As soon as you have one employee, you keep a personnel file about them and process their data as part of payroll accounting. Because of this processing, your employees also fall under the GDPR.
Keep in mind that you will not only process ordinary personal data of your employees but also so-called special categories of personal data, e.g. the religious affiliation of your staff (to grant days off for religious holidays) or their trade union membership, cf. Article 9.
These special categories of personal data merit specific protection, as the context of their processing could create significant risks to fundamental rights and freedoms; for example, the publication of an employee's religious affiliation could lead to disadvantages or bullying.
The GDPR contains rules for the protection of natural persons with regard to the processing of personal data. It has been in force since May 25th, 2018 and therefore applies to all organisations that are based in Europe or that offer products and/or services to customers in Europe.
It applies not only to organisations but also to businesses, authorities, clubs and individuals that process personal data outside the private or domestic sphere.
The heart of the GDPR is the set of principles relating to the processing of personal data laid down in Article 5, e.g. data minimisation and storage limitation.
The GDPR demands measures that are appropriate and state of the art, but it does not prescribe exactly what has to be done, cf. Article 25 GDPR.
Appropriate here means that you need an up-to-date firewall, an up-to-date virus scanner and malware protection. You should also encrypt your data by default and test your backup and recovery system regularly so that you can actually restore backups in an emergency. Introducing a password policy (length is what matters most!) and using separate user accounts and passwords for different areas are important contributions to data protection.
As soon as you notice a personal data breach, you have to notify the data protection authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. You then have to demonstrate the technical and organisational measures that are in place to contain the incident.
Incidents have to be documented in any case.
Take note: even the loss of a mobile phone or a USB memory stick with addresses on it is a data breach and has to be reported.
Recent example: a lost USB memory stick cost Heathrow Airport in London a financial penalty of 120.000 GBP.
The GDPR requires you to keep a record of processing activities, see Article 30 GDPR. On request, the data controller or the data processor has to provide this record to the authority.
In the ROPA you have to list every single processing activity. The ROPA describes the exact use of the data, the technical and organisational measures you have in place to protect it, who is affected by each processing activity, who its recipients are, and which data processors are involved. A basic risk analysis should also be part of the ROPA.
easyGDPR helps you generate your own Record of Processing Activities (ROPA).
Personal data means any information relating to an identified or identifiable natural person. As soon as you can directly or indirectly identify a natural person from data such as names, location data or customer IDs, that data is considered personal data (Article 4 GDPR).
That depends entirely on your company. Many organisations will certainly have to make additional security arrangements for their software and hardware; in others these arrangements may already be in place and there is little left to do. In any case, data protection should be taken seriously. Since the GDPR came into force, simply ignoring data protection has had bigger repercussions. It seems that penalties imposed on SMEs have already been up to 500 – 5.000 EUR. You can find more information about the risks of non-compliance with the GDPR here.
The GDPR also demands data protection by default and by design, which means that suitable technical and organisational measures have to be taken to fulfil the GDPR principles and to protect data subjects.
The GDPR is also an opportunity for many organisations to minimise existing risks and to position themselves on the market as reliable partners who take data protection seriously.
If you do not adhere to the GDPR, damage from the following areas can occur:
- Damage from avoidable data loss,
- Penalties from the authority (appropriate and effective, up to €20m or 4% of your organisation’s annual global turnover),
- Indemnity claims from data subjects (also the lawyer’s fee for the enforcement),
- Reputational damage for the organisation if a data breach becomes apparent and
- Damage from incorrect responses by untrained or badly trained staff.
In the organisations we have been advising, we have consistently found procedures that made data loss likely. In many cases such a data loss would have ruined the organisation, entirely regardless of the GDPR. Implementing the GDPR is an opportunity to minimise risks and to achieve greater security, also for your employees, with manageable and often affordable measures.
Article 83 describes the general conditions under which the authorities impose administrative fines. Measures taken to become GDPR compliant and to minimise possible damage to data subjects will reduce possible penalties from the authority. The GDPR explicitly requires that penalties be effective.
There is no official information about published penalties in Austria yet (November 2018), but it seems that the penalties imposed on SMEs have been up to 500-5.000 EUR. By comparison, Heathrow Airport in the UK was fined 120.000 GBP because one employee lost a USB memory stick with confidential information on it.
Under the GDPR, data subjects have a right to damages. Damages can also include a lawyer's fees.
Public awareness of data protection has risen under the GDPR. Failures of data protection have been reported in the media more often recently. News that an organisation is sloppy with data protection can be devastating for its reputation. A single employee who is not aware of data protection can cause extensive damage.
I am a small business owner and I am only issuing invoices, I don’t have a customer database, am I affected by the GDPR?
Yes, see "Am I affected by the GDPR?".
Basically, there is no need to send data to the authority. Not even your record of processing activities (ROPA) is automatically transferred to the authority.
