38 questions and answers about GDPR

We recently organized a webinar about the new EU regulation GDPR (General Data Protection Regulation). This regulation affects every company and public institution in the European Union, as well as foreign companies doing business within the EU. During the webinar we received more questions than we could possibly answer, so here are the answers:


Is there a document available online which lists everything that is considered personal data?

In the GDPR regulation, the definition of personal data is formulated very generally. We cite particular examples and the most common types of personal data on our website, but unfortunately, given the breadth of the regulation, it is not easy to list all the types of data that are considered personal. What can be said is that the regulation applies to any kind of data concerning an identified or identifiable individual.

I keep a record of names, surnames and emails of individuals in a web application. Do these data fall under GDPR? And do both the operator of the web application and I need to treat them that way?

Yes. Contact data of a natural person are considered personal data, and personal data fall under GDPR. You and the operator of the web app both have to handle them accordingly.

How does GDPR apply to data provided to the police (DNA, fingerprints, etc.)?

Data which is required by a particular legal act (such as in a police investigation) can be collected without the explicit consent of the subject. But of course, the data must adhere to other requirements of GDPR. For example, they have to be secured against being misused by police.

Is the right to be forgotten absolute? If a customer orders goods, and I need his information to complete the order, do I have to delete that information upon request?

The right to be forgotten is not an absolute right. It can be exercised only if the data are no longer necessary for the purpose they were originally gathered or processed for. Another case in which personal data cannot be deleted is when another legal obligation or law directly prevents the deletion (for instance an archiving law, which requires some documents containing personal data to be kept for a period defined by law).

In CRM we keep record of email addresses and phone numbers of our customers’ employees. Will we now need to ask for explicit permission to store them?

It depends on whether you already asked for consent when collecting the information, and also on why you collected it. If you must process the data in order to provide products or services, then the data can also be processed to that minimal extent without consent. For example, you definitely need an address to be able to send a product to a customer. In your case, you have to consider whether or not you really need the contact information of each customer – it depends on your purposes.

It’s been mentioned that parental consent is required to process the data of children younger than 16. In this sense, do all services have to keep a record of the age of users? Is it sufficient to ask the user to state his/her age, or is it also necessary to verify the stated age?

Yes, it is essential to verify the stated age of the person who gives consent for data processing.

Parental consent is required when processing personal data of persons below an age limit in the range of 13-16 years. The exact limit within this range is set by each EU member state, so the applicable limit depends on the country in question.


The right to data portability is free of charge – is a bank obliged to provide me with my information free of charge?

Yes, they are obliged to provide you with information free of charge.

Who regulates/controls wording of the Consent for personal data processing document?

There is no particular, regulated consent language. You can refer to EU language recommendations or, preferably, consult legal offices that provide consultancy services.

Who exactly does the GDPR apply to? How about an e-shop which only has 2 employees, but processes data of hundreds of customers?

Any e-shop that processes personal customer data must comply with GDPR. Basically, any organization with at least 1 employee has to process personal data of employees, and hence it has to protect that data too.

Do employment agencies have to designate a Data Protection Officer (DPO)?

With regard to the amount and character of the personal data involved, we would say that employment agencies will have the obligation to designate a DPO.

GDPR states that processing personal data on a "large scale" triggers the designation of a DPO. How is "large scale" defined? Is there a certain amount of data specified?

The term "large scale" is not clearly defined in the regulation. According to guidelines from Working Party 29, "large scale" is determined by several factors: the number of individuals, the data volume, the duration of data processing, and the territorial range. One example of large scale processing is the processing of patients' data as part of routine hospital activities (unlike patient data processing by an individual doctor – this is not considered "large scale"). Other examples of large scale processing are the use of search engines to target personal data for advertising, and processing customer data as part of the routine sales activities of an insurance company or a bank.

If we use an outsourced DPO, how often does he have to perform an inspection?

The handling of personal data should be constantly monitored. Each company should decide for itself whether to designate an internal or external DPO.

Who bears the responsibility in case of an incident? And who pays the fine? The administrator or the processor?

There is no definite answer to this question. It depends on whether the incident happens on the administrator's (in GDPR terms, the controller's) side or on the processor's side. We recommend a very precise definition of the responsibilities of both parties in a contract.

How does GDPR apply to company employees?

GDPR requirements apply to organizations, but data protection responsibilities also naturally pass on to employees who work with the data.

Does the processor himself have the responsibility to comply with GDPR?

If the processor has employees and hence processes their personal data, then the processor of course has to comply with GDPR. Such a company can then have two roles – for its clients it can serve as processor, while for its employees it serves as administrator.

If our GDPR management is conducted by an external company, who would be fined in the event of a personal data leak? Is the responsibility borne by us, or can it be contractually transferred to the provider?

According to GDPR, the obligation to protect personal data applies to both administrator, and processor (external company processing the data). Hence, both entities are responsible for their protection, since they both work with the data – even if the administrator only collects the data and sends it to the processor.

Can Privacy policy be handled similarly to Cookie policy – by placing a banner with a link to the whole Privacy policy on the web?

For a company that processes personal data, the privacy policy is one of its most important documents. We recommend entrusting the preparation of the policy to lawyers.

I’ve read that in case that a visitor doesn’t give consent for personal data processing, his access to the website should be completely denied. Is this true?

One of the new principles that GDPR brings is the necessity to acquire unambiguous and unconditional consent for personal data processing from the data subject. If a data subject does not grant consent to the administrator of a service, this does not justify refusing to provide the service, unless the consent concerns data required for the service itself. Here is an example from an e-shop environment: if I provide an e-shop operator with the personal data that are essential for purchasing a product, the e-shop operator cannot cancel my order just because I did not give him permission to send me marketing emails.

Can a customer prevent us from collecting his/her personal data? For example by saying he/she does not want his/her phone number or IP address to be stored by us?

It depends on the legal purpose for processing his/her personal data. If the purpose is given by, for instance, a public interest, then the customer cannot explicitly prohibit you from collecting the information. But by exercising the right of subject access, the customer can raise an objection or question as to why a particular type of information is being processed. The processing must always take place on the grounds of the customer's consent – so the customer is the one who decides which data will be processed.


Are a customer's business phone number, business email address and business IP address also considered to be personal data?

Yes, if it is possible to identify a particular natural person on the grounds of this information.

Can a company have contracts with more than one DPO?

The management of personal data takes teamwork, but companies are obliged to provide contact information for only one person performing the DPO's function. This will be the main contact person, for example for the supervisory authority.

Our company already complies with ISO 27001. Is this sufficient?

First of all, it is necessary to examine the extent of ISMS to find out if it really applies to all kinds of personal data processing in the organization. One of the important points within ISO 27001 is compliance with legal acts – including GDPR. Last but not least, GDPR does not apply to personal data security alone, but also to many other areas (rights of data subjects, transfer of personal data abroad, etc.) – so make sure that the processes are also set correctly when it comes to these areas.

Safetica DLP handles a lot of data. How does it help to comply with GDPR?

Safetica is only a tool (system) which collects and processes personal data. The security of the system itself is supported by encryption of Safetica's components, as well as encryption of communication and of the storage of personal logs. Since GDPR also places organizational and personnel demands beyond the scope of a software solution, we give recommendations about what steps to take to use our products in accordance with the regulation.

Does Safetica also work on Mac OS?

Up to now it works only on Windows, but support for Mac OS is planned soon. At the moment we also offer solutions for Android, iOS and Windows Phone.

I am building an e-shop hosted by a third party (webhosting). Who has the role of DPO? Me, the webhost, or the contract owner?

DPO is a stand-alone entity responsible for the processing of personal data in an organization. You can find more information about DPOs here.

Does a video surveillance solution for public places come under GDPR?

Yes, video surveillance systems also process personal data (identifying activities of a natural person), so they also come under GDPR. Getting permission of the people is of course not physically possible in these cases. That is why it is important to identify the legal base for the processing of video recordings, and then choose a transparent approach towards the privacy of citizens (the primary condition being suitable notification in the monitored area). Further GDPR requirements are of course valid.

How far into the backup and archive history do the right to be forgotten requirements apply?

If there is no legal act that requires you to archive personal data, then you should delete them from all storage locations, including archives.

We keep records of data and store them in cloud services, for example G Suite. Data protection tools are provided and security rules can be set. But who has the responsibility for securing them – us or Google?

Providers of these kinds of services of course have to ensure compliance of their services with GDPR. Both Google and Microsoft have recently announced that they are working hard to bring their services into compliance with GDPR. However, it's important to mention that by using these services you are not automatically freeing yourself from your own responsibility for complying with GDPR. GDPR impacts your whole organization, and by just transferring all personal data to G Suite you are not doing enough to comply with it.

Is employee attendance also considered to be personal data?

Certainly, yes. An employee is a natural person and if a record of his/her attendance is unambiguously connected with his/her identifier, then it is considered to be personal data.

After GDPR comes into force, can we continue to declare that documents and identifiers which a candidate has provided to us for the purpose of a selection procedure will not be returned?

Each company determines the rules of selection procedures itself, but it has to meet the obligations set by GDPR about handling and processing personal data. We are not sure what exact kind of documents the question is referring to, but companies are obliged to protect all documents that contain the personal data of natural persons.

Does GDPR apply also to contact information collected before the regulation comes into force? Do we have to ask our customers for their permission again, so that the new requirements are met?

Yes, GDPR does apply to information collected before May 25th, 2018. We recommend that you revise all consents gathered up to this point, and make sure they are unambiguous and designated for the particular purpose of processing. If data have to be processed for some other legally ordained purpose (for instance public interest), then consent is not required. It could be useful to run a company audit of the legal titles on which the data processing is based.

I’ve been wondering about PR agencies. They have media lists (lists of reporters with their contact information) and they process personal data for their own functioning. Do they also come under GDPR? And how do I ensure permission for using a reporter’s email address, if this information is publicly available online?

If the information is publicly accessible on the website of the person in question, so that people can contact him/her, you don’t have to ask the person for permission. But if you intend to use this piece of information for other reasons (let’s say direct marketing of your services), then we recommend asking for the person’s consent.

Let's take a model example – I am a dentist who processes personal and medical records of patients. According to the law, I have to keep this documentation for 10 years – either in print form or electronically with an electronic signature. The right to be forgotten does not apply to me. I have two options: to store the data in the software on my computer in my dentist's office, or to store the data online – in the cloud. Do I understand correctly that with either of these options I will de facto transfer the burden of GDPR (to the cloud provider / to the administrator of the data – the software producer)?

In the case when archiving is demanded from you by a particular legal act, the right to be forgotten does not apply to you – you’re right in this part.

To answer the other part – by using either of the two options you named, you do not transfer the burden of GDPR to anybody else. It is you who is considered to be the data administrator and who carries the responsibility under GDPR; the provider remains solely a provider.

Is there information available on what materials will need to be presented (next year) for audits investigating whether an organization complies with GDPR?

It’s anticipated that compliance with GDPR will, with time, become one of the audited items in companies. But at this point in time, when the regulation is not yet in force, there is no information on this available yet.

Can the consent for personal data processing be granted to us over the phone?

Yes, but this consent has to be recorded and documentable in case of an inspection by a supervisory authority, and it has to meet all the GDPR requirements for correctly granted consent.

We keep records about our employees, partners and their employees from around the world. Records are stored on servers in the USA using SAP and Microsoft Cloud (not sure where these MS Cloud servers are located). What are our duties to protect data when servers are out of our reach?

This is a very complex topic, but GDPR rules still apply since you are storing personal data. The most important part for you are the rules about moving records outside EU borders, since your servers are located in the USA and in the cloud. So the first thing you need to learn is where your data are actually stored.

Next, you should analyze the current state of how personal data are being processed. This should map how your organization handles personal data and give you clear recommendations on improving processes, organizational transformation or technical measures.
For more information go to www.safetica.com/gdpr

We have a family pension where we are obliged by law to report personal data on our guests to the authorities. Do we need to anonymize these data?

Anonymization is not required for every scenario of handling personal data. Article 32 of GDPR doesn't provide a complete list of scenarios for anonymization – it is rather a list of areas your company should focus on. If a specific law applies to your business, then you should follow it.

I’m working in an online services business and I collect the email addresses and IP addresses of my customers. I use these email addresses to send promotional messages. I use a cloud email tool to mass email. Do I need to extend my Terms of Use with an agreement of processing personal data or do I need to take additional steps to protect email addresses?

Yes, GDPR applies to your case of personal data processing. You should go step by step through all GDPR requirements and do a gap analysis to make sure that you are compliant. In your case, it might be very quick and easy to do (e.g. the right to be deleted upon a customer's request can be fulfilled by removing a single line in an Excel spreadsheet).
Here are some tips:

  • You are analyzing or collecting data only to the extent required for your business
  • Is collecting the IP address really necessary?
  • You guarantee the safety of personal data (e.g. data are encrypted and access is password-protected and limited to certain roles)
  • You are ready for the rights of data subjects (e.g. a request to remove any records related to a customer, or to export data in a universal machine-readable format – see the right to data portability)
  • You are removing personal data that are no longer needed on a regular basis
  • You have documented how you handle personal data (all parts required by GDPR)
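The tips above (erasure on request, machine-readable export, routine deletion) and the earlier answer that the right to be forgotten yields to a legal archiving duty can be turned into a small data store. This is an added example, not code from the article or from Safetica; the record layout, the customer, the dates and the assumed 10-year invoice retention are all constructed for illustration.

```python
# Added example (not the article's or Safetica's code): a minimal store that
# handles erasure and portability requests and purges expired data. Records
# held under a running legal retention period survive an erasure request but
# are flagged as restricted so they are not reused for other purposes.
from dataclasses import dataclass
from datetime import date, timedelta
import json


@dataclass
class Record:
    subject_id: str      # customer identifier (constructed)
    purpose: str         # why the data is held, e.g. "invoice", "marketing"
    legal_basis: str     # "contract", "legal_obligation", "consent", "legitimate_interest"
    data: dict           # the personal data itself
    retain_until: date   # end of retention; for legal_obligation this is the statutory period
    restricted: bool = False  # set when erasure was requested but a legal hold applies


class PersonalDataStore:
    def __init__(self, today: date):
        self.today = today
        self.records: list[Record] = []

    def add(self, rec: Record) -> None:
        self.records.append(rec)

    def erase(self, subject_id: str) -> tuple[int, int]:
        """Right to erasure: delete everything the law does not oblige us to keep.
        Returns (deleted, retained)."""
        kept, deleted, retained = [], 0, 0
        for r in self.records:
            if r.subject_id != subject_id:
                kept.append(r)
            elif r.legal_basis == "legal_obligation" and r.retain_until > self.today:
                r.restricted = True      # keep for the archive only
                retained += 1
                kept.append(r)
            else:
                deleted += 1
        self.records = kept
        return deleted, retained

    def export(self, subject_id: str) -> str:
        """Right to data portability: structured, machine-readable JSON."""
        rows = [{"purpose": r.purpose, "legal_basis": r.legal_basis, "data": r.data,
                 "retain_until": r.retain_until.isoformat()}
                for r in self.records if r.subject_id == subject_id]
        return json.dumps({"subject_id": subject_id, "records": rows}, indent=2)

    def purge_expired(self) -> int:
        """Routine deletion of data whose retention period has lapsed."""
        before = len(self.records)
        self.records = [r for r in self.records if r.retain_until > self.today]
        return before - len(self.records)

    def usable_for(self, subject_id: str, purpose: str) -> list:
        """Records that may still be used for `purpose`; restricted ones are excluded."""
        return [r for r in self.records
                if r.subject_id == subject_id and r.purpose == purpose and not r.restricted]


def demo_store(today: date = date(2018, 6, 1)) -> PersonalDataStore:
    """Constructed sample data for one customer of a small e-shop."""
    s = PersonalDataStore(today)
    # invoice: an archiving law is assumed to require keeping it for 10 years
    s.add(Record("cust-42", "invoice", "legal_obligation",
                 {"name": "A. Example", "address": "1 Sample St"},
                 today + timedelta(days=365 * 10)))
    # newsletter address held on consent
    s.add(Record("cust-42", "marketing", "consent",
                 {"email": "a.example@example.invalid"}, today + timedelta(days=365)))
    # web log IP address (is it needed at all?), kept only briefly
    s.add(Record("cust-42", "weblog", "legitimate_interest",
                 {"ip": "203.0.113.7"}, today + timedelta(days=30)))
    return s


if __name__ == "__main__":
    store = demo_store()
    print("erased (deleted, retained):", store.erase("cust-42"))
    print(store.export("cust-42"))
```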


Safetica Technologies has made every attempt to ensure the accuracy and reliability of the information provided in the article and the discussion below. However, the information is provided “as is” without warranty of any kind. Safetica Technologies does not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained in the article.

This article has 26 comments

  1. Teodora

    Hello. I want to find out if we implement this GDPR at my company, it is mandatory to transfer all physical documents in digital format? If I have a physical contract for example, do I a have to put it in digital format?
    Thank you!

    • Matej Zachar

      Hello Teodora,

      No, GDPR does not require you to transfer any physical documents to digital form. It requires you to protect personal data in both physical and digital forms adequately.

      Best,
      Matej Zachar

  2. Teodora

    I have one more question. Could you suggest me modalities to implement this GDPR for my company? I found steps on the internet from other companies, but they don’t give me something to develop. They just write down some general steps. Thank you again!

    • Matej Zachar

      Hello Teodora,

      The answer is not that easy or straightforward, as GDPR will be implemented differently for an eshop with 1 employee than for an international corporate company. What I would give you would definitely be general ideas, because GDPR is a general ( 🙂 ) regulation that can be used for an organization of any size and industry.

      If you want to help with GDPR, please contact us via our contact form (http://www.safetica.com/contact-us) and we can direct you to the partner we have in your region to provide guidance specific for your industry, number of employees and country you are from.

      Best,
      Matej Zachar

  3. Gina

    Hi. My business provides offshoring support to clients, for which we communicate a lot in emails. All these emails contain signatures revealing name, email address and phone numbers. Since this information is personal data, what controls do I need to put in place for GDPR compliance?

    • Matej Zachar

      Hello Gina,

      Using such signatures is common for every business – the same as business cards, for example. It is a very specific processing – sending the contact details via email brings challenges for security, but the impact of an incident in this matter would be rather low (contact information to just 1-2 people most of the times if the email would be accessed by malicious 3rd party).

      In order to be compliant, as with any other processing, there are more things you should do. So just from the most important: you should think if you are sending just the minimum information, you should document the processing, think about rights of data subjects and establish appropriate security measures. In terms of security, I would focus on securing the access to the whole database of emails (on an email server) and consider using OpenPGP or similar service for email encryption.

      It is worth noting that in general it is more important to think about the personal data, that are being sent via email not in signatures, but in attachments.

      Best,
      Matej Zachar

  4. Robert Luckett

    Perhaps you could provide some insight on the following?

    A member of the public calls a customer service department. There is no previous consent or other legal basis for holding data on the subject. The phone system records the telephone number (if available), and the caller may (or not) provide further personal information during the call.

    1. If only the phone number is recorded, and no other consent is obtained, should the number be retained by the telephone system, and if so, could a call be returned to that number at any point in the future (and for any reason).

    2. If a caller does provide further identifying data (name etc.) during the call, is the fact that they initiated the call sufficient basis for recording that data, or must consent be requested and recorded, such as with a web site.

    • Matej Zachar

      Hi Robert,

      This concept is more related to the secrecy of communication – and it might be different according to the country you are from.

      Nevertheless, from the GDPR perspective, everything is related to your purpose for collecting the data. In general, you can collect the telephone number and/or the specific recording (regardless of whether the person stated his name or not – I would say that in 95% of cases there would be some introduction with a name anyway, for both sides to confirm they are talking to the right person), but you need to have a legal purpose to do so. If the purpose is, for example, retaining the quality of your customer service, a consent to recording might be necessary for saving this data in your database.

      Best,
      Matej Zachar

  5. Allister Burdett

    Hi there,

    All of the data we collect (names, tel nos and email) comes under the GDPR Article 6 (b) definition “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. Does active consent need to be sought from these contacts if we are using it solely for the purpose above and not (for example) Emarketing? Also, would including the 6 (b) definition in our standard terms and conditions of sale be sufficient protection provided we can evidence this to auditors?

    • Matej Zachar

      Hello Allister,

      I don't know much about your organization, but I recommend reviewing the personal data you are processing and the legal basis – for example, if you have at least 1 employee, you'll most probably process personal data about them for the purpose of fulfilling a legal obligation according to Article 6 (c). Direct marketing also falls under the "legitimate interest" of Article 6 (f) – see Preamble (47).

      Nevertheless, for your question, you should not require consent from data subjects if you have another license for the processing. The reason is that you would mislead the data subject into thinking it has different rights than it actually does.

      Also, mentioning the legal basis for processing is good, but I wouldn't consider it "sufficient protection" as you write. I would rather recommend running a GAP analysis to see everything you need to do to comply with GDPR.

      Best,
      Matej Zachar

  6. Paul

    Hi

    If we were to record ‘personality traits’ of a regular customer based on our experience talking to the customer, would this be considered personal data and would we need consent? Is this something we would have to provide if the customer requested a copy of their data? The personality information would be used to help sales staff communicate effectively with the customer.
    Thank you in advance.

    • Matej Zachar

      Hi Paul,

      Personal data is any information that you can link to a specific individual. So, if you are able to trace these ‘personality traits’ back to specific customers, it is considered a processing of personal data.

      Regarding the consent, you don't need it if the processing falls under a different subsection than (a) of Article 6, section 1 – it might fall under the "legitimate interest" of subsection (f), but it depends on how much information you really collect. I recommend consulting it with lawyers.

      In general, you don't ask for consent upon fulfilling a request for information (I think that your question is aimed that way), but before the beginning of processing.

      Best,
      Matej Zachar

  7. Danielle Dennis

    Hello,

    Do we have any information on how the enforcement / fining procedure will work once GDPR is established? Will companies receive warnings of noncompliance and be obligated to fix any issues within a designated time frame, or can people be immediately fined upon discovery of out-of-compliance web entities?

    • Matej Zachar

      Hello Danielle,

      The decision about the fines is solely the decision of the regulatory authority. From the day that GDPR comes into force, the authorities will be able to issue penalties according to the new rules.

      However, the fine does not necessarily need to be issued. If the regulatory authority decides to provide recommendations rather than a fine, that is in specific cases entirely possible.

      Best,
      Matej Zachar

  8. Robert

    Hi,
    First of all I want to congratulate you for the excellent article. I’ve been reading about GDPR all day today (4pm) and this one was the best. Firmly grounded, practical and with the strong scent of life.
    Now, my question:
    Since [email protected] or [email protected] are not connected to any natural person, they can be freely used for direct marketing purposes as they were until GDPR. If we get a response from some natural person who responds from [email protected] then we should acquire his/her fully GDPR compliant consent.
    Right or wrong?
    Thank you.

    Best Robert

    • Matej Zachar

      Dear Robert,

      Thanks for your feedback!

      For your question, it is important to understand the relation you have with these people first:
      – if you are using email addresses of your clients, they all fall under the "legitimate interest", so you can send newsletters to them even without consent (please refer to Preamble (47) of GDPR).
      – general email addresses are not considered personal data if you can't connect them to any physical person. So, you are right as long as you really don't know who you are contacting.
      – if you have no relation with these people (e.g. you collect the email addresses via a web form), you should require consent and provide the person with the option to unsubscribe at any time.

      Please note that GDPR might not be the only law related to direct marketing and the situation may vary according to the country you do business in.

      Best,
      Matej Zachar

  9. Stewart

    Thanks for this article. Although I’m still struggling to fully comprehend the impact of GDPR on my business, your examples have been very useful.

    I wonder if you have an opinion on the following. We currently store customer orders in our eshop and an internal production database. This data is used to generate internal reports – for example, average number of orders per customer, time between orders, top 10 customers etc. – and these reports depend on identifying orders to specific customers. If a customer requests the right to be forgotten, would we need to remove all of their previous order history from the eshop and our internal production database? This could cause a problem should a 'forgotten' customer return to us at some point in the future with a query relating to a 'forgotten' order.

    Many thanks

    Stewart

    • Matej Zachar

      Dear Stewart,

      Thanks for your comment.

      The right to be forgotten is not an absolute/ultimate right. If there is a legal requirement to process or archive personal data, the right to be forgotten can't be used. I recommend reviewing your local laws regarding archiving your financial records – in most countries you're obliged to preserve this data for more than 10 years.

      Best,
      Matej Zachar

  10. Daniel Kaiser

    Hello there.

    I work with a large public education entity.

    Could you point me toward the relevant analysis for Personal Data that is collected from persons located inside the USA (regardless of citizenship), who then subsequently move to the E.U./E.E.A. (again, regardless of citizenship)? I’m trying to determine whether the GDPR’s provisions will apply retroactively to data previously collected in the USA once the data subject is located in the E.U.

    Thank you!

    • Matej Zachar

      Dear Daniel,

      We are not aware of a specific public analysis on this topic.

      Nevertheless, you can refer to the general provisions of GDPR, which should give you an idea on this topic. Please see Article 3 of GDPR, specifically (2):

      "This Regulation applies to the processing of personal data of data subjects who are in the Union (…)"

      All the data you have about people that are now EU citizens fall under the scope of GDPR.

      Best,
      Matej Zachar

      • Daniel Kaiser

        That’s helpful Matej. Thank you.

  11. Han Jeff

    I have a question about a non-European company that hires European citizens.
    Do we need to get employees' explicit consent that we are using personal data for our company HR policy, to keep clear records of career development and for income tax filing, employee reimbursement and benefits?

    • Matej Zachar

      Hello Jeff,

      Thank you for your question.

      In general, you don't need consent for types of processing that fall under a different lawful basis of Article 6 (1) of GDPR. For some of the processing you mentioned (taxes, social insurance agenda etc.), there will be an obligation from law to do it. For others, you might have a legitimate interest (according to (f)) to do it.

      In those cases, the consent will be not required.

      Best,
      Matej Zachar
