Contents
• What data can we process and under which conditions?
• The type and amount of personal data a company/organisation may process depends on the reason for processing it (legal reason used) and the intended use. The company/organisation must respect several key rules, including:
• personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed (‘lawfulness, fairness and transparency’);
• there must be specific purposes for processing the data and the company/organisation must indicate those purposes to individuals when collecting their personal data. A company/organisation can’t simply collect personal data for undefined purposes (‘purpose limitation’);
• the company/organisation must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’);
• the company/organisation must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not (‘accuracy’);
• the company /organisation can’t further use the personal data for other purposes that aren’t compatible with the original purpose;
• the company/organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’);
• the company/organisation must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).
• Can data be processed for any purpose?
• No. The purpose for processing of personal data must be known and the individuals whose data you’re processing must be informed. It is not possible to simply indicate that personal data will be collected and processed. This is known as the ‘purpose limitation’ principle.
Can we use data for another purpose?
• Yes, but only in some cases. If your company/organisation has collected data on the basis of legitimate interest, a contract or vital interests it can be used for another purpose but only after checking that the new purpose is compatible with the original purpose.
• The following points should be considered:
• the link between the original purpose and the new/upcoming purpose;
• the context in which the data was collected (what is the relationship between your company/organisation and the individual?);
• the type and nature of the data (is it sensitive?);
• the possible consequences of the intended further processing (how will it impact the individual?);
• the existence of appropriate safeguards (such as encryption or pseudonymisation).
• If your company/organisation wants to use the data for statistics or for scientific research it is not necessary to run the compatibility test.
• If your company/organisation has collected the data on the basis of consent or following a legal requirement, no further processing beyond what is covered by the original consent or the provisions of the law is possible. Further processing would require obtaining new consent or a new legal basis.
• How much data can be collected? Personal data should only be processed where it isn’t reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data. Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the purpose (‘data minimisation’). It’s your company/organisation's responsibility as controller to assess how much data is needed and ensure that irrelevant data isn’t collected.
• For how long can data be kept and is it necessary to update it? Data must be stored for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.). Your company/organisation should establish time limits to erase or review the data stored.
• By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.). Your company/organisation must also ensure that the data held is accurate and kept up-to-date.
• What information must be given to individuals whose data is collected? At the time of collecting their data, people must be informed clearly about at least:
• who your company/organisation is (your contact details, and those of your DPO if any);
• why your company/organisation will be using their personal data (purposes);
• the categories of personal data concerned;
• the legal justification for processing their data;
• for how long the data will be kept;
• who else might receive it;
• whether their personal data will be transferred to a recipient outside the EU;
• that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
• their right to lodge a complaint with a Data Protection Authority (DPA);
• their right to withdraw consent at any time;
• where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
• The information may be provided in writing, orally at the request of the individual when identity of that person is proven by other means, or by electronic means where appropriate. Your company/organisation must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.
• When data is obtained from another company/organisation, your company/organisation should provide the information listed above to the person concerned at the latest within 1 month after your company obtained the personal data; or, in case your company/organisation communicate with the individual, when the data is used to communicate with them; or, if a disclosure to another company is envisaged, when the personal data was first disclosed.
• Your company/organisation is also required to inform the individual of the categories of data and the source from which it was obtained including if it was obtained from publicly accessible sources. Under specific circumstances listed in Articles 13(4) and 14(5) of the GDPR your company/organisation may be exempted from the obligation to inform the individual. Please check whether that exemption applies to your company/organisation.
• What data can we process and under which conditions? The type and amount of personal data a company/organisation may process depends on the reason for processing it (legal reason used) and the intended use. The company/organisation must respect several key rules, including:
• personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed (‘lawfulness, fairness and transparency’);
• there must be specific purposes for processing the data and the company/organisation must indicate those purposes to individuals when collecting their personal data. A company/organisation can’t simply collect personal data for undefined purposes (‘purpose limitation’);
• the company/organisation must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’);
• the company/organisation must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not (‘accuracy’);
• the company /organisation can’t further use the personal data for other purposes that aren’t compatible with the original purpose;
• the company/organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’);
• the company/organisation must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).
• What rules apply if my organisation transfers data outside the EU? In today’s globalised world, there are large amounts of cross-border transfers of personal data, which are sometimes stored on servers in different countries. The protection offered by the General Data Protection Regulation (GDPR) travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands. This also applies when data is transferred to a country which is not a member of the EU (hereinafter referred to as 'third country').
• The GDPR provides different tools to frame data transfers from the EU to a third country:
• sometimes, a third country may be declared as offering an adequate level of protection through a European Commission decision (‘Adequacy Decision’), meaning that data can be transferred with another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions. In other words, the transfers to an ‘adequate’ third country will be comparable to a transmission of data within the EU.
• in the absence of an Adequacy Decision, a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include:
• in the case of a group of undertakings, or groups of companies engaged in a joint economic activity, companies can transfer personal data based on so-called binding corporate rules;
• contractual arrangements with the recipient of the personal data, using, for example, the standard contractual clauses approved by the European Commission;
• adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.
• finally, if a transfer of personal data is envisaged to a third country that isn’t the subject of an Adequacy Decision and if appropriate safeguards are absent, a transfer can be made based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.
