General note to the series “GDPR translated for Businesses”:

As generally known, an all-new European Data Protection legislation will come into force on 25 May 2018. As the General Data Protection Regulation (GDPR) will automatically apply in all member states, it is high time for all companies to assess its impact on their businesses and, if necessary, to prepare for its implementation.

This series of articles is drafted for the practice. Its purpose is to help companies understand the GDPR and to propose a road map towards the internal implementation of the GDPR in all departments of a business.

PART 2

Preparation: tracking personal data within the company

After an inventory of all types of data collected in a company (see previous article), it is very important for each company to understand how and why personal data are collected. This is necessary in order to comply with the newly introduced accountability principle of the GDPR, which requires that each company be fully able to demonstrate that all legal data protection rules are implemented and followed by both the company itself and its employees.

The following questions must be answered:

I. Where do the data come from?

In practice, a company can obtain personal data from different sources. In the usual case, the data holder himself provides his data either directly or indirectly (e.g. the parents for children). However, cases are possible in which personal data are provided differently, e.g.

  • Automatically, by technical means – IP, other online identifiers, telephone number on display, video capture
  • From another department of the same company – e.g. if an employee from the HR department provides the accounting department with information on the state of health of an employee
  • From business partners or official documents.

II. Why were such data collected?

Once a complete list of personal data is prepared and the sources are identified, one must raise the question why the collection took place. Usually, a company collects personal data in order to:

  • Comply with legal requirements (e.g. the accounting department uses some personal data of clients for invoicing, of employees for payroll purposes, etc.),
  • Fulfil contractual obligations (e.g. a transport company needs to collect the personal data of the recipients)
  • Prepare marketing actions (e.g. sending newsletters to clients on new products)
  • Keep a statistical track of clients and profiling (e.g. if a company has an online shop and uses cookies or GoogleApps)
  • Understand the clients´ needs better and enhance its own products (e.g. sending samples and questionnaires to clients)
  • Screen the suppliers for the purposes of its own business (e.g. keep track of a contract history with the supplier, its representatives and contact data)
  • Keep a database of potential employees (e.g. retain CVs received by e-mail)
  • Assure the security of the premises (e.g. keeping records of the security cameras).

Personal data must not be collected without a reason or “just in case”.

From a legal point of view, all the above mentioned aspects are linked to the lawfulness of processing, which will be detailed in our next article.

III. Where/ for how long must the data be processed?

Irrespective of the purpose/ lawfulness of data processing, each category of data needs to be verified in the light of the technical measures for processing (including storage) and the period of such processing.

As a general rule, one should not process personal data for a longer period than required. There are, however, legal provisions stating that certain personal data need to be retained for an extremely long period of time (e.g. 50 years for payroll information).

Each company has to verify internally if:

  • The personal data are still needed,
  • The processing is compliant with the GDPR as regards security, confidentiality, access,
  • The data are accessed by empowered persons in a timely manner in case of technical events,
  • The data processing is regularly tested in order to assure the above mentioned compliance.

IV. Was there a transfer of data?

Personal data may (partially) be transferred to third parties, e.g. to other group companies or contractual partners. Please note that there is a broad understanding of the term “transfer”. In practice, even the access of an HR colleague from the mother company to the personnel files is considered a transfer of data and has to be disclosed to the employees.

In cases of transfer, a company must make sure that the recipient complies with the same set of rules. This is an explicit legal obligation, and the company is liable if the contractual partners do not comply with the data protection principles. Hence, all the contracts with suppliers (IT, security services) have to be checked and adapted to the provisions of the GDPR.

Note: as soon as the business has been X-rayed and all the aforementioned pieces of information have been obtained, the field preparation is finished for the company. The next step consists in assessing, together with IT and legal counsels, whether and how the data processing within the company has to be adjusted in order to comply with the GDPR