What data can we process and under which conditions?
When processing personal data, a company/organisation must respect the 7 key principles set out in the GDPR. These are:
- Lawfulness, fairness and transparency: Personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed.
- Purpose limitation: The company/organisation may collect and otherwise process personal data only for a specific purpose, which must be indicated to individuals when obtaining their personal data.
- Data minimisation: The company/organisation must collect and process only the personal data that is necessary to fulfil that purpose.
- Storage limitation: The company or organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected.
- Accuracy: The company/organisation must ensure the personal data is accurate and up to date, taking into account the purposes for which it is processed, and correct it if not.
- Integrity and confidentiality: The company/organisation must implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology.
- Accountability: The company/organisation is responsible for complying with all principles of data processing and for demonstrating its compliance when required.
References
What information must be given to individuals whose data is processed?
When a company/organisation processes personal data of an individual, it must provide that individual, among other things, with the following information:
- its name (including the contact details of its data protection officer, if there is one)
- the purposes for which it will use that personal data
- the categories of personal data concerned
- the legal basis for processing the personal data
- the length of time for which the personal data will be stored
- other companies or organisations that will receive the personal data
- whether data will be transferred outside the EU
- the basic data protection rights of the individual whose personal data is processed (for example, the right to access and transfer data or have it removed)
- the individual’s right to lodge a complaint with a Data Protection Authority (DPA)
- the individual’s right to withdraw his/her consent at any time
- the use of automated decision-making and the logic involved in it, including the consequences of its use.
When a company/organisation has not obtained the personal data directly from an individual but from another source, it must provide that individual with the same information as above (apart from the right to withdraw consent).
In addition, it should inform the individual from which sources the personal data originates and whether it comes from publicly accessible sources.
In this case, the company/organisation must inform the individual at the latest within one month after the data has been obtained or when the company/organisation is first communicating with that individual, unless it improves impossible or would involve disproportionate effort to inform the individual, or obtaining the information from that individual is based on law.
The company/organisation processing individual’s personal data must present all the above-mentioned information to the individual concerned in a concise, transparent, intelligible way and drafted in clear and plain language.
References
Can data be processed for any purpose?
The purpose for processing personal data must be known and the individuals whose data is processed must be informed about it.
It is not possible to simply indicate that personal data will be collected and processed. This is known as the ‘purpose limitation’ principle.
Can we use data for another purpose?
In some situations when a company/organisation has collected data on legal bases such as legitimate interest, a contract or vital interests, it may be possible for that company/organisation to use the data for another purpose but only after checking that the new purpose is compatible with the original purpose for which the data has been collected.
The following points should be considered to assess the compatibility of the new purpose with the original purpose:
- the link between the original purpose and the new/upcoming purpose;
- the context in which the data was collected (what is the relationship between your company/organisation and the individual?);
- the type and nature of the data (is it sensitive?);
- the possible consequences of the intended further processing (how will it impact the individual?);
- the existence of appropriate safeguards (such as encryption or pseudonymisation).
If your company/organisation wants to further process the data for statistical or for scientific research purposes, it is not necessary to run the above-mentioned compatibility test since those purposes are presumed to be compatible with the initial purposes.
However, processing for those purposes requires a company/organisation to ensure that appropriate safeguards are in place for the rights and freedoms of individuals whose personal data is processed.
Examples
Further processing is possible
A bank has a contract with a client to provide the client with a bank account and a personal loan.
At the end of the first year the bank uses the client’s personal data to check whether they are eligible for a better type of loan and a savings scheme. It informs the client.
The bank can further process the data of the client for the new purposes as they are compatible with the initial purposes for which data was processed.
Further processing is not possible
The same bank wants to share the client’s data with insurance firms, based on the same contract for a bank account and a personal loan.
That processing is not permitted without the explicit consent of the client as the new purpose of the subsequent processing is not compatible with the initial purpose for which the data was processed.
References
- Articles 5(1)(b), 6(4) and 89(1) and Recitals 39 and 50 of the GDPR
How much data can be collected?
Personal data should only be processed where it is not reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data.
Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the purpose (‘data minimisation’).
It is a company/organisation's responsibility as controller to assess how much data is needed and ensure that irrelevant data is not collected.
Example
A company/organisation offers car-sharing services to individuals.
For those services it may require the name, address and credit card number of customers and potentially even information on whether the person has a disability (so health data), but not their racial origin.
References
For how long can data be kept?
Personal data must be stored for the shortest time possible.
That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
Your company/organisation should establish time limits to erase or review the data stored.
By way of exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, pseudonymisation, etc.).
Example
Data kept for too long
A company/organisation runs a recruitment office and for that purpose it collects CVs of persons seeking employment and who, in exchange for your intermediary services, pay you a fee.
You plan to keep the data for 10 years. The storage period does not seem proportionate to the purpose of finding employment for a person in the short to medium term.
References
Is it necessary to update stored data?
A company/organisation must ensure that the data held is accurate and kept up-to-date.
If personal data is inaccurate, it must rectified or deleted without delay, taking into account the purposes for which it is processed.
Example
The recruitment office ran by company/organisation collects CVs of persons seeking employment and intends to keep those CVs for 10 years, unless persons concerned ask for their deletion.
Given the purpose of the personal data collected and the long period time it is potentially kept, the recruitment office must ensure that the data is kept up-to-date.
Without such updates some of the searches are rendered useless for people seeking employment if, for instance, that person has gained new qualifications.
References
What does data protection ‘by design’ and ‘by default’ mean?
Companies/organisations should implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’).
By default, companies/organisations should ensure that personal data is processed with the highest privacy protection: for example, only the data necessary for the purpose foreseen should be processed; the data shall be kept for the shortest possible time; and personal data is made accessible only to a limited number of persons, on a need to know basis (‘data protection by default’).
For more information on the technical and organisational measures needed for data security, see Obligations.
Examples
Data protection by design
The use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them).
Data protection by default
A social media platform should set users’ profile settings in the most privacy-friendly setting, for example, by limiting from the start the accessibility of the users’ profile so that it is not accessible by default to an indefinite number of persons.
References
How can a company/organisation demonstrate that it is compliant with the GDPR?
The principle of accountability is a cornerstone of the GDPR. According to the GDPR, a company/organisation is responsible for complying with all data protection principles and is also responsible for demonstrating its compliance with them.
The GDPR provides companies/organisations with tools to help them comply with the requirements stemming from the legislation.
For example, data controllers can choose to use voluntary tools such as codes of conduct and certification mechanisms to demonstrate their compliance with the applicable data protection rules and principles.
A company may adhere to a national or transnational GDPR code of conduct prepared by a business association which has been approved by the competent DPA.
A company may also adhere to an approved national or EU-wide GDPR certification mechanism operated by an accredited certification body.
Both codes of conduct and certification are optional instruments and therefore it is up to the company/organisation to decide whether to adhere to a given GDPR code of conduct or to request a GDPR certification.
While the company/organisation still has to respect and comply with the GDPR, adherence to such instruments shall be taken into consideration, should an alleged violation of GDPR rules require the DPA to investigate that company/organisation’s conduct.
Example
The national umbrella insurance body in the EU Member State of a company/organisation has established a national GDPR code of conduct approved by the competent supervisory authority. A number of rival insurance firms have adhered to the Code.
While adhering to the code is voluntary, it helps in demonstrating compliance with the GDPR and consequently, gaining the trust of the firm’s clients.