Direct la conținutul principal
Logoul Comisiei Europene
Comisia Europeană

Obligations

Information on your obligations when processing data, such as data protection impact assessments, data protection officers, notification of data breaches and more.

Informing the individual about the processing of their personal data

What information must be given to individuals whose data is processed?

Information on the processing and individuals’ rights

When a company/organisation is processing personal data, it must inform the individuals concerned and provide them with certain information on the processing. Such information must include, among other things:

  • the name of the company or organisation (including the contact details of the Data Protection Officer, if there is one);
  • the purposes for which the company/organisation will use the data;
  • the categories of personal data concerned;
  • the legal basis for processing the data; and
  • the length of time for which the data will be stored.

A company/organisation must also inform the individuals concerned if it processes their personal data for automated decision-making, including the envisaged consequences of that processing. 

In situations where a company/organisation has not collected the personal data directly from an individual but obtained it from another source, it must also provide the individual with information about the sources of that personal data, including whether it comes from publicly accessible sources. 

Regardless whether the personal data has been collected directly from the individual or been obtained from another source, the individuals must also be made aware about their rights in relation to their personal data (such as the right of access and erasure) and their right to lodge a complaint on the processing with a Data Protection Authority (DPA).

Requirements for providing information and exceptions

A company/organisation must provide the information on the processing in a concise, transparent, intelligible way and drafted in clear and plain language.

When the personal data is collected directly from the individual, the above information must be provided at the time when that data is obtained, unless the individual already has that information. 

If the personal data is obtained from another source, the information must be provided at the latest within one month after the data has been obtained or when the company/organisation is first communicating with the individual concerned or when the data is first disclosed to another recipient. 

However, certain exceptions apply: no obligation to inform exists in so far as the individual already has the information, or if it proves impossible or would involve disproportionate effort to inform the individual, or if obtaining or disclosing the personal data of an individual is based on law.

References

Data protection by design and by default

What does data protection ‘by design’ and ‘by default’ mean?

Companies/organisations should implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). By default, companies/organisations should ensure that personal data is processed with the highest privacy protection; (for example only the data necessary for the purpose foreseen should be processed, the data shall be kept for the shortest possible time and personal data is made accessible only to a limited number of persons, on a need-to-know basis (‘data protection by default’).

Examples

Data protection by design
The use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them).

Data protection by default
A social media platform should set users’ profile settings in the most privacy-friendly setting, for example, by limiting from the start the accessibility of the users’ profile so that it is not accessible by default to an indefinite number of persons.

References

Security of personal data processing

What does a company/organisation need to do to ensure data security?

A company/organisation processing personal data is responsible for ensuring and demonstrating that the processing is carried out in a manner that ensures appropriate security of that data. This includes the protection against unauthorised access, unlawful processing and accidental loss, damage or destruction. 

To that end, the company/organisation is obliged to undertake appropriate technical and organisational measures. Those measures need to be adjusted to the likelihood and severity of the risk that the processing poses to the individuals concerned, taking into account, for instance, the nature, scope, context and purposes of the processing. 

The measures undertaken could for instance include:

  • pseudonymisation of personal data;
  • encryption of personal data;
  • ability to restore the availability and access to data in a timely manner (cases of physical or technical incident);
  • a process to regularly test and evaluate the effectiveness of technical and organisational data security measures.

Adhering to an approved code of conduct or certification mechanism may be used as one element to demonstrate compliance with the requirement to ensure the security of personal data. 

In addition to the measures mentioned above, the controller and the processor are obliged to ensure that any individual who processes personal data under their authority does so only on the basis of instructions from the controller, unless that processing is based on law.

References

Notifying data breaches

What is a data breach and what does a company/organisation have to do in case of a data breach?

A data breach occurs when the data for which a company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, the company/organisation must notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. If the company/organisation is a data processor it must notify every data breach to the data controller.

If the data breach poses a high risk to the individuals concerned , they must also be informed, unless effective technical and organisational protection measures had already been put in place and applied to the affected personal data, or other measures have been taken after the breach that ensure that that risk is no longer likely to materialise.

It is vital for a company/organisation to implement appropriate technical and organisational measures to avoid possible data breaches. 

