale processing is the processing of patients' data as part of routine hospital activities (unlike patient data processing by an individual doctor, which is not considered "large scale"). Other examples of large-scale processing are the processing of personal data by a search engine for targeted advertising, and the processing of customer data as part of the routine sales activities of an insurance company or a bank.
If we use an outsourced DPO, how often does he have to perform a check?
The handling of personal data should be monitored constantly. Each company should decide for itself whether to designate an internal or an external DPO.
Who bears the responsibility in case of an incident? And who pays the fine? The administrator or the processor?
There is no definite answer to this question. It depends on whether the incident happens on the administrator's (controller's) side or the processor's side. We recommend defining the responsibilities of both parties very precisely in a contract.
How does GDPR apply to company employees?
GDPR requirements apply to organizations, but data protection responsibilities also naturally pass on to employees who work with the data.
Does the processor himself have the responsibility to comply with GDPR?
If the processor has employees and hence processes their personal data, then the processor of course has to comply with GDPR. Such a company then has two roles: for its clients it serves as processor, while for its employees it serves as administrator.
If our GDPR management is conducted by an external company, who would be fined in the event of a personal data leak? Is the responsibility borne by us, or can it be contractually transferred to the provider?
According to GDPR, the obligation to protect personal data applies to both the administrator and the processor (the external company processing the data). Hence, both entities are responsible for its protection, since they both work with the data, even if the administrator only collects the data and sends it to the processor.
I've read that if a visitor doesn't give consent for personal data processing, his access to the website should be completely denied. Is this true?
One of the new principles GDPR brings is the requirement to obtain unambiguous and unconditional consent for personal data processing from the data subject. If a data subject does not grant consent to the administrator of a service, this does not justify refusing the service, unless the consent is a requirement of the service itself. Here is an example from an e-shop environment: if I provide an e-shop operator with personal data that is essential for purchasing a product, the e-shop operator cannot cancel my order just because I did not give permission to send me marketing emails.
Can a customer prevent us from collecting his/her personal data? For example by saying he/she does not want his/her phone number or IP address to be stored by us?
It depends on the legal basis for processing his/her personal data. If the basis is, for instance, a public interest, then the customer cannot explicitly prohibit you from collecting the information. But by exercising the right of subject access, the customer can raise an objection or ask why a particular type of information is being processed. In other cases, the processing must take place on the grounds of the customer's consent, so the customer is the one who decides which data will be processed.
Are a customer’s business phone number, business email address and business IP address also considered to be personal data?
Yes, if it is possible to identify a particular natural person on the grounds of this information.
Can a company have contracts with more than one DPO?
The management of personal data takes teamwork, but companies are obliged to provide contact information for only one person performing the DPO function. This person will be the main contact, for example, for the supervisory authority.
Our company already complies with ISO 27001. Is this sufficient?
First of all, it is necessary to examine the scope of the ISMS to find out whether it really covers all kinds of personal data processing in the organization. One of the important points within ISO 27001 is compliance with legal acts, including GDPR. Last but not least, GDPR does not concern personal data security alone but also many other areas (rights of data subjects, transfer of personal data abroad, etc.), so make sure that processes are also set up correctly in these areas.
Safetica DLP handles a lot of data. How does it help to comply with GDPR?
Safetica is only a tool (system) that collects and processes personal data. The security of the system itself is supported by encryption of Safetica's own components, as well as encryption of its communication and of the stored personal logs. Since GDPR also places organizational and personnel demands that lie beyond the scope of a software solution, we provide recommendations about what steps to take to use our products in accordance with the regulation.
Does Safetica also work on Mac OS?
So far it works only on Windows, but support for Mac OS is planned soon. At the moment we also offer solutions for Android, iOS and Windows Phone.
I am building an e-shop hosted by a third party (webhosting). Who has the role of DPO? Me, the webhost, or the contract owner?
The DPO is an independent role responsible for overseeing the processing of personal data in an organization.
Does a video surveillance solution for public places come under GDPR?
Yes, video surveillance systems also process personal data (they record the activities of identifiable natural persons), so they also come under GDPR. Obtaining the permission of the people recorded is of course not physically possible in these cases. That is why it is important to identify the legal basis for processing the video recordings and then choose a transparent approach towards the privacy of citizens (the primary condition being suitable notification in the monitored area). The other GDPR requirements of course still apply.
How far into the backup and archive history do the right to be forgotten requirements apply?
If there is no legal act that requires you to archive personal data, then you should delete them from all storage locations, including archives.
We keep records and store them in cloud services, for example Google Suite. Data protection tools are provided and security rules can be set. But who has the responsibility for securing them, us or Google?
