Info about GDPR
Processing of personal data in connection with the company's communication
Processing of personal data in connection with the company’s communication with data subjects is often necessary, and also very common. This applies to both internal communication within the company (for example, to employees) and external communication outside the company (for example, to customers, suppliers or other business partners).
Processing of personal data in connection with the company's communication with data subjects must be carried out in accordance with the applicable rules
The rules regarding the processing of personal data in connection with the company’s communication with data subjects differ, depending on the type of company and what the communication is about.
For example, there is a difference between several doctors communicating with each other by email about their patients and a start-up that builds websites sending marketing messages to potential customers. The more sensitive the personal data, the greater the requirements for a secure communication route.
Company's communications with data subjects via email
Email is a common communication channel for businesses, both for internal and external communication. For example, employees use email to communicate internally with other employees, or the company publishes an email address on its official website that customers can use to send questions to customer service.
What legal basis should be used for marketing emails?
The processing of personal data in connection with the company’s communication with data subjects must be based on a legal basis pursuant to Article 6 of the GDPR. It is common for companies to use either consent or legitimate interest as the legal basis when sending e-mails for marketing purposes. Please note that the company must stop sending e-mails if the data subject so requests, in accordance with the data subjects’ rights under the GDPR.
What recitals in the GDPR mention direct marketing?
Recital 47 of the GDPR expressly states that the processing of personal data for the purposes of direct marketing may be regarded as carried out for a legitimate interest. Note, however, that national marketing laws may separately impose consent requirements for direct marketing by email to potential new customers.
Recital 70 of the GDPR states that the data subject shall have the right to object to the processing at any time, free of charge, when the data subject’s personal data are used for direct marketing purposes. In addition, this right should be explicitly communicated to the data subject and presented clearly and separately from other information.
Is it allowed to send payslips by e-mail?
The short answer to the question is: it depends. If the payslip contains sensitive personal data, the employer must not send it to the employee by unencrypted email. Sick leave is an example of sensitive personal data within the meaning of Article 9 of the GDPR, since it constitutes data concerning health. It is also personal data that companies usually need to process in order to pay the correct salary, and therefore such information is usually shown on the payslip. Note that a payslip may be sent by encrypted email, provided the encryption is deemed sufficiently secure for the exchange to constitute a secure email communication.
Processing of personal data in the Human Resources (HR) department
All personal data processing requires support on a legal basis
It is important to keep in mind that all processing of personal data requires a legal basis to be lawful under the GDPR. A great deal of personal data processing takes place within the human resources department, also known as the HR department. The purpose of an HR department is, among other things, to support the business on operational, administrative and strategic issues relating to the company's personnel.
The HR department processes personal data in connection with the recruitment of employees, during employment, in the development of skills and after the termination of the employee's employment.
How long should the personal data of the jobseeker or employee be kept by the company?
The main rule of the GDPR is that the personal data shall not be processed longer than necessary for the purpose for which they were collected. If a person does not get a job after submitting a job application with their CV to the company, it is usually not necessary for the company to continue processing the personal data. The company should thus delete the received CV as well as any related emails (if it was the chosen communication route with the job seeker).
However, there may be situations where the company needs to keep the personal data longer. For example, the company may continue to store a former employee's personal data after termination of employment in order to be able to provide a future reference, or to the extent that continued storage is required by applicable law. Many national labour laws lay down specific retention periods, and in such cases the processing takes place on the basis of a legal obligation.
Personal data of a subjective nature is often perceived by the data subject as more privacy-sensitive
There is a difference between personal data of a subjective nature and personal data of an objective nature. Personal data of a subjective nature is, for example, a diagnosis from a doctor, a grade from a teacher or a documented assessment from an employee appraisal in a company. It is important to bear in mind that the data subject may perceive personal data of a subjective nature as more privacy-sensitive. Therefore, the company needs to process such data with greater security.
Before the employment
The employer processes the personal data of the jobseeker before the employment, when the jobseeker contacts the company to apply for a job. For example, by answering a job ad or by sending a spontaneous application for employment to the company by email.
During employment
The employer processes many different categories of employees' personal data while the employment is ongoing. Note that some of them are sensitive or subjectively privacy-sensitive personal data, for example information about employees' sick leave, rehabilitation plans, and assessments and documentation of work performance.
Skills development
It is not uncommon for employers to retain certain data and documented employee interviews for skills-development purposes. Such data may be perceived as privacy-sensitive. It is therefore important to process them with greater security and to be extra careful to delete them when they are no longer necessary.
Processing of personal data in connection with the company's communication with data subjects via social media
Social media is an important part of the marketing work for many companies, and processing of personal data in connection with the company's communication with data subjects via social media is common. It is therefore good to know the rules that apply when processing personal data via social media.
Unfortunately, many companies that process personal data via social media believe that they have no responsibility for the processing, since they assume that only the platform providers are responsible. This is not true. The company also bears responsibility for its own processing of the personal data, even if the processing takes place within a social media platform provided by a third-party provider.
Is the company responsible for the deletion of personal data that appears in the company's social media account?
Yes, the company is responsible for all processing of personal data the company performs via social media, including the deletion of personal data when it is no longer needed. This includes everything from pictures or videos of people that the company publishes on its social media, to comments on the company’s posts and chats in the company’s social media inbox. Among other things, the company needs to ensure that old chats with data subjects via social media are deleted when they are no longer necessary for the company to process.
Rules applicable to companies profiling customers through social media
It is important to keep in mind that companies should know how platform providers act and handle personal data before they start using their social media platforms. This is because the company and the platform provider in question may have a so-called joint controllership in certain cases. This was confirmed in a judgment of the Court of Justice of the European Union against Facebook. Rules on joint controllership are further regulated in, inter alia, Article 26 of the GDPR and Recital 79 of the GDPR.
Processing of personal data in connection with the company's communication with data subjects via the company's website
Many companies process personal data through their websites, for example through cookies, when they receive requests via contact forms on the website, or if they operate a login system or similar. The starting point is that the more sensitive the personal data, the higher the security requirements. For example, there is a difference between a company using cookies to analyse how the website is used and a company selling goods online, where the buyer enters a credit card number that is then stored on the company's web servers.
A common mistake that companies often make on their website
Many companies have a contact form on their website that visitors can use to contact the company. For example, to ask questions, request a quote or similar. It is common for the visitor to need to fill in their name, e-mail address and possibly more contact information in the form. Many times, the majority of the fields in the form are also mandatory to fill in, in order for the message to be sent.
When the message is sent to the company via the form, the personal data is processed by the company. Therefore, the company must inform the data subject about the processing. A common mistake that companies make is not to inform about the processing in accordance with Article 13 of the GDPR. The information shall be provided in connection with the collection of the personal data, before the personal data is sent to the company, by the company presenting its privacy notice to the visitor.
Many websites use and store cookies on the visitor's device, which may constitute personal data and are therefore subject to the GDPR. In order to process non-essential cookies, such as for marketing purposes, the visitor’s active consent is required. In addition, the company must meet the information requirement. Among other things, the company must present a cookie notice on its website, with information about what cookies are, how they are used by the website, etc.
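The consent gating described above for non-essential cookies, together with the consent-withdrawal setting mentioned in the section on online services below, as an added JavaScript example that is not part of the original page: the cookie names (`session_id`, `analytics_id`, `ad_tracker`), the `cookie_consent` storage cookie and the category labels are assumptions, and the in-memory cookie jar stands in for `document.cookie` so the code runs offline. The point it shows is that consent is the default-off state (nothing is pre-ticked), every cookie write goes through one choke point that refuses unclassified cookies, and withdrawing consent actually deletes the cookies already set rather than only updating a flag.

```javascript
// Added example (not from the original page): gating non-essential cookies
// behind an explicit opt-in and removing them again on withdrawal.
// Cookie names, the consent cookie name and the category labels are
// assumptions for illustration.

const ESSENTIAL = "essential";
const ANALYTICS = "analytics";
const MARKETING = "marketing";
const UNCLASSIFIED = "unclassified"; // never consentable: fail closed
const CONSENT_COOKIE = "cookie_consent";

// Every cookie the site sets is classified up front (assumed names).
// A cookie missing from this table is UNCLASSIFIED and will be refused,
// so a new tag added without review cannot bypass the consent check.
const COOKIE_CATEGORIES = {
  session_id: ESSENTIAL,       // keeps the visitor logged in
  [CONSENT_COOKIE]: ESSENTIAL, // stores the visitor's own choice
  analytics_id: ANALYTICS,
  ad_tracker: MARKETING,
};

function categoryOf(name) {
  return COOKIE_CATEGORIES[name] || UNCLASSIFIED;
}

// In-memory stand-in for document.cookie so the example runs offline in
// Node; in a browser, set() and remove() would write document.cookie.
function createCookieJar() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    get: (name) => jar.get(name),
    has: (name) => jar.has(name),
    remove: (name) => { jar.delete(name); },
    names: () => [...jar.keys()],
  };
}

// No recorded choice means no consent: nothing is pre-ticked. Only a
// literal `true` counts, so a corrupt or tampered record fails closed.
function readConsent(jar) {
  const none = { [ANALYTICS]: false, [MARKETING]: false };
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return none;
  try {
    const parsed = JSON.parse(raw);
    const cats = (parsed && parsed.categories) || {};
    return {
      [ANALYTICS]: cats[ANALYTICS] === true,
      [MARKETING]: cats[MARKETING] === true,
    };
  } catch {
    return none; // unparsable record is treated as no consent
  }
}

// Records the visitor's explicit choice with a timestamp. Any category
// left out or set to anything other than `true` is treated as declined.
// Cookies in declined categories are deleted, which is what makes
// withdrawal effective rather than cosmetic.
function recordConsent(jar, choices, timestamp) {
  const categories = {
    [ANALYTICS]: choices[ANALYTICS] === true,
    [MARKETING]: choices[MARKETING] === true,
  };
  jar.set(CONSENT_COOKIE, JSON.stringify({ categories, timestamp }));
  for (const name of jar.names()) {
    const cat = categoryOf(name);
    if (cat !== ESSENTIAL && categories[cat] !== true) jar.remove(name);
  }
  return categories;
}

// The single choke point through which all cookie writes should go.
// Returns true if the cookie was set, false if it was refused.
function setCookie(jar, name, value) {
  const cat = categoryOf(name);
  if (cat === ESSENTIAL || readConsent(jar)[cat] === true) {
    jar.set(name, value);
    return true;
  }
  return false;
}

// Walks through the lifecycle: landing, opting in, then withdrawing.
function demo() {
  const jar = createCookieJar();
  const beforeConsent = setCookie(jar, "ad_tracker", "abc");  // false: no choice yet
  const essential = setCookie(jar, "session_id", "s1");       // true: always allowed
  recordConsent(jar, { [MARKETING]: true }, 1700000000000);    // marketing only
  const afterConsent = setCookie(jar, "ad_tracker", "abc");   // true
  const analytics = setCookie(jar, "analytics_id", "a1");     // false: not consented
  const unknown = setCookie(jar, "new_pixel", "p1");          // false: unclassified
  recordConsent(jar, {}, 1700000000001);                      // withdraw everything
  return {
    beforeConsent, essential, afterConsent, analytics, unknown,
    trackerAfterWithdrawal: jar.has("ad_tracker"),            // false: deleted
    sessionAfterWithdrawal: jar.has("session_id"),            // true: essential stays
  };
}
```

In a real site the cookie notice would call `recordConsent` from its opt-in and withdrawal controls, and every script that sets a cookie would be routed through `setCookie`; the table of classified cookies is the artefact worth keeping under review, since anything not in it is refused.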
Processing of personal data by companies providing online services
Companies subject to the GDPR that provide online services almost always process personal data. Examples of such services are social media, search engines and e-commerce platforms. In such cases it is important to adapt the online service to the GDPR, for example by introducing settings that let users withdraw their consent. In addition, it is not uncommon for companies operating online services to process the personal data of children, in which case the rules under the GDPR are even stricter.