The regulatory authority only demands that you document the processing of personal data and that you can provide that documentation on request. The authority does not thereby learn any specific data (e.g. names or email addresses).
Only in certain cases will the authority ask for specific data, e.g. if somebody files a complaint, the authority will ask for the data of that person so that it can verify the complaint.
The authority can demand access to all information necessary for the fulfilment of its tasks, can point out suspected infringements of the GDPR and can also prohibit a certain kind of processing.
The authority can ask for access to your records and can perform data protection audits on site.
In doing so, the authority also checks if
- the data is being processed in accordance with its purpose and fairly,
- the safety measures are state of the art,
- the staff handles data protection questions correctly,
- there are processes for the deletion of no longer needed data,
- …
Yes. Even data that is processed without automation is subject to the GDPR. Once you have sorted the data in one way or another, it is subject to the GDPR.
That means that the data subjects have the right of access. The files have to be secured appropriately and the data that is no longer needed has to be disposed of.
Appropriately here means, for example, that personnel files containing religious affiliation or union membership should be kept locked away.
Yes. Whether the GDPR applies to you does not depend on the size of your organisation but on whether you process, store or use personal data (e.g. names of your customers, telephone numbers or email addresses) in any way.
One-person enterprises also have to comply with the GDPR.
The risk for small businesses comes from possible indemnity claims and penalties arising from mishandled data subject requests and from the GDPR's documentation obligations.
You are not affected by the GDPR only if you use personal data exclusively in the private or domestic sphere.
The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. (Article 2)
The GDPR applies to all businesses, organisations, authorities, clubs and individuals that process personal data (outside the private or domestic sphere). These businesses, organisations etc. are called data controllers.
The GDPR applies to data controllers in the EU and to all personal data they process, including the data of persons who live outside the EU.
The GDPR applies to data controllers outside the EU only if they offer goods or services to data subjects inside the EU (regardless of whether the data subjects have to make a payment) or if they monitor the behaviour of data subjects as far as that behaviour takes place inside the EU.
Goods or services are being offered to persons inside the EU if it is recognisable that persons inside the EU are meant to be reached. Indicators are prices in EUR, a website in a language spoken mainly in the EU (such as German or Czech), or references to an EU country.
An example: a US organisation selling online classes with no visible relation to the EU is not subject to the GDPR, even if the online classes can be bought from inside the EU. If the organisation also prices the classes in EUR, then it is subject to the GDPR.
Yes, but …
For sending out birthday wishes you need the date of birth of your customers.
If you ask a new customer for their date of birth, you have to state that you want to use it for sending out birthday wishes. Additionally, providing the date of birth at the time of order must not be mandatory (unless you have another legal basis for the processing, e.g. the obligation to record the date of birth for overnight stays).
This way you obtain valid consent for processing the new data.
You can also use existing data for processing that the data subject can reasonably expect. If you sent out birthday wishes in the past, it is legitimate to assume that the data subjects expect this kind of processing, and you can continue to do so.
Make it easy for the data subjects to revoke the processing or to withdraw their consent.
If you have obtained the date of birth from a third-party source and there is no link to the data subject, sending birthday wishes is questionable from a data protection point of view.
If you have obtained the birthdays via a social network, you can use this information to send birthday wishes within that social network.
A birthday published on Facebook cannot automatically be used for institutional advertising. Where exactly the line is drawn has not yet been decided by the highest courts. One could argue that the data on Facebook is public.
Yes, but …
Under Article 14 you have to inform the data subject within 30 days that you are processing their data and where you obtained it. This also covers data gathered from public sources if the data subjects are not yet aware of that processing.
Additionally, you have to comply with the rules of the Telecommunications Act when contacting potential customers.
Furthermore, it has to be easy for the data subjects to object to this kind of processing.
A DPO has to be appointed in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity,
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
So, the appointment of a DPO is rarely mandatory in the UK, although you can always voluntarily appoint a DPO, even if you don’t need one.
Physicians do not need a DPO because working with medical data is not their core activity. Physician group practices and hospitals absolutely need a DPO.
No, and that is why WhatsApp should not be used in an organisation.
WhatsApp is a product of Facebook, and Facebook is certified under the US-EU Privacy Shield. So in theory, transferring data to Facebook or WhatsApp would be permitted.
In its terms of use, WhatsApp asks for permission to upload all telephone numbers and contacts stored on the mobile phone to Facebook/WhatsApp. Without this permission WhatsApp cannot be used. The data is used to identify people you know.
The problem is that the data of third parties is thereby also transferred to Facebook, even though those third parties may disapprove. This can directly affect those persons through the connections established from your and other people's address books, which is undesirable.
Another problem with WhatsApp is that its use is almost unavoidable in the private sphere (especially for groups in clubs, school classes, …). Once you use WhatsApp privately, your business contacts are transferred to Facebook as well.