Providers of these kinds of services of course have to ensure compliance of their services with GDPR. Both Google and Microsoft have recently announced that they are working hard to bring their services into compliance with GDPR. However, it's important to mention that using these services does not automatically free you from your own responsibility for complying with GDPR. GDPR impacts your whole organization, and just transferring all personal data to G Suite is not enough to comply with it.
Is employee attendance also considered to be personal data?
Certainly, yes. An employee is a natural person and if a record of his/her attendance is unambiguously connected with his/her identifier, then it is considered to be personal data.
After GDPR comes into force, can we continue declaring that papers and identifiers which a candidate has provided us with for the purpose of a selection procedure will not be returned?
Each company determines the rules of its selection procedures itself, but it has to meet the obligations set by GDPR for handling and processing personal data. We are not sure exactly what kind of documents the question refers to, but companies are obliged to protect all documents that contain the personal data of natural persons.
Does GDPR apply also to contact information collected before the regulation comes into force? Do we have to ask our customers for their permission again, so that the new requirements are met?
Yes, GDPR does apply to information collected before May 25th, 2018. We recommend revising all consents gathered up to this point and making sure they are unambiguous and designated for the particular purpose of processing. If data have to be processed for some other legally ordained purpose (for instance public interest), then consent is not required. It could be useful to run a company audit of the legal bases on which the data processing is founded.
I've been wondering about PR agencies. They have media lists (lists of reporters with their contact information) and they process personal data for their own functioning. Do they also come under GDPR? And how do I ensure permission for using a reporter's email address, if this information is publicly available online?
If the information is publicly accessible on the website of the person in question, so that people can contact him/her, you don't have to ask the person for permission. But if you intend to use this piece of information for other reasons (let's say direct marketing of your services), then we recommend asking for the person’s consent.
Let's take a model example. I am a dentist who processes personal and medical records of patients. According to law, I have to keep this documentation for 10 years, either in print form or electronically with an electronic signature. The right to be forgotten does not apply to me. I have two options: to store the data in the software on my computer in my dentist's office, or to store the data online, in the cloud. Do I understand correctly that in either of these options I will de facto transfer the burden of GDPR (to the cloud provider / to the administrator of the data, the software producer)?
In the case when archiving is required of you by a particular legal act, the right to be forgotten does not apply to you; you're right about that part.
To answer the other part: by using either of the two options you named, you do not transfer the burden of GDPR to anybody else. It is you who is considered the data administrator and who carries the responsibility under GDPR; the provider remains solely a provider.
Is there information available on what materials will need to be presented (next year) for audits investigating whether an organization complies with GDPR?
It's anticipated that compliance with GDPR will, with time, become one of the items audited in companies. But at this point in time, when the regulation is not yet in force, no information on this is available yet.
Can the consent for personal data processing be granted to us over the phone?
Yes, but this consent has to be recorded and documentable in case of a check by a supervisory authority, and it has to meet all the GDPR requirements for valid consent.
We keep records about our employees, partners and their employees from around the world. Records are stored on servers in the USA using SAP and Microsoft Cloud (not sure where these MS Cloud servers are located). What are our duties to protect data when servers are out of our reach?
This is a very complex topic, but GDPR rules still apply since you are storing personal data. The most important part for you are the rules about moving records outside EU borders, since your servers are located in the USA and in the cloud. So the first thing you need to learn is where your data are actually stored.
Next, you should analyze the current state of how personal data are being processed. This should map how your organization handles personal data and give you clear recommendations on improving processes, organizational changes or technical measures.
We have a family pension where we are obliged by law to report personal data on our guests to authorities. Do we need to anonymize these data?
Anonymization is not required for every scenario of handling personal data. GDPR Article 32 doesn't provide a complete list of scenarios for anonymization; it is rather a list of areas your company should focus on. If a specific law applies to your business, then you should follow it.
Yes, GDPR applies to your case of personal data processing. You should go step by step through all GDPR requirements and do a gap analysis to make sure that you are compliant. In your case, it might be very quick and easy to do (e.g. the right to be deleted upon a customer's request can be fulfilled by removing a single line in an Excel spreadsheet).
Here are some tips:
- Analyze or collect data only to the extent necessary for your business (is collecting the IP address really necessary?)
- Guarantee the safety of personal data (e.g. data are encrypted and access is password-protected and limited to certain roles)
- Be ready for the rights of data subjects (e.g. a request to remove any records related to a customer, or to export data in a universal machine-readable format; see the right to data portability)
- Remove personal data that is no longer needed on a regular basis
- Document how you handle personal data (all parts required by GDPR)
Safetica Technologies has made every attempt to ensure the accuracy and reliability of the information provided in the article and the discussion below. However, the information is provided "as is" without warranty of any kind. Safetica Technologies does not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained in the article.