Data protection & GDPR
Latest update: Sept. 27, 2021
Data, including personal data, is processed on a daily basis. EU data protection law affects a wide range of organizations, such as businesses, not-for-profits, municipalities, authorities and more. Almost all organizations process personal data in some way, for example personal data belonging to their customers, their employees or their members. It is important that organizations, of whatever nature, understand their obligations towards those whose personal data they are processing and what is required of them to ensure they are processing this personal data in a lawful way.
Data protection is governed throughout the EU by the General Data Protection Regulation, known as the GDPR. This piece of law ensures that personal data is protected to an appropriate standard and that businesses and organizations that process this personal data do so in a fair, transparent and responsible way. In this text we will briefly describe what is considered personal data, when an organization is considered to be processing personal data and, at a high level, how organizations can do so in a lawful way.
What is personal data?
Personal data is any information which directly or indirectly relates to or concerns an identified or identifiable living natural person. Different pieces of information which, when combined, can result in the identification of a particular person can also amount to personal data. Picture and sound data about a natural person also count as personal data, even if no names are mentioned. Encrypted or coded information is also personal data if someone has a key that can link it to a person.
To determine if something is personal data, a good question to ask is whether the information, on its own or in combination with other information, can be used to distinguish an individual from others. This can be broken down into 4 steps or criteria which can be used to identify personal data, all of which must be met for the information to count as personal data.
Some examples of personal data include:
- Email address
- Identification number
- An Internet Protocol (IP) address
Examples of information not considered personal data:
- Company registration number
- Anonymized data
Additionally, it is important to know that certain types of personal data are considered ‘special categories’ of personal data. This data is more sensitive than other personal data and as a result needs even more protection. It includes, for example, ethnic origin, religious belief, genetic data, health data and more.
When is personal data considered as being processed?
Almost anything an organization does with personal data, and every action taken with it, is considered processing. Processing is an operation or set of operations carried out on personal data, either by automated or manual means. This includes collecting, storing, analyzing, aggregating, sharing, deleting, amending, recording and using personal data, and more. Processing begins when an organization collects personal data and continues until the personal data is securely destroyed once it is no longer needed. The GDPR is technology neutral and protects personal data regardless of how it is processed. Some practical examples of processing include sending marketing emails, maintaining employee records and payroll, collecting and using data gathered by a survey, and more.
As mentioned, the GDPR applies to processing done entirely or partially by automated means, in other words wholly or partly without human intervention. It also applies to non-automated processing if it is part of a structured filing system, i.e. it is organized according to pre-defined criteria.
Controllers and processors
There are 2 roles that organizations can take when processing personal data. Understanding which role an organization has is important in order to understand what responsibilities it has under the GDPR.
An organization processing personal data is considered to be either a controller or a processor. As you will see below, whether an organization is a controller or a processor is not a question for individual interpretation but is set out in the law. Both controllers and processors have responsibilities under the GDPR and risk large fines and compensation claims if they do not meet their obligations under the GDPR.
What constitutes a controller and a processor is defined specifically in the GDPR, but generally a controller is an individual or organization that decides why and how personal data is processed. It is therefore not a manager at a workplace or an employee who is responsible for personal data, but the company that employs them. That said, a natural person who trades as a sole trader can also be responsible for the processing of personal data. A processor, on the other hand, is an individual or organization that processes personal data on behalf of the data controller. To further explain: a controller decides, for example, how personal data will be collected, why it is collected, what it is going to be used for, who it will be shared with and more. The processor does not have any decision-making autonomy over the personal data; it does not decide to collect personal data, what personal data should be collected or similar. It simply follows instructions and does with the personal data what the controller tells it to. A processor is always outside the controller's organization and can be a natural or legal person, public authority, institution or other body.
It’s important to remember that an organization can be a controller and a processor at the same time. In one processing activity they can be a controller and in another a processor, which is why we always recommend that organizations assess and document the role they have in each processing activity.
I am processing personal data, does that mean I am subject to the GDPR?
The GDPR covers processing of personal data by controllers and processors who are:
- established in the EU, regardless of whether the processing happens in the EU or not,
- not established in the EU but processing the personal data of data subjects (the people whose personal data is collected) in the EU in connection with offering goods or services or monitoring behavior, or
- not established in the EU but established somewhere where EU law applies by virtue of public international law.
There are some exclusions from the scope of the GDPR, but they are very narrow. These include processing outside the scope of EU law, such as national security activities, processing for law enforcement and public security, and processing for purely household purposes.
How can an organization process personal data in a lawful way?
The GDPR requires that personal data covered by its protections is processed according to certain principles, which we have summarized here. Processing of personal data must be done transparently: people whose personal data is being processed must be openly informed of this and given specific information. Processing of personal data should only be done for a limited purpose, and only the minimum personal data required for that purpose should be collected and processed. Personal data which is being processed must be kept secure, up to date and accurate, and stored only for as long as it is needed and relevant to the purpose for which it was processed.
Processing of personal data can only be done if the organization processing the personal data has a legal basis to do so. The GDPR provides six different bases for processing. A processor must have a lawful basis for each processing activity. We do not recommend relying on more than one lawful basis per processing activity. Organizations processing special categories of personal data, as explained above, can only do so subject to certain exceptions, in addition to meeting one of the six lawful bases mentioned above. In addition, organizations wanting to send personal data outside of the European Economic Area can also only do so with a lawful basis.
Organizations subject to the GDPR should understand their responsibilities and ensure that they fulfil them.
Organizations should map out the personal data they are processing and determine whether they are acting in the role of controller, joint controller or processor for each processing activity.