GDPR - Business life
More about personal data within the business sector
Processing of personal data within the business sector is common. In addition, data, which often consists of personal data, has become increasingly important for companies to process. For example, companies process personal data in order to further develop their products or adapt their marketing.
Processing of personal data in schools
Schools process personal data in their operations, whether they are public or private. In addition, many schools have pupils who are children, which means stricter rules under the GDPR, because children are a group that merits extra protection. Some personal data processed in school activities is also subjective in nature, and such data is often more sensitive than data of an objective nature. One example of personal data of a subjective nature is students’ grades.
Teachers are not responsible for the correct processing of personal data
It is the school itself, i.e. the controller, that is responsible for ensuring that the processing of personal data takes place in accordance with the GDPR and other applicable laws and regulations. However, teachers process personal data in their work. Therefore, it is important that the school provides them with relevant information and education, so that they carry out the processing operations in accordance with the GDPR. If a teacher violates the GDPR when processing personal data, it is the school that can be held responsible for the non-compliance and any consequences thereof.
Associations processing personal data
Associations that are subject to the GDPR and process personal data, such as keeping a member register containing members’ data, must comply with the rules of the regulation. This applies regardless of whether it is a smaller or larger association.
Trade union membership constitutes sensitive personal data
It is important to bear in mind that information about an individual’s membership in a trade union constitutes sensitive personal data within the meaning of Article 9 of the GDPR. Therefore, it is important to follow the stricter rules if the association is a trade union. Under the general rule in Article 9 of the GDPR, processing sensitive personal data is forbidden, but there are some exceptions.
Membership exemption
Although the general rule prohibits the processing of sensitive personal data, such as information about an individual's religious beliefs, political opinions or trade union membership, such processing may be permitted. If membership of a political association, religious association or trade union itself reveals sensitive personal data, the processing is permitted provided that the association complies with the other rules and conditions.
Processing personal data for research purposes
It is not uncommon to process personal data for research purposes, and there are special rules in the GDPR for such processing. Among other things, the party processing personal data for research purposes must take appropriate technical and organisational security measures to protect the personal data. One example is pseudonymisation of personal data. In addition, there is a difference between processing personal data for scientific research purposes and for historical research purposes.
Joint controllership is common
Research institutions usually collaborate with other institutions, and in some cases they carry out research projects together. In such cases, it is important to clarify the relationship between the parties and their responsibility for the processing of personal data. Among other things, it is good to clarify the following issues:
- Are both institutions joint controllers, or are the respective institutions autonomous controllers?
- Can there be a data processor relationship between the institutions that cooperate in the research in question?
Processing of personal data for statistical purposes
Companies may need to process personal data for statistical purposes. Such processing often takes place in an aggregated format. Aggregated data can no longer be linked to an individual, and thus such data is no longer classified as personal data.
The definition of statistical purposes in the GDPR
According to the GDPR, statistical purposes mean that a company processes personal data that is necessary to produce statistical results. The same applies to statistical surveys. According to recital 162 of the GDPR, a statistical purpose means that the result of the processing does not consist of personal data, but of aggregated personal data, and that the result will not be used to support decisions or actions regarding a specific individual.
General Data Protection Regulation
Different roles that companies can have under GDPR
A company that processes personal data is either a data controller or a data processor. It is the controller who determines the means and purposes of the processing. A processor processes the personal data on behalf of and in accordance with the instructions of the controller. One example is a company (data controller) that hires an accounting firm (data processor) to handle payroll. In addition, some companies may need to appoint a data protection officer (DPO).