Save As PDF
Title:
Application of the General Data Protection Regulation
Keywords
Data protection, Rights, Obligations, Registration, Brand
Author:
AE
Languages:
English
Description:
• What data can we process and under which conditions?
• The type and amount of personal data a company/organisation may process depends on the reason for processing it (legal reason used) and the intended use. The company/organisation must respect several key rules, including:
• personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed (‘lawfulness, fairness and transparency’);
• there must be specific purposes for processing the data and the company/organisation must indicate those purposes to individuals when collecting their personal data. A company/organisation can’t simply collect personal data for undefined purposes (‘purpose limitation’);
• the company/organisation must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’);
• the company/organisation must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not (‘accuracy’);
• the company /organisation can’t further use the personal data for other purposes that aren’t compatible with the original purpose;
• the company/organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’);
• the company/organisation must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).
• Can data be processed for any purpose?
• No. The purpose for processing of personal data must be known and the individuals whose data you’re processing must be informed. It is not possible to simply indicate that personal data will be collected and processed. This is known as the ‘purpose limitation’ principle.
Can we use data for another purpose?
• Yes, but only in some cases. If your company/organisation has collected data on the basis of legitimate interest, a contract or vital interests it can be used for another purpose but only after checking that the new purpose is compatible with the original purpose.
• The following points should be considered:
• the link between the original purpose and the new/upcoming purpose;
• the context in which the data was collected (what is the relationship between your company/organisation and the individual?);
• the type and nature of the data (is it sensitive?);
• the possible consequences of the intended further processing (how will it impact the individual?);
• the existence of appropriate safeguards (such as encryption or pseudonymisation).
• If your company/organisation wants to use the data for statistics or for scientific research it is not necessary to run the compatibility test.
• If your company/organisation has collected the data on the basis of consent or following a legal requirement, no further processing beyond what is covered by the original consent or the provisions of the law is possible. Further processing would require obtaining new consent or a new legal basis.
• How much data can be collected? Personal data should only be processed where it isn’t reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data. Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the purpose (‘data minimisation’). It’s your company/organisation's responsibility as controller to assess how much data is needed and ensure that irrelevant data isn’t collected.
• For how long can data be kept and is it necessary to update it? Data must be stored for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.). Your company/organisation should establish time limits to erase or review the data stored.
• By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.). Your company/organisation must also ensure that the data held is accurate and kept up-to-date.
• What information must be given to individuals whose data is collected? At the time of collecting their data, people must be informed clearly about at least:
• who your company/organisation is (your contact details, and those of your DPO if any);
• why your company/organisation will be using their personal data (purposes);
• the categories of personal data concerned;
• the legal justification for processing their data;
• for how long the data will be kept;
• who else might receive it;
• whether their personal data will be transferred to a recipient outside the EU;
• that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
• their right to lodge a complaint with a Data Protection Authority (DPA);
• their right to withdraw consent at any time;
• where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
• The information may be provided in writing, orally at the request of the individual when identity of that person is proven by other means, or by electronic means where appropriate. Your company/organisation must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.
• When data is obtained from another company/organisation, your company/organisation should provide the information listed above to the person concerned at the latest within 1 month after your company obtained the personal data; or, in case your company/organisation communicate with the individual, when the data is used to communicate with them; or, if a disclosure to another company is envisaged, when the personal data was first disclosed.
• Your company/organisation is also required to inform the individual of the categories of data and the source from which it was obtained including if it was obtained from publicly accessible sources. Under specific circumstances listed in Articles 13(4) and 14(5) of the GDPR your company/organisation may be exempted from the obligation to inform the individual. Please check whether that exemption applies to your company/organisation.
• What data can we process and under which conditions? The type and amount of personal data a company/organisation may process depends on the reason for processing it (legal reason used) and the intended use. The company/organisation must respect several key rules, including:
• personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed (‘lawfulness, fairness and transparency’);
• there must be specific purposes for processing the data and the company/organisation must indicate those purposes to individuals when collecting their personal data. A company/organisation can’t simply collect personal data for undefined purposes (‘purpose limitation’);
• the company/organisation must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’);
• the company/organisation must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not (‘accuracy’);
• the company /organisation can’t further use the personal data for other purposes that aren’t compatible with the original purpose;
• the company/organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’);
• the company/organisation must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).
• What rules apply if my organisation transfers data outside the EU? In today’s globalised world, there are large amounts of cross-border transfers of personal data, which are sometimes stored on servers in different countries. The protection offered by the General Data Protection Regulation (GDPR) travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands. This also applies when data is transferred to a country which is not a member of the EU (hereinafter referred to as 'third country').
• The GDPR provides different tools to frame data transfers from the EU to a third country:
• sometimes, a third country may be declared as offering an adequate level of protection through a European Commission decision (‘Adequacy Decision’), meaning that data can be transferred with another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions. In other words, the transfers to an ‘adequate’ third country will be comparable to a transmission of data within the EU.
• in the absence of an Adequacy Decision, a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include:
• in the case of a group of undertakings, or groups of companies engaged in a joint economic activity, companies can transfer personal data based on so-called binding corporate rules;
• contractual arrangements with the recipient of the personal data, using, for example, the standard contractual clauses approved by the European Commission;
• adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.
• finally, if a transfer of personal data is envisaged to a third country that isn’t the subject of an Adequacy Decision and if appropriate safeguards are absent, a transfer can be made based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.