GDPR Learning Hub

Personal Data - GDPR

The life cycle of personal data

To understand the meaning of the EU General Data Protection Regulation (GDPR), it is useful to understand the life cycle of personal data. All companies that process personal data belonging to individuals within the EU/EEA are subject to the GDPR, regardless of where the company is established. The GDPR is an EU regulation that came into force in 2018.

What is personal data?

When it is possible to link some type of data to a living natural person, the information in question is regarded as "personal data". The connection to the natural person can be either direct or indirect. An example of direct personal data is a name; an example of indirect personal data is the registration number of a privately owned car. Images, videos and audio recordings can also be personal data.

What is privacy-sensitive personal data under GDPR?

There are four groups of privacy-sensitive personal data in the GDPR, one of which constitutes sensitive personal data. Privacy-sensitive personal data are more important to protect than, for example, a first name. This means that privacy-sensitive personal data must be processed with a higher level of security. In addition, the company may be required to carry out an impact assessment before the processing begins, to determine whether the processing is allowed or not.

Prohibition of processing sensitive personal data under the general rule

The processing of sensitive personal data is not permitted under the general rule in Article 9 of the GDPR. However, there are some exceptions to the general rule. Examples of sensitive personal data are data that reveal information about a person's religious beliefs, political opinions or membership in associations.

Is data about a person's health sensitive personal data?

Yes, data about an individual's health is sensitive personal data. At the same time, it is one of the most common categories of sensitive personal data that companies process. For example, employers process information about employees' sick leave in order to calculate an accurate salary and fulfil their reporting obligations to the relevant authorities. However, the company should not send a payslip by unencrypted e-mail if the specification contains information about sick leave, as that channel is not sufficiently secure.

Three steps in the life cycle of personal data

There are three key steps in the life cycle of personal data, which are described below. 

Step 1: The company has access to the personal data

The first step in the life cycle of personal data is that the company collects the personal data. The collection must take place in accordance with the rules of the GDPR in order to be lawful and permissible. This means, among other things, that the company must:

  • Have a legal basis for the processing of the personal data: Any processing of personal data must rest on a legal basis in order to be lawful. There are a total of six legal bases to choose from in the GDPR, including consent, a contract with the data subject, and legitimate interest.
  • Inform the data subject about the processing of the personal data: Companies shall inform data subjects about the processing of their personal data. If the personal data are collected directly from the data subject, the information about the processing shall be provided at the time of collection. This includes information on the legal basis used by the company, the duration of the processing, the rights of the data subjects, etc. The information should be set out in a written privacy notice presented before the collection.

Step 2: The company processes the personal data

There is a lot that companies need to think about while processing personal data, i.e. in step two of the life cycle of personal data. Among other things, the company needs to:


Protect the personal data

The company must protect the personal data that is being processed. The more important the personal data, the higher the security requirements. In order to protect the personal data, the company must take appropriate organisational and technical security measures. Examples include implementing antivirus protection, taking backups, controlling access permissions, and creating a good security culture within the organisation.


Be able to fulfil the rights of data subjects

Data subjects have a number of rights under the GDPR, which companies need to be able to fulfil upon request. Fulfilment must take place within a certain period of time, normally within one month of receipt of the request. The company therefore first needs to know what rights the data subjects have, then inform the data subjects about them, and finally be able to fulfil them in practice. For this reason, it is good for companies to create internal procedures around this.


Draw up appropriate documents and agreements

The GDPR requires that companies be able to demonstrate that they comply with the GDPR in practice. This means, among other things, that the company needs to have appropriate GDPR-related agreements and documents, for example written internal procedures for how employees should act in the event of a personal data breach. In addition, the company must enter into written data processing agreements when engaging data processors. Companies may also need to document impact assessments for certain types of processing activities. Which documents and agreements a company needs depends on several factors, such as which processing activities the company performs and the extent of those activities.


Designate roles and train staff

Staff handle personal data within the business and therefore need to know how to do so in accordance with the GDPR. However, it is always the organisation itself, as the data controller, that bears the responsibility for the personal data, not the staff. In addition, it may be appropriate to assign roles within the company. For example, a large company with many departments may find it helpful to appoint data protection ambassadors. Some companies are also required to appoint a data protection officer.

Step 3: End of processing of personal data

Companies may not process personal data indefinitely. The general rule is that companies must delete or anonymise (i.e. erase) the personal data when they are no longer necessary for the purpose for which they were collected.

Exceptions to the general rule allowing longer storage periods

However, there are exceptions to the general rule which allow for longer retention periods. In some cases, legislation may require companies to continue processing personal data for a certain period of time, even though they no longer need the personal data for any other purpose. For example, companies must store billing information and receipts for a certain period of time in accordance with the national accounting act. Such processing is permitted, and the legal basis for the processing activity in these cases is legal obligation.

Other situations in which personal data are deleted

Data subject's request for erasure of personal data: Data subjects have the right to have their personal data erased upon request (also called the "right to be forgotten"). The erasure shall take place without undue delay, and at the latest within one month. However, this is not an absolute right, and it may be restricted in some cases:

  • For example, the company may continue to process the personal data, even after receiving a request for erasure from the data subject, if the processing activity is carried out in order to comply with a legal obligation incumbent on the company.
  • Exceptions also apply if the company needs to process the personal data in order to establish or defend legal claims.

Companies should create internal procedures for employees regarding the erasure of personal data

In order for the company to be able to ensure the correct erasure of personal data when they are no longer necessary, or in the case of a request for erasure, it is good practice to create written internal procedures.

The company must inform its employees how to carry out the erasure correctly, for example by compiling the information in written internal procedures. It is also helpful if the procedure specifies, for example, set dates each year on which all employees should erase personal data from the various storage locations.

Learn more about GDPR

Personal data may be subjective or objective in nature

When a person thinks about what personal data is, they usually think of objective personal data, for example a name, social security number or phone number. In other words, personal data of an objective nature is usually something that a person can readily identify as personal data. However, it is also important to know that there are personal data of a subjective nature.
