Processing of personal data online

Companies often carry out processing of personal data online. Many people around the world are online on various digital platforms in their everyday lives, ranging from young children to older people.

GDPR Online

The internet has become a huge and important part of our daily lives. We use the internet and digital platforms for various things, such as paying bills, ordering things, communicating with friends and much more. When an individual does this, their personal data is processed by different actors, in different ways and for different purposes. 

GDPR is an EU regulation that regulates how personal data may be processed, for example if they belong to an individual who is residing in the EU. A starting point for companies subject to the GDPR is to keep in mind that the more important the personal data, the higher the requirements. 

Online services

In principle, companies that provide online services always carry out processing of personal data online. Examples of online services are social media, e-commerce platforms and search engines. It is important to keep in mind that many children use the internet and online services of various kinds, such as games or social media. When children use online services, the rules are stricter regarding the processing of children’s personal data. 

Children have stronger protections under, among other things, GDPR

As children are a group of data subjects that are extra worthy of protection, they are more protected than adults under the GDPR. This is due, among other things, to the fact that children may find it more difficult to understand the safeguards, consequences, risks and rights they have in relation to the processing of their personal data. Recital 38 of the GDPR deals with this point in more detail. 

The age limit for a valid consent from a child

According to the GDPR, a child who has reached the age of 16 may give valid consent for the processing of his or her personal data. However, Member States have the right to lower the age limit under Article 8 of the GDPR. In Sweden, the age limit is lowered to 13 years, which is the minimum age limit. On the other hand, it is apparent from recital 38 of the GDPR that the consent of a child’s legal guardian should not be required for advisory or preventive services offered directly to children, for example advice on addiction, crises or other forms of online helplines for children and young people.

Always consider the UN Convention on the Rights of the Child

All EU countries have adopted the United Nations Convention on the Rights of the Child (UNCRC). In addition, several countries, such as Sweden, have adopted it as national legislation. It is good for companies to always have the Convention on the Rights of the Child in mind when creating an online service aimed at children. 

Data protection by default and data protection by design

It is important to have data protection by design, as this is a requirement for data controllers under Article 25 of the GDPR. It does not matter if it is a startup or a multi-billion dollar company. In short, this means that all companies must work actively to comply with the requirements of the GDPR. This means, among other things, that companies must: 

Implement and offer data protection-friendly settings, such as giving the user an opportunity to withdraw their consent. It must be as easy to withdraw as to give consent, in accordance with Article 7(3) of the GDPR.

Have a legal basis for each individual processing in accordance with Article 6 of the GDPR.

Comply with the seven basic data protection principles pursuant to Article 5 of the GDPR.

Take adequate organisational and technical security measures in accordance with Article 32 of the GDPR.

Cookies

Many websites and applications use cookies, which can lead to the processing of personal data online. Cookies are small text files that are stored on the device used when visiting the website or application (such as a computer, mobile phone or tablet). There are basically two types of cookies: essential cookies and non-essential cookies, and the rules differ between them. In the EU, both the GDPR and the ePrivacy Directive form the basis for the central legislation on cookies.

Requirements for processing essential cookies

Essential cookies, also known as “necessary cookies”, may always be used without the user’s prior consent. However, it is important to bear in mind that these cookies must be strictly necessary to enable the provision of a service or function that the user has requested, for example a cookie that allows an e-commerce platform to remember what the user has added to their shopping cart so that the purchase can be completed.

If a company only uses essential cookies, the company should publish and present a cookie notice to the user. However, the company does not need to install a cookie plug-in to request consent for these cookies.

Requirements for processing non-essential cookies

If the company wishes to use non-essential cookies, the following applies:


Consent

The company must obtain the explicit, active and voluntary consent of the user regarding the use of non-essential cookies. This means, for example, that a consent box should not be pre-ticked. In addition, it should be as easy for the user to withdraw the consent as to give it.


Information requirements

The user should be informed about the processing and about which specific non-essential cookies the company wants to use. The simplest way to do this is for the company to publish the information in a cookie notice. Examples of what should be stated are which cookies are used, what their function and purpose is, how long they are stored, how the user can revoke the consent, etc.
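As an added example, not from this page, the following JavaScript consent gate applies the rules above: essential cookies are set without consent, non-essential cookies only after an explicit, active choice (no pre-ticked default), and withdrawal is one call that also deletes what was set. The cookie names, purposes, lifetimes and the Map-based jar are constructed stand-ins for a real site's cookies and document.cookie.

```javascript
// Added example (not part of the GDPR Learning Hub page): a consent gate for
// essential vs. non-essential cookies. The cookie inventory and the Map used
// as a jar are constructed stand-ins for document.cookie so it runs in Node.

// Constructed cookie inventory; this is also the source for the cookie notice.
const COOKIE_POLICY = {
  cart_id:      { essential: true,  purpose: 'remembers the shopping cart', lifetime: 'session' },
  session_id:   { essential: true,  purpose: 'keeps the user logged in',    lifetime: 'session' },
  analytics_id: { essential: false, purpose: 'usage statistics',            lifetime: '13 months' },
  ad_id:        { essential: false, purpose: 'marketing profile',           lifetime: '6 months' },
};

class ConsentGate {
  constructor(policy) {
    this.policy = policy;
    this.jar = new Map();   // stands in for document.cookie
    this.consent = null;    // null: the user has not made any choice yet
  }
  // No pre-ticked box: "no choice recorded" is treated exactly like "declined".
  hasConsent() { return this.consent === true; }
  giveConsent() { this.consent = true; }
  // Withdrawal must be as easy as giving consent: one call, and it removes
  // every non-essential cookie already stored, not just future ones.
  withdrawConsent() {
    this.consent = false;
    for (const [name, meta] of Object.entries(this.policy)) {
      if (!meta.essential) this.jar.delete(name);
    }
  }
  // Returns true if the cookie was stored, false if it was refused.
  setCookie(name, value) {
    const meta = this.policy[name];
    if (!meta) throw new Error(`cookie "${name}" is not listed in the cookie notice`);
    if (!meta.essential && !this.hasConsent()) return false;
    this.jar.set(name, value);
    return true;
  }
  // One line per cookie for the cookie notice: name, purpose, lifetime, class.
  noticeLines() {
    return Object.entries(this.policy).map(([name, m]) =>
      `${name}: ${m.purpose}; kept ${m.lifetime}; ` +
      (m.essential ? 'necessary, no consent required' : 'optional, set only with your consent'));
  }
}
```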

Communication

Companies communicate a lot digitally and also store personal data digitally on various platforms for different purposes. For example, personal data is processed online when the company’s employees send e-mails, save customers’ phone numbers in the CRM system, receive CVs from potential employees and much more. Therefore, it is good for business owners and employees to know the rules of the GDPR, so as not to violate the regulations and risk the company being ordered to pay large fines.

E-mail

Although there are no specific provisions in the GDPR regarding the processing of personal data when using e-mail, there are many general rules that the company must keep in mind. E-mails usually contain personal data, and thus the GDPR applies.

For example, the e-mail address itself may be personal data if it contains a first name and/or last name. In addition, an e-mail itself may contain personal data, such as the sender’s contact details (address, telephone number, e-mail address), or other individuals’ personal data appearing in an attached document or similar.

Can the employer send pay slips to the employees by e-mail?

If the pay slip contains information about sick leave or other sensitive personal data pursuant to Article 9 of the GDPR, the employer shall not send it by unencrypted e-mail. Please note that it may be allowed to do so if the e-mail is encrypted. The reason the company should not send it via unencrypted e-mail if it contains sensitive personal data is that unencrypted e-mail is not secure enough. In other words, security requirements are higher when processing sensitive personal data, which pay slips usually contain.

Human Resources (HR)

Companies process personal data regularly in their HR work. This occurs, for example, from the time the company receives a CV from a job seeker, and is ongoing throughout the employment period for the fulfilment of the employer’s labour law obligations, as well as for a certain period of time after the termination of the employment. 

Subjective assessments may be more privacy-sensitive

Companies may wish to process personal data that are linked to the employee’s performance and that may be subjective in nature, for example whether an employee is good at his or her job, in order to act as a future reference or to see who is suitable for promotion.

Websites

The rules regarding the processing of personal data online via websites can be complicated, as it can be done in different ways and for different purposes. 

Do not forget to inform the data subject about the processing

Many websites publish a contact form that users can use to contact the company directly. It is often mandatory for the user to fill in their name and e-mail address, possibly even phone number, in order for the company to be able to reply to the message. These types of data constitute personal data under the GDPR. A mistake that many companies make is that they forget to inform the user about the processing before the user sends the message to the company.

Key trade-offs

Freedom of expression

Many countries have a freedom of expression law, and where it has constitutional status, as in Sweden, the constitution takes precedence over the GDPR in some respects. For example, if a company has received a so-called voluntary publication certificate in Sweden, the company is allowed to process personal data in a way that would otherwise be contrary to the GDPR.


Journalistic purposes

The rules for the processing of personal data for journalistic purposes are different from those for ‘ordinary companies’.


Marketing, sales, social media or similar

If a company in the EU has published a website to conduct sales of its goods or services, carry out marketing or similar, or uses social media to communicate with potential customers, the GDPR applies to the company.

According to the GDPR, the rules differ depending on the purpose of the processing, who the data subject is, how the processing takes place in practice, through which channels, etc. Therefore, it is important to keep in mind that there are specific rules and exceptions that may apply. In other words, the rules are not the same if a company processes personal data to carry out marketing or if it does so for journalistic purposes. 

Info about GDPR

Different roles in GDPR

It is important to know the different roles within the GDPR, as the rules differ between the roles. For example, it is important to know who is the controller or processor for a processing operation, what the role of the data protection officer entails and which supervisory authority is the company’s lead supervisory authority. It is the controller who determines the purpose of the processing of personal data. The entity that processes personal data on behalf of the controller and in accordance with its instructions is the processor, for example an accounting firm that processes the personal data of the customer company’s employees to make wage payments to the employees on behalf of the customer company.
