General note to the series “GDPR translated for Businesses”:

As is generally known, all-new European data protection legislation will come into force on 25 May 2018. As the General Data Protection Regulation (GDPR) will automatically apply in all member states, it is high time for all companies to assess its impact on their businesses and, if necessary, to prepare for its implementation.

This series of articles is written with practice in mind. Its purpose is to help companies understand the GDPR and to propose a road map towards the internal implementation of the GDPR in all departments of a business.


Preparation: How to assess personal data in a company?

I. Which Personal Data exist?

First of all, it is absolutely necessary to perform an inventory of all types of data collected in a company, from the reception area up to management. Please bear in mind that any information can be personal data if it relates to a natural person. The definition of personal data according to Art. 4 (1) of the GDPR is:

"any information related to an identified or identifiable person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

A person is also identifiable if additional information allowing his or her identification can be obtained without unreasonable effort (e.g. considering online information available on webpages).

Please find below some examples:

i. Reception area

  • Names and phone numbers of people contacting the company
  • Incoming mail / correspondence directory: names and addresses of senders who are natural persons.

ii. HR

  • Identification data of employees and candidates for certain positions
  • Copies of ID cards
  • Data regarding religious confession
  • Data regarding employees’ minor children
  • Access cards that allow the card user to be tracked
  • Time records
  • Biometric data (e.g. used for time and attendance recording)
  • Evaluations/assessments of employees.

iii. Legal

  • Information regarding parties in a litigation or arbitration procedure
  • Corporate documents providing data of natural persons who are organs of a company.

iv. Accounting

  • Data required for the issuance of invoices to natural persons or companies represented by natural persons such as name, personal identification data (e.g. address, ID card, personal identification number)
  • Bank accounts of natural persons.

v. Material agreements

  • Data related to individuals empowered to sign agreements (e.g. address, ID card, personal identification number)

vi. IT

  • Data processed through the company's own website
  • IP addresses
  • Cookies
  • Customers’ / clients’ accounts allowing identification of the natural person.

vii. PR

  • List of newsletter recipients (e-mail addresses)

viii. Video surveillance

  • Video cameras recording natural persons

ix. Car and person tracking by GPS

  • If the respective car can be linked to a natural person

x. Call center

  • Registrations of phone calls with natural persons
  • Identification of natural persons.

The list above may be extended depending on each business and its particularities. For this reason, it is extremely important to have all relevant persons of the business involved in this process, in order to make sure that no type of data has been missed.

A short example of unexpected data processing: during a phone call with a friendly client, an employee asks for personal data about the caller's minor children (name, surname, date of birth etc.), although he/she is not required to do so, in order to send a Christmas or birthday card with colored and animated figures. Despite the undoubtedly good intention, such situations have to be assessed from a data protection perspective.

II. What to do afterwards?

Once it has a clear overview of the personal data collected, each business must answer the following questions:

a. Where do the data come from?

b. Why / where were such data collected?

c. For how long must the data be stored?

d. Was there a transfer of data?

We will detail the above questions in our next article.

Note: After listing every type of personal data existing in the business, the final verification of the personal data must be customized for each field of activity / business area. For this purpose, both experience from inside the business and legal know-how have to be combined. This requires close cooperation between the persons pertaining to the respective business and specialized counsel.