GDPR in a nutshell

  • What is GDPR and does it refer to my organization?

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

It applies to all organisations and other legal entities, as well as individuals, who handle any personal data of EU citizens.

More about GDPR can be found here.

  • What is personal data according to GDPR? What are the rules of handling personal data according to GDPR?

The type and amount of personal data a company/organisation may process depends on the reason for processing it (legal reason used) and the intended use. The company/organisation must respect several key rules, including:

  • personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed (‘lawfulness, fairness and transparency’);
  • there must be specific purposes for processing the data and the company/organisation must indicate those purposes to individuals when collecting their personal data. A company/organisation can’t simply collect personal data for undefined purposes (‘purpose limitation’);
  • the company/organisation must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’);
  • the company/organisation must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not (‘accuracy’);
  • the company/organisation can’t further use the personal data for other purposes that aren’t compatible with the original purpose;
  • the company/organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’);
  • the company/organisation must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).

  • Can data be processed for any purpose?

No. The purpose for processing of personal data must be known and the individuals whose data you’re processing must be informed. It is not possible to simply indicate that personal data will be collected and processed. This is known as the ‘purpose limitation’ principle.

  • Can we use data for another purpose?

Yes, but only in some cases. If your company/organisation has collected data on the basis of legitimate interest, a contract or vital interests it can be used for another purpose but only after checking that the new purpose is compatible with the original purpose.

The following points should be considered:

  • the link between the original purpose and the new/upcoming purpose;
  • the context in which the data was collected (what is the relationship between your company/organisation and the individual?);
  • the type and nature of the data (is it sensitive?);
  • the possible consequences of the intended further processing (how will it impact the individual?);
  • the existence of appropriate safeguards (such as encryption or pseudonymisation).

If your company/organisation wants to use the data for statistics or for scientific research it is not necessary to run the compatibility test.

If your company/organisation has collected the data on the basis of consent or following a legal requirement, no further processing beyond what is covered by the original consent or the provisions of the law is possible. Further processing would require obtaining new consent or a new legal basis.

  • What information must be given to individuals whose data is collected?

At the time of collecting their data, people must be informed clearly about at least:

  • who your company/organisation is (your contact details, and those of your DPO if any);
  • why your company/organisation will be using their personal data (purposes);
  • the categories of personal data concerned;
  • the legal justification for processing their data;
  • for how long the data will be kept;
  • who else might receive it;
  • whether their personal data will be transferred to a recipient outside the EU;
  • that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
  • their right to lodge a complaint with a Data Protection Authority (DPA);
  • their right to withdraw consent at any time;
  • where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.

An example of such a formula developed by participants of the project can be found here:

More detailed information about information clauses can be found here.

  • How much data can we collect?

Personal data should only be processed where it isn’t reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data. Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the purpose (‘data minimisation’). It’s your company/organisation’s responsibility as controller to assess how much data is needed and ensure that irrelevant data isn’t collected.

  • Does my company/organisation need to have a Data Protection Officer (DPO)?

Your company/organisation needs to appoint a DPO, whether it’s a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals. In that respect, monitoring the behaviour of individuals includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.

The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contract. A DPO can be an individual or an organisation.

  • How can I demonstrate that my NGO is compliant with the GDPR?

The principle of accountability is a cornerstone of the General Data Protection Regulation (GDPR). According to the GDPR, a business/organisation is responsible for complying with all data protection principles and is also responsible for demonstrating compliance. The GDPR provides businesses/organisations with a set of tools to help demonstrate accountability, some of which have to be mandatorily put in place.

For example, in specific cases the establishment of a DPO or conducting data protection impact assessments (DPIA) may be mandatory. Data controllers can choose to use other tools such as codes of conduct and certification mechanisms to demonstrate compliance with data protection principles.

You may adhere to a Code of Conduct prepared by a business association which has been approved by a DPA. A Code of Conduct may be given EU-wide validity through an implementing act of the Commission.

You may adhere to a certification mechanism operated by one of the certification bodies that have received accreditation from a DPA or a national accreditation body or both, as decided in each EU Member State.

Both codes of conduct and certification are optional instruments and therefore it is up to your company/organisation to decide whether to adhere to a given code of conduct or to request certification. While your company/organisation still has to respect and comply with the GDPR, adherence to such instruments might be taken into consideration in the case of an enforcement measure against you for a breach of the GDPR.

  • Where can I find reliable information regarding GDPR?

We highly recommend the official European Commission page, where you can find all crucial legal acts, examples of practical implementation, and answers to most common questions. Please check https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en
