38 questions and answers about GDPR

Recently we organized a webinar about the new EU regulation GDPR (General Data Protection Regulation). This regulation affects every company and public institution in the European Union as well as foreign companies doing business within the EU. At the webinar we received more questions than we could possibly answer, so here are the answers:

 

Is there a document available online which lists everything that is considered personal data?

In the GDPR regulation, the definition of personal data is formulated very generally. We cite particular examples and the most common types of personal data on our website, but unfortunately, given the breadth of the regulation, it is not easy to list all the types of data that are considered personal. What can be said is that the regulation applies to any kind of data concerning a determinate or determinable individual.

I keep a record of names, surnames and emails of individuals in a web application. Do these data come under the competence of GDPR? And do both the operator of the web application and I need to treat them that way?

Yes. Contact data of a natural person are considered personal data. And personal data come under the competence of GDPR. You and the operator of the web app both have to approach them accordingly.

How does GDPR apply to the data rendered to police (DNA, fingerprints, etc.)?

Data which is required by a particular legal act (such as in a police investigation) can be collected without the explicit consent of the subject. But of course, the data must adhere to other requirements of GDPR. For example, they have to be secured against being misused by police.

Is the right to be forgotten absolute? If a customer orders goods, and I need his information to complete the order, do I have to delete that information upon request?

The right to be forgotten is not an absolute right. It can be exercised only if the data is no longer necessary for the purpose for which it was originally gathered or processed. Another case in which personal data cannot be deleted is when another legal obligation or law directly prevents the deletion (for instance the archiving law, which requires some documents containing personal data to be kept for a period defined by law).

In CRM we keep record of email addresses and phone numbers of our customers’ employees. Will we now need to ask for explicit permission to store them?

It depends on whether you already asked for consent when collecting the information, and also on why you collected it. If you must process the data in order to provide products or services, then the data can also be processed to the minimal necessary extent without consent. For example, you definitely need an address to be able to send a product to a customer. In your case, you have to consider whether or not you really need the contact information of each customer – it depends on your purposes.

It’s been mentioned that parental consent is required to process the data of children younger than 16. In this sense, do all services have to keep a record of the age of users? Is it sufficient to ask the user to state his/her age, or is it also necessary to verify the stated age?

Yes, it is essential to verify the stated age of the person who gives consent for data processing.

Parental consent is required when processing personal data of persons below an age threshold in the range of 13-16. The exact threshold is set by each EU member state, so it must be checked for the respective country.


The right to data portability is complimentary – is a bank obliged to provide me with information free of charge?

Yes, they are obliged to provide you with information free of charge.

Who regulates/controls wording of the Consent for personal data processing document?

There is no particular, regulated, consent language. You can refer to EU language recommendations, or preferably, consult with legal offices that provide consultancy services.

Who exactly does the GDPR apply to? How about an e-shop which only has 2 employees, but processes data of hundreds of customers?

Any e-shop that processes personal customer data must comply with GDPR. Basically, any organization with at least 1 employee has to process personal data of employees, and hence it has to protect that data too.

Do employment agencies have to designate a Data Protection Officer (DPO)?

With regard to the amount and character of personal data they handle, we would say that employment agencies will have the obligation to designate a DPO.

GDPR states that processing personal data on a “large scale” triggers the designation of a DPO. How is “large scale” defined? Is there a certain amount of data specified?

The term “large scale” is not clearly defined in the regulation. According to guidelines from Working Party 29, “large scale” is determined by several factors: the number of individuals, the data volume, the duration of data processing, and the territorial range. One example of large scale processing is the processing of patients’ data as a part of routine hospital activities (unlike patient data processing by an individual doctor – this is not considered “large scale”). Other examples of large scale processing are the use of search engines to process personal data for targeted advertising, and processing customer data as a part of the routine sales activities of an insurance company or a bank.

If we use an outsourced DPO, how often does he have to perform a check?

The handling of personal data should be constantly monitored. Each company should decide for itself whether to designate an internal or external DPO.

Who bears the responsibility in case of an incident? And who pays the fine? The administrator or the processor?

There is no definite answer to this question. It depends on whether the incident happens on the administrator’s or the processor’s side. We recommend defining the responsibilities of both parties very precisely in a contract.

How does GDPR apply to company employees?

GDPR requirements apply to organizations, but data protection responsibilities also naturally pass on to employees who work with the data.

Does the processor himself have the responsibility to comply with GDPR?

If the processor has employees and hence processes their personal data, then the processor of course has to comply with GDPR. Such a company can then have two roles – for its clients it can serve as processor, while for its employees it serves as administrator.

If our GDPR management is conducted by an external company, who would be fined in the event of a personal data leak? Is the responsibility borne by us, or can it be contractually transferred to the provider?

According to GDPR, the obligation to protect personal data applies to both administrator, and processor (external company processing the data). Hence, both entities are responsible for their protection, since they both work with the data – even if the administrator only collects the data and sends it to the processor.

Can Privacy policy be handled similarly to Cookie policy – by placing a banner with a link to the whole Privacy policy on the web?

For a company that processes personal data, the privacy policy is one of their most important documents. We recommend entrusting the preparation of the directive into the hands of lawyers.

I’ve read that in case that a visitor doesn’t give consent for personal data processing, his access to the website should be completely denied. Is this true?

One of the new principles that GDPR brings is the necessity to acquire unambiguous and unconditional consent for personal data processing from a data subject. If a data subject does not grant their consent to the administrator of a service, it does not justify the failure to provide the service, unless the consent is a requirement of the provider of the service itself. Here is an example from an e-shop environment: if I provide an e-shop operator with personal data that is essential for purchasing a product, the e-shop operator cannot cancel my order just because I did not give him permission to send me marketing emails.

Can a customer prevent us from collecting his/her personal data? For example by saying he/she does not want his/her phone number or IP address to be stored by us?

It depends on the legal purpose for processing his/her personal data. If the purpose is given by, for instance, a public interest, then the customer cannot explicitly prohibit you from collecting the information. But by exercising the right of subject access, the customer can raise an objection or ask why a particular type of information is being processed. The processing must always take place on the grounds of the customer’s consent – so the customer is the one who decides which data will be processed.

 


 

Are a customer’s business phone number, business email address and business IP address also considered to be personal data?

Yes, if it is possible to identify a particular natural person on the grounds of this information.

Can a company have contracts with more than one DPO?

The management of personal data takes teamwork, but companies are obliged to provide contact information for only one person performing the DPO’s function. This will be the main contact person, for example for the supervisory authority.

Our company already complies with ISO 27001. Is this sufficient?

First of all, it is necessary to examine the extent of ISMS to find out if it really applies to all kinds of personal data processing in the organization. One of the important points within ISO 27001 is compliance with legal acts – including GDPR. Last but not least, GDPR does not apply to personal data security alone, but also to many other areas (rights of data subjects, transfer of personal data abroad, etc.) – so make sure that the processes are also set correctly when it comes to these areas.

Safetica DLP handles a lot of data. How does it help to comply with GDPR?

Safetica is only a tool (system) which collects and processes personal data. The security of the system itself is supported by encryption of Safetica’s components, as well as encryption of communication and of stored logs. Since GDPR also places organizational and personnel demands beyond the scope of a software solution, for these specifics we give recommendations about what steps to take to use our products in accordance with the regulation.

Does Safetica also work on Mac OS?

Up to now it works only on Windows, but support for Mac OS is planned soon. At the moment we also offer solutions for Android, iOS and Windows Phone.

I am building an e-shop hosted by a third party (webhosting). Who has the role of DPO? Me, the webhost, or the contract owner?

DPO is a stand-alone entity responsible for the processing of personal data in an organization. You can find more information about DPOs here.

Does a video surveillance solution for public places come under GDPR?

Yes, video surveillance systems also process personal data (identifying activities of a natural person), so they also come under GDPR. Getting permission of the people is of course not physically possible in these cases. That is why it is important to identify the legal base for the processing of video recordings, and then choose a transparent approach towards the privacy of citizens (the primary condition being suitable notification in the monitored area). Further GDPR requirements are of course valid.

How far into the backup and archive history do the right to be forgotten requirements apply?

If there is no legal act that requires you to archive personal data, then you should delete them from all memory files, including archives.

We keep records of data and store them in cloud services, for example Google Suite. There are data protection tools provided and security rules can be set. But who has the responsibility for securing them – us or Google?

Providers of these kinds of services of course have to ensure compliance of their services with GDPR. Both Google and Microsoft have recently announced that they are working hard to bring their services into compliance with GDPR. However, it’s important to mention that by using these services you are not automatically freeing yourself from your own responsibility for complying with GDPR. GDPR impacts your whole organization, and by just transferring all personal data to G-Suite you are not doing enough to comply with it.

Is employee attendance also considered to be personal data?

Certainly, yes. An employee is a natural person and if a record of his/her attendance is unambiguously connected with his/her identifier, then it is considered to be personal data.

After GDPR comes into force, can we continue declaring that papers and identifiers which a candidate has provided us with for the purpose of a selection procedure will not be returned?

Each company determines the rules of selection procedures itself, but it has to meet the obligations set by GDPR about handling and processing personal data. We are not sure what exact kind of documents the question is referring to, but companies are obliged to protect all documents that contain the personal data of natural persons.

Does GDPR apply also to contact information collected before the regulation comes into force? Do we have to ask our customers for their permission again, so that the new requirements are met?

Yes, GDPR does apply to information collected before May 25th, 2018. We recommend you to revise all consents gathered up to this point, and to make sure they are unambiguous and designated for the particular purpose of processing. If data have to be processed for some other legally ordained purpose (for instance public interest), then the consent is not required. It could be useful to run a company audit of legal titles which the data processing is based on.

I’ve been wondering about PR agencies. They have media lists (lists of reporters with their contact information) and they process personal data for their own functioning. Do they also come under GDPR? And how do I ensure permission for using a reporter’s email address, if this information is publicly available online?

If the information is publicly accessible on the website of the person in question, so that people can contact him/her, you don’t have to ask the person for permission. But if you intend to use this piece of information for other reasons (let’s say direct marketing of your services), then we recommend asking for the person’s consent.

Let’s take a model example – I am a dentist who processes personal and medical records of patients. According to law, I have to keep this documentation for 10 years – either in print form or electronically with an electronic signature. The right to be forgotten does not apply to me. I have two options: to store the data in the software on my computer in my dentist’s office, or to store the data online – in the cloud. Do I understand it right that in either of these options I will de facto transfer the burden of GDPR (to the cloud provider/to the administrator of the data – the software producer)?

In the case when archiving is demanded from you by a particular legal act, the right to be forgotten does not apply to you – you’re right in this part.

To answer the other part – by using either of the two options you named, you do not transfer the burden of GDPR to anybody else. It is you who is considered to be the data administrator and who carries the responsibility for GDPR, the provider remains solely a provider.

Is there information available on what materials will need to be presented (next year) for audits investigating whether an organization complies with GDPR?

It’s anticipated that compliance with GDPR will, with time, become one of the audited items in companies. But at this point in time, when the regulation is not yet in force, there is no information on this available yet.

Can the consent for personal data processing be granted to us over the phone?

Yes, but this consent has to be recorded and documentable for cases of a control by a supervisory authority, and it has to meet all the GDPR requirements for correct consent granting.

We keep records about our employees, partners and their employees from around the world. Records are stored on servers in the USA using SAP and Microsoft Cloud (not sure where these MS Cloud servers are located). What are our duties to protect data when servers are out of our reach?

This is a very complex topic, but GDPR rules still apply since you are storing personal data. The most important part for you are the rules about moving records out of EU borders, since your servers are located in the USA and in the cloud. So the first thing you need to learn is where your data are actually stored.

Next, you should analyze the current state of how personal data are being processed. This should map how your organization handles personal data and give you clear recommendations on improving processes, organizational transformation or technical measures.

For more information go to www.safetica.com/gdpr

We have a family pension where we are obliged by law to report personal data on our guests to authorities. Do we need to anonymize these data?

Anonymization is not required for every scenario of handling personal data. GDPR Article 32 doesn’t provide a complete list of scenarios for anonymization – it is rather a list of areas your company should focus on. If a specific law applies to your business, then you should follow it.

I’m working in an online services business and I collect the email addresses and IP addresses of my customers. I use these email addresses to send promotional messages. I use a cloud email tool to mass email. Do I need to extend my Terms of Use with an agreement of processing personal data or do I need to take additional steps to protect email addresses?

Yes, the GDPR regulation applies to your case of personal data processing. You should go step by step through all GDPR requirements and do a gap analysis to make sure that you are compliant. In your case, it might be very quick and easy to do (e.g. the right to be deleted upon a customer’s request can be fulfilled by removing a single line in an Excel spreadsheet).

Here are some tips:

  • You are analyzing or collecting data only to the extent necessary for your business
  • Is collecting the IP address really necessary?
  • You guarantee the safety of personal data (e.g. data are encrypted and access is password-protected and limited to certain roles)
  • You are ready for the rights of data subjects (e.g. a request to remove all records related to a customer, or to export data in a universal machine-readable format – see the right to data portability)
  • You are removing personal data that is no longer needed on a regular basis
  • You’ve documented how you handle personal data (all parts required by GDPR)
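The tips above, turned into a minimal customer store for the online-services case as an added illustration (this is not code from the article or from Safetica): no IP address field, role-limited access with an audit trail, a JSON export for portability, erasure on request and a periodic purge of stale records. The role names, the 365-day retention period and the sample customers are constructed for the example; encryption at rest is assumed to be provided by the underlying storage and is not shown.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Constructed retention policy: records idle longer than this are purged.
RETENTION_DAYS = 365

# Constructed role model (hypothetical, not from the article): each role gets
# only the actions it needs, so access is limited to certain roles.
ROLE_PERMISSIONS = {
    "support": {"read"},
    "marketing": {"list_recipients"},
    "dpo": {"read", "export", "erase", "purge"},
}

# Fixed "current time" used by the demo data so results are reproducible.
DEMO_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass
class Customer:
    customer_id: str
    email: str
    marketing_consent: bool
    last_activity: datetime
    # Deliberately no IP address field: for sending promotional mail it is not
    # necessary, so it is never collected in the first place.


class CustomerStore:
    def __init__(self) -> None:
        self._records: dict[str, Customer] = {}
        # Every access attempt is logged: part of documenting how data is handled.
        self.audit_log: list[str] = []

    def _authorize(self, role: str, action: str) -> None:
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self.audit_log.append(f"DENIED {role} {action}")
            raise PermissionError(f"role {role!r} may not {action}")
        self.audit_log.append(f"OK {role} {action}")

    def add(self, customer: Customer) -> None:
        self._records[customer.customer_id] = customer

    def read(self, role: str, customer_id: str) -> Customer:
        self._authorize(role, "read")
        return self._records[customer_id]

    def marketing_recipients(self, role: str) -> list[str]:
        """Only customers who gave consent are ever handed to the mailing tool."""
        self._authorize(role, "list_recipients")
        return sorted(c.email for c in self._records.values() if c.marketing_consent)

    def export(self, role: str, customer_id: str) -> str:
        """Data portability: everything held about one customer, as JSON."""
        self._authorize(role, "export")
        record = asdict(self._records[customer_id])
        record["last_activity"] = record["last_activity"].isoformat()
        return json.dumps(record, sort_keys=True)

    def erase(self, role: str, customer_id: str) -> bool:
        """Right to erasure: drop the record; False if nothing was stored."""
        self._authorize(role, "erase")
        return self._records.pop(customer_id, None) is not None

    def purge_stale(self, role: str, now: datetime) -> list[str]:
        """Regular clean-up: remove records idle longer than the retention period."""
        self._authorize(role, "purge")
        cutoff = now - timedelta(days=RETENTION_DAYS)
        stale = [cid for cid, c in self._records.items() if c.last_activity < cutoff]
        for cid in stale:
            del self._records[cid]
        return sorted(stale)

    def __len__(self) -> int:
        return len(self._records)


def build_demo_store(now: datetime = DEMO_NOW) -> CustomerStore:
    """Constructed sample customers for the example; not real data."""
    store = CustomerStore()
    store.add(Customer("c1", "alice@example.invalid", True, now - timedelta(days=10)))
    store.add(Customer("c2", "bob@example.invalid", False, now - timedelta(days=30)))
    store.add(Customer("c3", "carol@example.invalid", True, now - timedelta(days=400)))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("recipients:", store.marketing_recipients("marketing"))
    print("export c1:", store.export("dpo", "c1"))
    print("purged:", store.purge_stale("dpo", DEMO_NOW))
    print("erased c1:", store.erase("dpo", "c1"), "remaining:", len(store))
```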

 


 


Safetica Technologies has made every attempt to ensure the accuracy and reliability of the information provided in the article and the discussion below. However, the information is provided “as is” without warranty of any kind. Safetica Technologies does not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained in the article.

This article has 66 comments

1. Teodora

Hello. I want to find out, if we implement this GDPR at my company, is it mandatory to transfer all physical documents into digital format? If I have a physical contract for example, do I have to put it in digital format?
    Thank you!

• Matej Zachar

      Hello Teodora,

      No, GDPR does not require you to transfer any physical documents to digital form. It requires you to protect personal data in both physical and digital forms adequately.

      Best,
      Matej Zachar

2. Teodora

I have one more question. Could you suggest to me some modalities to implement this GDPR for my company? I found steps on the internet from other companies, but they don’t give me something to develop. They just write down some general steps. Thank you again!

• Matej Zachar

      Hello Teodora,

The answer is not that easy or straightforward, as GDPR will be implemented differently for an eshop with 1 employee than for an international corporate company. What I would give you would definitely be general ideas, because GDPR is a general ( 🙂 ) regulation that can be used for an organization of any size and industry.

If you want help with GDPR, please contact us via our contact form (http://www.safetica.com/contact-us) and we can direct you to the partner we have in your region to provide guidance specific to your industry, number of employees and the country you are from.

      Best,
      Matej Zachar

3. Gina

Hi. My business provides offshoring support to clients, for which we communicate a lot in emails. All these emails contain signatures revealing name, email address and phone numbers. Since this information is personal data, what controls do I need to put in place for GDPR compliance?

• Matej Zachar

      Hello Gina,

      Using such signatures is common for every business – the same as business cards, for example. It is a very specific processing – sending the contact details via email brings challenges for security, but the impact of an incident in this matter would be rather low (contact information to just 1-2 people most of the times if the email would be accessed by malicious 3rd party).

      In order to be compliant, as with any other processing, there are more things you should do. So just from the most important: you should think if you are sending just the minimum information, you should document the processing, think about rights of data subjects and establish appropriate security measures. In terms of security, I would focus on securing the access to the whole database of emails (on an email server) and consider using OpenPGP or similar service for email encryption.

It is worth noting that in general it is more important to think about the personal data that are being sent via email not in signatures, but in attachments.

      Best,
      Matej Zachar

4. Robert Luckett

    Perhaps you could provide some insight on the following?

A member of the public calls a customer service department. There is no previous consent or other legal basis for holding data on the subject. The phone system records the telephone number (if available), and the caller may (or not) provide further personal information during the call.

    1. If only the phone number is recorded, and no other consent is obtained, should the number be retained by the telephone system, and if so, could a call be returned to that number at any point in the future (and for any reason).

    2. If a caller does provide further identifying data (name etc.) during the call, is the fact that they initiated the call sufficient basis for recording that data, or must consent be requested and recorded, such as with a web site.

• Matej Zachar

      Hi Robert,

      This concept is more related to the secrecy of communication – and it might be different according to the country you are from.

Nevertheless, from the GDPR perspective, everything is related to your purpose for collecting the data. In general, you can collect the telephone number and/or the specific recording (regardless of whether the person stated his name or not – I would say that in 95% of cases there would be some introduction with a name anyway, for both sides to confirm they are talking to the right person), but you need to have a legal purpose to do so. If the purpose is for example retaining the quality of your customer service, a consent to recording might be necessary for saving this data in your database.

      Best,
      Matej Zachar

5. Allister Burdett

    Hi there,

    All of the data we collect (names, tel nos and email) comes under the GDPR Article 6 (b) definition “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. Does active consent need to be sought from these contacts if we are using it solely for the purpose above and not (for example) Emarketing? Also, would including the 6 (b) definition in our standard terms and conditions of sale be sufficient protection provided we can evidence this to auditors?

• Matej Zachar

      Hello Allister,

I don’t know much about your organization, but I recommend reviewing the personal data you are processing and the legal basis – for example if you have at least 1 employee, you’ll most probably process personal data about them for the purpose of fulfilling a legal obligation according to Article 6 (c). Direct marketing also falls under the “legitimate interest” of Article 6 (f) – see Preamble (47).

Nevertheless, for your question, you should not require consent from data subjects if you have another license for the processing. The reason is that you would mystify the data subject into thinking it has different rights than it actually does.

Also, mentioning the legal basis for processing is good, but I wouldn’t consider it a “sufficient protection” as you write. I would rather recommend running a GAP analysis to see everything you need to do to comply with GDPR.

      Best,
      Matej Zachar

6. Paul

    Hi

    If we were to record ‘personality traits’ of a regular customer based on our experience talking to the customer, would this be considered personal data and would we need consent? Is this something we would have to provide if the customer requested a copy of their data? The personality information would be used to help sales staff communicate effectively with the customer.
    Thank you in advance.

• Matej Zachar

      Hi Paul,

      Personal data is any information that you can link to a specific individual. So, if you are able to trace these ‘personality traits’ back to specific customers, it is considered a processing of personal data.

Regarding the consent, you don’t need it if the processing falls under a different subsection than (a) of Article 6, section 1 – it might fall under the “legitimate interest” of subsection (f), but it depends on how much information you really collect. I recommend consulting it with lawyers.

In general, you don’t ask for consent upon fulfilling the request for information (I think that your question is aimed that way), but before the beginning of processing.

      Best,
      Matej Zachar

7. Danielle Dennis

    Hello,

    Do we have any information on how the enforcement / fining procedure will work once GDPR is established? Will companies receive warnings of noncompliance and be obligated to fix any issues within a designated time frame, or can people be immediately fined upon discovery of out-of-compliance web entities?

• Matej Zachar

      Hello Danielle,

The decision about the fines is solely the decision of the regulatory authority. From the day that GDPR comes into force, the authorities will be able to issue penalties according to the new rules.

However, the fine does not necessarily need to be issued. If the regulatory authority decides to provide recommendations rather than a fine, in specific cases that is entirely possible.

      Best,
      Matej Zachar

8. Robert

    Hi,
    First of all I want to congratulate you for the excellent article. I’ve been reading about GDPR all day today (4pm) and this one was the best. Firmly grounded, practical and with the strong scent of life.
    Now, my question:
    Since [email protected] or [email protected] are not connected to any natural person, they can be freely used for direct marketing purposes as they were until GDPR. If we get a response from some natural person who responds from [email protected] then we should acquire his/her fully GDPR compliant consent.
    Right or wrong?
    Thank you.

    Best Robert

• Matej Zachar

      Dear Robert,

      Thanks for your feedback!

      For your question, it is important to understand the relation you have with these people at first:
– if you are using email addresses of your clients, they all fall under the “legitimate interest”, so you can send newsletters to them even without consent (please refer to preamble (47) of GDPR).
– general email addresses are not considered personal data if you can’t connect them to any physical person. So, you are right as long as you really don’t know who you are contacting.
– if you have no relation with these people (e.g. you collect the email addresses via a web form), you should require consent and provide the person with the option to unsubscribe at any time.

      Please note that GDPR might not be the only law related to direct marketing and the situation may vary according to the country you do business in.

      Best,
      Matej Zachar

9. Stewart

    Thanks for this article. Although I’m still struggling to fully comprehend the impact of GDPR on my business, your examples have been very useful.

I wonder if you have an opinion on the following. We currently store customer orders in our eshop and an internal production database. This data is used to generate internal reports – for example, average number of orders per customer, time between orders, top 10 customers etc – and these reports depend on identifying orders to specific customers. If a customer requests the right to be forgotten, would we need to remove all of their previous order history from the eshop and our internal production database? This could cause a problem should a ‘forgotten’ customer return to us at some point in the future with a query relating to a ‘forgotten’ order.

    Many thanks

    Stewart

• Matej Zachar

      Dear Stewart,

      Thanks for your comment.

The right to be forgotten is not an absolute/ultimate right. If there is a legal requirement to process or archive personal data, the right to be forgotten can’t be used. I recommend reviewing your local laws regarding archiving your financial records – in most countries you’re obliged to preserve this data for more than 10 years.

      Best,
      Matej Zachar

10. Daniel Kaiser

    Hello there.

    I work with a large public education entity.

    Could you point me toward the relevant analysis for Personal Data that is collected from persons located inside the USA (regardless of citizenship), who then subsequently move to the E.U./E.E.A. (again, regardless of citizenship)? I’m trying to determine whether the GDPR’s provisions will apply retroactively to data previously collected in the USA once the data subject is located in the E.U.

    Thank you!

• Matej Zachar

      Dear Daniel,

We are not aware of a specific public analysis on this topic.

      Nevertheless, you can refer to the general provisions of GDPR, which should give you an idea on this topic. Please see the Article 3 of GDPR, specifically (2):

This Regulation applies to the processing of personal data of data subjects who are *in the Union* (…)

      All the data you have about people that are now EU citizens fall under the scope of GDPR.

      Best,
      Matej Zachar

      • Daniel Kaiser

        That’s helpful Matej. Thank you.

11. Han Jeff

I have a question on a non-European company that hires European citizens.
Do we need to get employees’ explicit consent that we are using personal data for our company HR policy to keep clear records of career development and income tax filing, employee reimbursement and benefits?

    • Matej Zachar Reply

      Hello Jeff,

      Thank you for your question.

      In general, you don’t need consent for types of processing that fall under a different lawful basis of Article 6 (1) of GDPR. For some of the processing activities you mentioned (taxes, social insurance agenda etc.), there will be a legal obligation to do it. For others, you might have a legitimate interest (according to (f)) to do it.

      In those cases, consent will not be required.

      Best,
      Matej Zachar

  12. Paul Bass Reply

    Hi,

    Could you tell me your thoughts on banners advertising a business’s products included in email signatures.
    Would this be in breach of any GDPR rules?

    The banner would be on every outbound email, be it business to business, to individuals or even a personal email to my children’s school checking on evening clubs.

    Some of the recipients would have their details held in CRM, others would just be a recipients email address found online.

    Would this be considered direct marketing? What about for the individuals whose personal details are not being stored?

    • Matej Zachar Reply

      Hello Paul,

      Thank you for your question. I am afraid I would need a little clarification to answer correctly.

      Are you seeking to send banners advertising your products in outbound emails from your employees? If they contain advertisements like you mentioned, then yes, they might be considered direct marketing. According to Recital (47) in the preamble of GDPR, it can fall under the ‘legitimate interest’ basis, provided you are doing it with people who have a relationship with you, e.g. your customers.

      I need to warn you that doing it with any contact you might have or find could be considered a GDPR breach, depending on the specific situation.

      If you need more information, please specify the question a little bit more.

      Best,
      Matej Zachar

  13. Mike Reply

    Excellent article!

    I work for an EU-based consulting company where we, from time to time, publish papers on different subjects to document knowledge. In these documents the authors always write their name. Are these documents considered “personal data” even though the content of the document has nothing to do with the person in question but rather details some knowledge, like how a specific technology works?

    If the above is “personal data” and it is sufficient for a name to be present on a document for it to be personal data, does that mean that all Microsoft Office documents created are considered personal data, as the setting in Office is that the name of the author is inserted into every document as metadata?

    Thanks once again,
    Mike

    • Břetislav Chod Reply

      Dear Mike,

      thank you for your questions.

      According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person. A name is the most relevant identifier used to identify a person and therefore shall be considered personal data.
      Documents as such are not personal data. Only the content of such documents can be evaluated.

      The content of the documents you are describing could be understood as an expression of the author’s professional or personal knowledge or opinion. Even while expressing objective information from some professional field (for example a new technological procedure in that field) it will still contain some unique aspects of the author’s writing. As such, the name of the author could be relevant, should the recipients of this document be interested in identifying the author to match the knowledge or opinion expressed in the document with a specific person. You may also think of it this way: some articles are more relevant the more prominent the author is. The answer to your question then must be yes, the content of such documents must be considered personal data, provided that it is attributable to a specific person and other recipients could match the content of a document with its author.

      Metadata created while working in Microsoft Office then represents an identical case to the one stated previously. If the content of documents created in Microsoft Office is attributable to a specific person, the content would then represent personal data.

      I hope you find this answer sufficient. If you have any more questions, please do not hesitate to contact us.

      Best regards
      Břetislav Chod
      paralegal, http://www.sedlakovalegal.com

  14. Paul Beckley Reply

    If we do business with EU citizens in the US, do we need to be GDPR compliant? There is conflicting information as to whether it is for “…any citizen living in the EU…” or “…any EU citizen regardless of where the company is..”

    We are not a multinational company and we only do business in the US, but we [may] have EU customers (we do not ask).

    • Matej Zachar Reply

      Hello Paul,

      You can find the information you are seeking in Article 3 (2) of GDPR:

      This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
      (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
      (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

      By point (a), it is true that if you have EU customers, you have to comply with GDPR. For example, if you offer delivery to the European Union or have prices stated in € as well, you can assume that you are processing information about EU citizens.

      Best,
      Matej Zachar

  15. Jerry Shallis Reply

    Hi,

    I haven’t seen any discussion on this, and it’s beginning to worry me.

    Say one of my business contacts sends me an email from his personal email account, or has an email signature which gives his personal phone or mobile number. So I now have data on that individual for which I couldn’t demonstrate a legitimate reason to keep.
    Yet it is a single email, and I cannot pick and choose the parts of emails that my email archiver then stores and indexes. Indexing is a perfectly legitimate thing to do with business emails as I may need later to search them, but I have now processed the personally identifying data.

    What is the status of the unwanted/unneeded personal data? It clearly comes under GDPR yet in all fairness, I didn’t ask for it and I was given it in a way that makes it almost impossible to segregate it from information for which I do have a legitimate interest.

    Can consent be inferred if the individual has of their own volition given me the data? If it can’t then it is hard to see how I could systematically purge my email systems of any emails that contained non-business data as recognizing the presence of non-business telephone numbers is almost impossible.
    I think that email headers may be worse even than this as I will archive the headers with the emails. These may contain the IP address registered to my contact’s company, which may well be a legitimate interest, but if he sent the email from home, not via a VPN, it will have his personal IP address. Recognizing this, manually or automatically, will be a nightmare.

    Thanks for your comments,
    Jerry

    • Jiří Hradský Reply

      Hello Jerry,

      Under Czech law, more precisely under the Protection of Personal Data Act, it is stated that this Act does not apply to accidental processing. In October 2013, the Úřad pro ochranu osobních údajů (the Czech Personal Data Protection Office) issued an opinion which stated: „Accidental handling of personal data may, for example, be considered as working with a paper containing relevant personal data; its preservation is necessary, but besides relevant personal data, it also contains unnecessary personal data and data which are not collected by the controller.“

      This exception to the material scope is not included in the GDPR. However, it is reasonable to think about the meaning of processing. According to the definition, it means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, storage etc.

      It must therefore be a systematic activity carried out for a particular purpose.

      According to commentary literature on the GDPR, random or unintentional processing does not fall under the material scope of the GDPR. It is absolutely unthinkable that a person who receives an email is forced to delete it only because it contains personal data which are not systematically collected. Even if there was an argument that this collection of emails is processing (not unintentional), there is also a legitimate interest for such processing.

      We think that in the case of signatures or email headers it won’t be a systematic activity carried out for a particular purpose. In that case, it won’t fall under the material scope of the GDPR.

      Best regards,

      Jiří Hradský
      AK SEDLAKOVA LEGAL s.r.o.

  16. stefano Reply

    Hi,
    excellent article.
    I work for a small bank, not established in the EU, which has some EU customers.
    Do we need to appoint an EU representative?
    We collect personal data for the sole purpose of contract fulfilment and we do not store special categories of personal data.
    As Art. 27 says, the representative is not needed in the following case:

    (a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing;

    We process personal data occasionally (to send account statements or letters to customers).
    We also don’t think the processing may result in a risk to the rights and freedoms of natural persons.

    What is your opinion on that?
    Thank you for your help
    Best regards

  17. Matej Zachar Reply

    Hello Stefano,

    Thank you for your feedback and question.

    It is hard to say whether you need to appoint an EU representative without good knowledge of how your company operates. In our opinion, you are right when considering just business-based communication with your clients. Nevertheless, we do recommend thinking about other purposes for which you may process the data.

    From our experience, there can be many processing activities you might not be aware of from the marketing perspective (e.g. tracking visitors on your website, large-scale profiling of customers, cookies etc.) and these may make this requirement mandatory for you.

    Best,
    Matej Zachar

  18. Alex Reply

    Hi,
    I work for a company that does market research for other companies. Our data contains at most one or two pieces of pseudonymized data connected to the data they produce. We delete this information as soon as we can. In your opinion, if someone withdrew consent, would we have to get rid of both the potential identifier and the data connected to it, or just the identifier?

    • Matej Zachar Reply

      Hello Alex,

      Thank you for your question.

      If you lose an identifier, the data is no longer personal according to the definition in GDPR.

      Nevertheless, I would recommend thinking about your database in more detail – sometimes it is not enough to just erase one identifier. Imagine a database with names, ages and places of residence, and imagine that one person lives in a village small enough that it has up to 10 people. If you erase just the name, the combination of age and place can still be enough to identify the person.

      To implement the anonymization scheme properly, you need to think about these special cases to really lose the identification of the data subject.

      Best,

      Matej Zachar
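The small-village case in the answer above is a quasi-identifier problem: once the name is erased, the remaining columns can still single one person out. As an added example (not code from the original page or its authors), the Python below builds a constructed table with invented names, counts how many records share each (age, residence) combination after the name is dropped, and then generalises the age into bands and suppresses the records that are still unique, which is the usual k-anonymity treatment. The column names, the band width and the sample data are assumptions made for this illustration.

```python
"""Re-identification check for a 'just erase the name' dataset.

Added example, not code from the original page. The records below are constructed
for this illustration; names, ages and places are invented.
"""
from collections import Counter

# Constructed sample: what a market-research table might look like before anonymisation.
RECORDS = [
    {"name": "Anna Novak",    "age": 34, "residence": "Brno",       "score": 7},
    {"name": "Petr Svoboda",  "age": 34, "residence": "Brno",       "score": 4},
    {"name": "Jana Dvorak",   "age": 35, "residence": "Brno",       "score": 9},
    {"name": "Karel Horak",   "age": 41, "residence": "Mala Lhota", "score": 2},  # tiny village
    {"name": "Eva Prochazka", "age": 29, "residence": "Praha",      "score": 8},
    {"name": "Tomas Kral",    "age": 27, "residence": "Praha",      "score": 5},
]

DIRECT_IDENTIFIERS = ("name",)            # identify a person on their own
QUASI_IDENTIFIERS = ("age", "residence")  # identify a person only in combination


def strip_direct_identifiers(records, direct=DIRECT_IDENTIFIERS):
    """The naive step from the question: drop the name and nothing else."""
    return [{k: v for k, v in r.items() if k not in direct} for r in records]


def equivalence_classes(records, quasi_ids):
    """How many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def min_k(records, quasi_ids):
    """Smallest class size. k == 1 means some record is unique on the quasi-identifiers,
    i.e. still identifiable: exactly the small-village case from the answer."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singletons(records, quasi_ids):
    """Quasi-identifier combinations that point at exactly one person."""
    return [key for key, n in equivalence_classes(records, quasi_ids).items() if n == 1]


def age_band(age, width=10):
    """Generalise an exact age into a band such as '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def k_anonymize(records, k, quasi_ids=("age_band", "residence")):
    """Drop direct identifiers, generalise age into bands, then suppress any record whose
    quasi-identifier combination is still shared by fewer than k records.
    Returns (kept_records, number_suppressed)."""
    generalised = []
    for r in strip_direct_identifiers(records):
        g = dict(r)
        g["age_band"] = age_band(g.pop("age"))
        generalised.append(g)
    classes = equivalence_classes(generalised, quasi_ids)
    kept = [g for g in generalised if classes[tuple(g[q] for q in quasi_ids)] >= k]
    return kept, len(generalised) - len(kept)


if __name__ == "__main__":
    naive = strip_direct_identifiers(RECORDS)
    print("after erasing only the name: min k =", min_k(naive, QUASI_IDENTIFIERS))
    print("unique (age, residence) combinations:", singletons(naive, QUASI_IDENTIFIERS))
    kept, dropped = k_anonymize(RECORDS, k=2)
    print(f"after generalisation and suppression: {len(kept)} rows kept, {dropped} suppressed,",
          "min k =", min_k(kept, ("age_band", "residence")))
```

On the constructed data, erasing only the name leaves four (age, residence) combinations that match exactly one row; banding the age merges the Brno rows but the single villager stays unique, so that row has to be suppressed before every remaining record shares its quasi-identifiers with at least one other. The same check belongs in the erasure path: when a consent withdrawal removes one person, re-run it, since a group of two can become a group of one.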

  19. Jonathan Reply

    Hi, I run a small web design company. We have a cloud CRM system with client information. We outsource to a company abroad (outside of the EU), so they have access to our CRM database and client information (they have their own login details to our cloud CRM system).

    Am I right in thinking all we have to do is ensure all our clients are:

    – aware of, and accept via a new form, that the services are being outsourced and to whom
    – and ensure the outsourcing company is GDPR compliant

    Is there anything else we need to consider and do?

    Thank you!

    • Matej Zachar Reply

      Hello Jonathan,

      Thank you for your question. The answer might not be as straightforward as it seems, because GDPR contains many requirements that will apply to your processing.

      It is important to understand that not just customer data, but also information about your employees, job applicants, partners and any other 3rd parties will be subject to GDPR compliance.

      The most important things to consider in your case:
      – find out if the country outside the EU provides an adequate level of protection and, if not, ensure that all the requirements of GDPR for transfer outside of the EU are met (e.g. consent, …)
      – ensure an adequate level of security for both transferring and using the data
      – consider other GDPR requirements and whether they apply to your processing – DPIA, DPO, rights of data subjects, record keeping, …

      The most important thing is to start with an audit, map all your personal data processing activities and the requirements that apply. This will help you identify key points to achieve compliance.

      Best,

      Matej Zachar

  20. Sacha Reply

    Hi Matej,
    In terms of HR sending CVs to managers, should they be password protected? If so, I’m not even sure this is possible from a cloud-based solution.

    Many thanks

    • Matej Zachar Reply

      Hello Sacha,

      Thank you for your question.

      GDPR mentions encryption as one of the recommended security measures several times, but every control you implement should be appropriate, weighing its cost against the risk it addresses. In your particular example, if this happens just once in a while, it might not be worthwhile to invest in an encryption solution, as opposed to bigger organizations, where it happens on a regular basis.

      On a side note, many email gateways encrypt emails within internal communication by default. This might be considered sufficient, as the only transfer you described is internal.

      Best,

      Matej Zachar

  21. John Repede Reply

    Great article and forum!

    GDPR says that to pseudonymize a data set, the “additional information” must be “kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.”
    What qualifies as “kept separately”?
    A separate table within a database?
    A separate database on the same server?
    A separate database on separate server?

    • Matej Zachar Reply

      Hello John,

      As you might expect, GDPR is not specific enough to give you a straightforward answer to your question. For this specific situation, you need to consider:
      – Who has access to the database
      – Who has access to the server
      – Who has access to the separate server

      The idea behind pseudonymization and keeping the identifiers separate is to limit the number of people with access to the key for uncovering (reversing the pseudonymization of) the data. In my opinion, having the key in the same database or on the same server is not the best solution (as there might be many possible ways to extract the data). I would recommend keeping the key in an encrypted form in a completely separate place, like a different server, or even locked down in a safe. The most critical part is to ensure that the key is accessible only by the minimum number of individuals, on a need-to-know basis.

      Best,

      Matej Zachar
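One concrete way to keep the “additional information” separate, as an added example rather than code from the original page or its authors: derive the pseudonym with an HMAC under a secret key that lives only in a separate key store, and put nothing but the token and the business data into the reporting table. The block also shows why an unkeyed hash is not enough (anyone holding a list of candidate identities can recompute it and link the tokens back) and what destroying the key does. The e-mail addresses, the orders and the SeparateKeyStore class are assumptions made for this illustration; in practice the key store would be a vault service, an HSM, or the safe mentioned in the answer.

```python
"""Keyed pseudonymisation with the re-identification key held apart from the data.

Added example, not code from the original page. E-mail addresses and orders are
constructed for this illustration; SeparateKeyStore stands in for whatever holds the
key in practice (a vault service, an HSM, or a key locked in a safe).
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed: identities an attacker might already hold (a customer list, a breach dump).
KNOWN_EMAILS = ["anna@example.com", "petr@example.com", "jana@example.com"]


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Deterministic, but needs no secret to recompute, so anyone holding
    the analytics table plus a list of candidate e-mails can link tokens back to people."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Same e-mail -> same token (so orders still join up),
    but recomputing or testing the mapping requires the key: the key is the 'additional
    information' that has to be kept separately."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      derive: Callable[[str], str]) -> Optional[str]:
    """Run every candidate identity through `derive` and report the one matching `token`."""
    for email in candidates:
        if hmac.compare_digest(derive(email), token):
            return email
    return None


class SeparateKeyStore:
    """The only component that ever sees the key. The analytics side sends identities in
    and gets tokens out; it can never reverse a token on its own."""

    def __init__(self, key: Optional[bytes] = None):
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)

    def tokenize(self, email: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed: no further tokens can be issued")
        return keyed_pseudonym(email, self._key)

    def reidentify(self, token: str, candidates: Iterable[str]) -> Optional[str]:
        """Reverse pseudonymisation: possible only here, only for the few people with
        access to this store, and only against a list of known identities."""
        if self._key is None:
            return None
        key = self._key
        return dictionary_attack(token, candidates, lambda e: keyed_pseudonym(e, key))

    def destroy_key(self) -> None:
        """Once the key is gone, the tokens can no longer be linked back to anyone."""
        self._key = None


def build_analytics_table(orders, keystore: SeparateKeyStore):
    """Reporting table: token plus business data, no direct identifiers at all."""
    return [{"customer": keystore.tokenize(o["email"]), "amount": o["amount"]} for o in orders]


if __name__ == "__main__":
    store = SeparateKeyStore()
    orders = [{"email": "anna@example.com", "amount": 10},
              {"email": "Anna@Example.com", "amount": 5},
              {"email": "petr@example.com", "amount": 7}]
    table = build_analytics_table(orders, store)
    print("table:", table)
    print("naive hash reversed:",
          dictionary_attack(naive_pseudonym("anna@example.com"), KNOWN_EMAILS, naive_pseudonym))
    print("keyed token without key:",
          dictionary_attack(table[0]["customer"], KNOWN_EMAILS, naive_pseudonym))
    print("keyed token via key store:", store.reidentify(table[0]["customer"], KNOWN_EMAILS))
```

The split answers the three questions in the reply: the database holds only tokens, the server running reports never holds the key, and whoever administers the separate key store is the complete list of people who can reverse a pseudonym. If the key store is itself a database, encrypt the key at rest there and log every call to reidentify, because that log is the access record an auditor will ask for.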

  22. Kenny Reply

    Hi. Under the GDPR, do organisations have the authority or the right to restrict or remove personal mobile phones, which are not used for work purposes, from employees during the working day?

    Thanks

    • Matej Zachar Reply

      Hi Kenny,

      Thank you for your question.

      If I understand correctly, you are asking whether the employer has the right to take an employee’s personal mobile phone from him/her during working hours.

      GDPR does not address this particular scenario. For the answer, I would recommend looking into specific legislation (Labour Law or similar) of your country of residence.

      Best,

      Matej

  23. Rob James Reply

    Good article, I learned much from it and from the comments and answers to the questions.

    I have a question of my own; the booking system for the leisure company I support collects customer information and requires that customers sign a waiver before taking part in various activities. The waiver can be signed online and the customer is sent an email with the signed waiver as a PDF attachment. If a session is booked online then the customer is sent a booking confirmation by email.

    These emails necessarily contain details of the customer and any children that may participate in the activities.

    What does GDPR say about the data in the email? How could it be protected?

    Would we be liable if, for example, someone recognised that emails sent from that domain contained such data and intercepted it for their own purposes?

    Thanks.

    • Matej Zachar Reply

      Hello Rob,

      Thanks for your question.

      As you correctly assume, these emails contain personal data that fall under the scope of GDPR. While GDPR states important rules for data processing, it is not specific enough to state detailed requirements for data in email.

      From the WP29 recommendations and case law I can recommend the following:
      – review whether it is absolutely necessary to share or send all the data to the client, and reduce them to an appropriate minimum
      – think about a more secure way of sharing such data, such as providing them in a personal section of the website which the customer reaches only after successful authentication; implement HTTPS on the web

      A formal risk analysis might give you a better idea about the right measures you can implement to reduce the risks associated with personal data transfer.

      You would be held liable in the case of the incident you describe if the regulatory authority in your country finds out that you don’t protect the data well enough.

      Best,

      Matej Zachar

  24. David Cain Reply

    Sorry for the length of this… As one of the primary objectives of GDPR is protecting the personal information of natural persons, I wonder if you could comment on the following scenario? If requested, every organisation is going to have to provide all of the personal information held on a person on demand. The guidance on the Information Commissioner’s website under “Right of Access” says:
    “You must verify the identity of the person making the request, using ‘reasonable means’.” And
    “If the request is made electronically, you should provide the information in a commonly used electronic format.”
    So, you get an email request from someone on your database asking for any information you hold on them and you are legally obliged to provide that.
    So what does ‘reasonable means’ mean in terms of verifying that they are who they say they are? Is it enough that someone has emailed you from a recognised email address and perhaps has physical address details as well or other basic personal information? In most cases, that would seem reasonable. It seems to me that, in the absence of any hard and fast rules, each company will interpret “reasonable means” in a different way.
    So, you send off all the information you have on an individual (by email as that’s how the request was sent), to someone who may or may not actually be the real person. It could be a hacker who has obtained control of an email address and enough other information to identify the person – which wouldn’t be hard.
    So GDPR seems to have made it very easy for a hacker intent on identity fraud to get hold of all the information that any and every organisation has on an individual as companies are now required to provide it. And the more information they accumulate from different companies the easier it will be to convince other companies that they are that person. GDPR has even removed the ability to charge a fee to provide the information. By making access to your personal information a right, GDPR seems to be making it less secure!

    • Matej Zachar Reply

      Hello David,

      Thanks for your question.

      ‘Reasonable means’ might be different for every company. Some companies, e.g., incorporate customer portals in an authenticated section of the webpage. When the request comes this way, you can be quite sure about the identity of the person, because he/she needed to authenticate to get into that section anyway.

      In a different scenario, if the request comes via email, you should verify that the email address is the same as the one you used in previous communication and, if possible, ask about another piece of information you have shared in the past. That might be considered ‘reasonable means’ in such a case.

      In general, the more data you are going to share (which relates to the specific processing you are doing as a company), the more cautious you should be to verify the identity properly.

      You are right that there is a possibility that companies will misunderstand the requirement, which can lead to unintended exposure and misuse of the information. In GDPR, there are more articles that could be misunderstood; that’s why we recommend discussing the implementation with experts to be sure you are implementing it correctly.

      Best,
      Matej Zachar
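The first check in the answer above (the request must come from the address already on file) is only worth something if it is not done by looking at the incoming mail’s From or Reply-To header, which the hacker in David’s scenario can forge freely. As an added example, not code from the original page or its authors, the Python below implements the check the other way round: the challenge is delivered to the address on file, never to the sender, so only whoever controls that mailbox can complete it; tokens are random, stored only as hashes, time-limited and single-use. The customer directory, the TTL and the injectable clock are assumptions made for this illustration.

```python
"""Identity check for a subject access request that arrives by e-mail.

Added example, not code from the original page. The customer directory, TTL and clock
are assumptions for the illustration. The challenge always goes to the address on file
rather than to the (forgeable) sender of the request.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed: e-mail address used in previous communication -> internal customer id.
SUBJECTS_ON_FILE = {"anna@example.com": "cust-1001", "petr@example.com": "cust-1002"}

TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class PendingRequest:
    customer_id: str
    expires_at: float
    used: bool = False


class AccessRequestVerifier:
    def __init__(self, directory: Dict[str, str], ttl: float = TOKEN_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._directory = directory
        self._ttl = ttl
        self._clock = clock
        self._pending: Dict[str, PendingRequest] = {}  # sha256(token) -> request

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash so a leaked pending table does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def start(self, claimed_email: str) -> Optional[Tuple[str, str]]:
        """Called when a request comes in. Returns (deliver_to, token) or None.
        `deliver_to` is always the address on file, never the sender of the request, so a
        forged From header earns the attacker nothing. None for an unknown address: answer
        it externally the same way as a known one so the reply does not reveal who is a
        customer."""
        email = claimed_email.strip().lower()
        customer_id = self._directory.get(email)
        if customer_id is None:
            return None
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
        self._pending[self._fingerprint(token)] = PendingRequest(
            customer_id, self._clock() + self._ttl)
        return email, token

    def complete(self, token: str) -> Optional[str]:
        """Called when the link in the challenge mail is opened. Returns the verified
        customer id, or None for unknown, expired or already-used tokens."""
        req = self._pending.get(self._fingerprint(token))
        if req is None or req.used or self._clock() > req.expires_at:
            return None
        req.used = True                             # single use
        return req.customer_id


if __name__ == "__main__":
    verifier = AccessRequestVerifier(SUBJECTS_ON_FILE)
    print("unknown address:", verifier.start("mallory@evil.example"))
    deliver_to, token = verifier.start("Anna@example.com")
    print("challenge goes to:", deliver_to)          # the address on file, not the sender
    print("first use:", verifier.complete(token))    # cust-1001
    print("second use:", verifier.complete(token))   # None
```

The second factor from the answer (a fact only the customer would know) fits naturally on the page the link opens, before the export is assembled; and the export itself should then go through the authenticated portal or to the verified address, never as a plain reply to the original mail.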

  25. Stephanie Reply

    Hi, I work for a retail store that prints my name and employee number at the bottom of the receipt. What are my rights with regards to this? Is this not considered personal data, even though it can identify me?

    • Matej Zachar Reply

      Hello Stephanie,

      Your name and employee number will be considered personal data.

      I would suggest asking your employer this question, as you have the right to information under GDPR. They should provide you with all the information about the purpose, legal basis and other terms of processing, as well as your rights.

      Best,
      Matej Zachar

  26. Heidi Reply

    I have a home and garden blog with a small base of subscribers. I use an online marketing platform to manage my subscription list. People subscribe to my blog voluntarily and can unsubscribe at any time. I use this subscription list only to send email updates when I publish a new post. The online marketing platform that I use has stated they are doing everything they need to do on their end to comply with the GDPR. I’m in the U.S. and I’m not sure how many of my subscribers are in the E.U.
    Do I need to take any action?

    • Roman Tomek Reply

      Dear Heidi,

      The Regulation (EU) 2016/679 on the protection of natural persons (hereinafter “GDPR”) applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union. In this case, in our opinion, you are not offering goods or services to data subjects in the EU. So, there is no need to meet the obligations set by GDPR. Also, the obligations set by GDPR will be met by the marketing platform.

      Best,
      Roman Tomek
      AK SEDLAKOVA LEGAL

  27. Craig Wilson Reply

    Great article but I can’t find anything speaking specifically to our scenario. We are a US based company and only sell and ship products in the US. However, it’s possible that we have customers that have moved from the US to Europe and we are unaware of this move. If we continue to send them marketing emails, are we exposed to incurring a fine under the GDPR?

    • Roman Tomek Reply

      Dear Craig,

      Under Article 3 of Regulation (EU) 2016/679 on the protection of natural persons (hereinafter “GDPR”), the GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union. However, that doesn’t mean that a seller who is targeting only the US market falls under the scope of GDPR. To do so, there must be an intention to offer goods or services to data subjects in the EU, which is not the case here. The mere accessibility of the controller’s (your company’s) website in the Union, or of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention. Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union, but this is not your case.

      Best,
      Roman Tomek
      AK SEDLAKOVA LEGAL

  28. Bob Snow Reply

    Excellent, thorough article. I have a question: let’s say you’re offering a free white paper in exchange for contact info (name, email). I know we’re not allowed to use that email for another mailing on another topic… but can we offer, say, a series of white papers issued at quarterly intervals, that can be covered by a one-time consent? Thanks in advance.

    • Matej Zachar Reply

      Hello Bob,

      Thanks for your question.

      It depends on the way you communicate the purpose of processing the personal data. In your case, I would suggest saying that the purpose is sending whitepapers on a regular basis, from which the user can unsubscribe at any time, and that he is going to receive the first one immediately. In this way, the purpose and consent are going to be one.

      Best,
      Matej Zachar

  29. Allyson Reply

    Hello,

    As we begin to receive requests to comply with the Right to be Forgotten, a few questions are coming up…

    Do we confirm receipt of the request?
    Do we confirm once the deletion/erasure has taken place?
    Do we need to track that this request was made and fulfilled?

    I ask about the first two because it seems counter to GDPR to now voluntarily email someone who just asked to be removed from all communications.

    Any input is appreciated!

    • Matej Zachar Reply

      Hello Allyson,

      Thanks for your questions. Please see the answers below:

      Do we confirm receipt of the request?
      Yes, we recommend confirming receipt, especially if processing the request is going to take you some time (a couple of days or weeks).

      Do we confirm once the deletion/erasure has taken place?
      Yes, we recommend confirming that you have fulfilled the request. In case you are able to react very quickly, you don’t have to confirm receipt, just send the final answer.

      Do we need to track that this request was made and fulfilled?
      Yes, we recommend documenting the request for your internal tracking. You can keep this as evidence for a potential audit by the data protection authority.

      Best,
      Matej Zachar

  30. Robert Daniell Reply

    We have sent a consent request, but this has not been responded to. Are we permitted to send a chaser email, or by a different medium, say text?

    • Matej Zachar Reply

      Hello Robert,

      Thank you for your question.

      If I understand your question properly, we would not recommend doing it. Not answering a consent request is generally considered as not giving consent.

      Best,
      Matej Zachar

  31. Deborah Reply

    My name is used in my email address for the company that I work for, as is my full name. Does this fall under GDPR?

    • Matej Zachar Reply

      Hello Deborah,

      Yes, an email address containing your name, surname and company name (domain) can be considered personal information.

      Best,
      Matej Zachar

  32. Elia Reply

    Thanks for nice insights about GDPR!

    I just have some questions about GDPR…

    Is it legal/illegal to write someone’s name down without consent, or does it become illegal if I write several names down in a list, like a database… those names which are easily retrieved online, such as through a phone catalog? What about friends’ names or just people’s names from my own memory?
    What about other information which can be accessed online, such as address, phone number… other related information about people, such as a YouTube username, etc.?
    What about those names and numbers one has stored in a mobile phone’s contact list? Do we need to get consent from all those contacts to keep having their information stored?
    Does GDPR apply only to commercial businesses, or also to charitable organizations, or private individuals?

    In advance, Thank you!

    Best Regards

    • Matej Zachar Reply

      Hello Elia,

      First of all, GDPR does not apply to processing conducted by a natural person solely for his/her private use. It only applies to personal data processing in organizations, whether private, public, or even non-profit.

      Secondly, GDPR does not require consent in all cases of personal data processing. In fact, it is usually just a fraction of all processing activities for which you don’t have any other legal basis. In most cases, organizations will process the data of their employees, customers, and any third parties because of regulatory requirements, fulfilment of a contract, or their legitimate interests. In those cases, you don’t need the data subject’s consent.

      You can find more information about lawfulness of processing in Article 6 of GDPR.

      Best,
      Matej Zachar