Examples

Organisation must notify the DPA and individuals
The personal data of a textile company’s employees has been disclosed. The data included the personal addresses, family composition, monthly salary and medical claims of each employee. In that case, the textile company must inform the supervisory authority of the breach. Since the personal data includes sensitive data, such as health data, the company must notify the employees as well.

A hospital employee decides to copy patients’ details onto a CD and publishes them online. The hospital finds out about this data breach a few days later. As soon as the hospital finds out, it has 72 hours to inform the supervisory authority. Since the personal details contain sensitive information, such as whether a patient has cancer, is pregnant, etc., the hospital  must inform the patients as well. In this case, there would be doubts about whether the hospital has implemented appropriate technical and organisational measures to ensure data security.  If it had indeed implemented appropriate measures (for example encrypting the data), a material risk would be unlikely and it could be exempt from notifying the patients affected.

Company must notify clients and they may then have to notify the DPA and individuals
A cloud service loses several hard drives containing personal data belonging to several of its clients. It must notify those clients as soon as it becomes aware of the breach. Its clients must notify the DPA and the individuals depending on the data that was processed by the data processor.

References

Data Protection Impact Assessment (DPIA)

When is a Data Protection Impact Assessment (DPIA) required?

A DPIA is required when processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases:

  • a systematic and extensive evaluation of the personal aspects of an individual based on automated processing, including profiling;
  • processing of sensitive data on a large scale;
  • systematic monitoring of public areas on a large scale.

National Data Protection Authorities (DPAs), in cooperation with the European Data Protection Board, shall provide lists of processing operations for which a DPIA is required. 

The DPIA should be conducted before the processing begins and should be considered as a living tool, not merely as a one-off exercise. Where there are residual risks that cannot be mitigated by the measures put in place, the DPA must be consulted prior to the start of the processing.

If the processing is based on law which regulates the specific processing operation or operations and DPIA has been carried out as part of a general impact assessment when adopting that law, there is no obligation to conduct a separate DPIA, unless the Member State in question considers it necessary.

Examples

DPIA required
A bank screening its customers against a credit reference database; a hospital about to implement a new health information database with patients’ health data; a bus operator about to implement on-board cameras to monitor drivers’ and passengers’ behaviour.

DPIA not required
A community doctor processing personal data of his patients. In this case, there is no need for a DPIA since the processing by the community doctors (as far as the number of patients) is low (i.e. not large-scale processing).

References

Data Protection Officer

When does a company/organisation need to have a Data Protection Officer (DPO)?

A company/organisation needs to appoint a DPO, whether it is a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals. In that respect, monitoring the behaviour of individuals includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.

Public administrations always have an obligation to appoint a DPO, except for courts when they act in their judicial capacity.

The DPO may be a staff member of a company/organisation or may be contracted externally on the basis of a service contact. The DPO can be an individual or an organisation and must have the necessary expertise in data protection law and practices.

Examples

DPO mandatory
A DPO is mandatory for example when a company/organisation is:

  • a hospital processing large sets of sensitive data;
  • a security company responsible for monitoring shopping centres and public spaces;
  • a small head-hunting company that profiles individuals.

DPO not mandatory
A DPO is not mandatory if the processing is carried out by:

  • a local community doctor processing patients’ personal data, including health data, but only to a limited amount;
  • a small law firm processing its clients’ personal data.

References

What are the responsibilities of a Data Protection Officer (DPO)?

The DPO assists the controller or the processor in all issues relating to the protection of personal data. In particular, the DPO must:

  • inform and advise the controller or processor, as well as their employees, of their obligations under data protection law;
  • monitor compliance of the organisation with all legislation in relation to data protection, including in audits, awareness-raising activities as well as training of staff involved in processing operations;
  • provide advice where a DPIA has been carried out and monitor its performance;
  • act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights;
  • cooperate with DPAs and act as a contact point for DPAs on issues relating to processing.

The organisation must involve the DPO properly and in a timely manner in all issues concerning the protection of personal data. The DPO must not receive any instructions from the controller or processor for the exercise of their tasks and must be able to carry out their tasks and duties in an independent manner. The DPO should report directly to the highest level of management of the organisation.

Reference