GDPR - Business life
Processing personal data in business
Companies usually process personal data in their business operations. Personal data may belong to external parties, such as suppliers, customers and partners, as well as internal parties, such as company employees.
Personal data processing is common in business
Companies that process personal data within the EU must comply with the GDPR. The regulation applies not only to companies established in the EU, but also to companies established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3 GDPR). Processing personal data is often a necessary part of running the business.
Examples of processing in business
- Home address of customers who order goods from an e-commerce site, in order to carry out home delivery of purchased products.
- Employee’s name, social security number and bank account number to be able to pay the salary.
- Camera surveillance at reception, as an additional security measure.
Roles in GDPR
There are several roles in the GDPR that it is useful to know: who the controller and the processor are, which actors must appoint a data protection officer, who can be a data subject, and what the national data protection authorities do. Below is a brief summary of this, among other things.
Controller
It is the controller who determines the purposes and means of the processing, that is, why the personal data are processed and how the processing is carried out, including for how long the data are kept. A company, authority or other form of organisation may be the controller. Individuals may also be controllers in certain cases.
Responsible for the processing under the GDPR
The controller is responsible for ensuring that the processing is carried out correctly in accordance with the rules of the GDPR. However, processors also have a responsibility for their processing of personal data, which is carried out on behalf of the controller.
The controller is usually the organisation itself, and not a specific person such as the owner or an employee. In some cases, however, an individual may be the controller, for example where the processing is carried out by a sole trader or a private individual.
Some frequently asked questions about data controllers
Can a company let someone else carry out the processing?
Yes, a company may let someone else perform the processing of personal data on its behalf, in accordance with the GDPR. However, the responsibility for the personal data and the processing cannot be transferred. Only the performance itself can be delegated, for example to a hired data processor.
Can two or more companies be jointly responsible?
Yes, two or more companies may be joint controllers. Note that it is important to regulate the relationship in a written arrangement, for example who fulfils which obligations, so that the GDPR is not violated (Article 26 GDPR).
What applies to employees who process personal data in their work?
Employees shall not process personal data contrary to the instructions given by the controller. It is therefore important to create written and clear procedures that staff follow when processing personal data in practice.
Processor
When an actor processes personal data on behalf of another actor, it does so in the role of processor. In other words, the processor processes personal data on behalf of, and in accordance with the documented instructions of, the controller.
Examples of situations where companies tend to be data processors
Cloud storage
Cloud storage: Many companies use cloud storage to save various digital files online, such as contracts, images, videos and/or backups. These files may contain personal data. In such cases, the cloud service provider processes the personal data on behalf of its customers and thus acts as a processor when it processes the personal data stored in its service in connection with providing the service. Note that this only holds as long as the provider processes the data on the customer's instructions; if the provider uses the data for its own purposes, it becomes a controller for that processing.
Accounting firms
Accounting firms: When a company hires an accounting firm to manage accounting, invoicing, payroll, etc., the accounting firm will have access to personal data in the performance of its duties. For example, names and any information about sick leave appear in the employees' pay slips, which the accounting firm may be commissioned to create and send to the employees. Thus, the accounting firm processes personal data on behalf of the company that hired them, in order to be able to fulfil the assignment.
CRM system
Companies that have many employees and customers usually have a CRM system in which contact details and other personal data are stored. When the CRM system is provided as a service, the company that operates the system processes those personal data on behalf of the company that uses the service, and is therefore a processor in its processing of such personal data.
Some frequently asked questions about data processors
Who can be a processor?
Both natural and legal persons can be processors. In other words, companies, organisations, authorities and private individuals.
Can a processor be fined?
Yes, processors can be fined if they violate the GDPR. In addition, they may be liable to data subjects in accordance with Article 82 GDPR.
Can a processor engage a sub-processor?
The processor must first obtain the controller's prior written authorisation, which may be specific or general, before engaging a sub-processor (Article 28(2) GDPR). If authorisation is obtained, the processor and sub-processor shall also enter into a data processing agreement with each other that imposes the same data protection obligations as the agreement between the controller and the processor (Article 28(4) GDPR).
Must a data processing agreement be in writing?
Yes, data processing agreements must be in writing, including in electronic form, in accordance with Article 28(9) GDPR. Article 28(3) also sets out the content the agreement must have. In other words, verbal data processing agreements do not meet the requirements and are thus in breach of the GDPR.
Data Protection Officer
Some companies are required to have a data protection officer under the GDPR (Article 37). Companies that are not required to appoint one can do so voluntarily as a good practice measure; a voluntarily appointed data protection officer is subject to the same rules on position and tasks as a mandatory one.
What data protection officers should do
Data protection officers monitor the company's compliance with the GDPR. The role may be held by an employee, but it does not have to be. The data protection officer shall, among other things, inform and advise on the company's processing of personal data, check the organisation's internal control documents such as internal procedures, collect information about the company's processing, and act as the contact point for the data protection authority (Article 39 GDPR). A data protection officer thus plays an important role in the data protection work of the business.
Right to contact the data protection officer
Data subjects have the right to contact the data protection officer with questions about the processing of their personal data. This includes not only customers and external people, but also the company's employees. The contact details of the data protection officer shall be published, usually in the privacy notice on the company's website, and the company must communicate them to the national data protection authority (Article 37(7) GDPR).
Here are some common questions about data protection officers
Is the data protection officer personally responsible for the company's processing?
No, the data protection officer has no personal responsibility for how the company processes personal data. It is the party for whom the data protection officer works that is responsible for ensuring that its processing complies with the GDPR. In addition, the data protection officer may not be dismissed or penalised for performing his or her tasks (Article 38(3) GDPR).
What knowledge and skills should a data protection officer have?
- Knowledge of the GDPR and any additional relevant national data protection legislation.
- Knowledge of the business: how the personal data processing takes place and what technical and organisational security measures the company has taken.
- The ability to disseminate appropriate information and to create a good data protection culture within the business.
Must the data protection officer be an employee?
No, a data protection officer does not need to be employed by the company. The data protection officer may be an external actor or an employee. The individual acting as data protection officer may also have other tasks in parallel, as long as they do not conflict with the role of data protection officer (Article 38(6) GDPR).
Should the data protection officer be involved in impact assessments?
Yes, when a company carries out a data protection impact assessment, it shall seek the advice of the data protection officer (Article 35(2) GDPR). The same applies if the company is considering whether an impact assessment is needed.
Data subject
It is important to know what a data subject is and what rights data subjects have, in order to comply with GDPR in practice.
Rights of data subjects
Data subjects have several rights under the GDPR. It is common to speak of eight fundamental rights, set out in Articles 13-22 GDPR: the right to be informed (Articles 13-14), the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21) and the right not to be subject to solely automated decision-making (Article 22).
Frequently asked questions regarding data subjects under GDPR
Can a data subject claim damages?
Yes, data subjects may be entitled to compensation under Article 82 GDPR. Note that compensation is not the same as a fine. The data subject must have suffered material or non-material damage as a result of an infringement; a mere infringement does not by itself give a right to compensation. However, the Court of Justice of the EU has held (case C-340/21) that a well-founded fear that personal data may be misused in the future can in itself constitute non-material damage.
National data protection authorities
Every country in the EU has a national data protection authority. They play an important role in the GDPR.
Questions on national data protection authorities
Where does a data subject lodge a complaint?
Data subjects may lodge a complaint with the data protection authority in the country where they live, work or where the alleged infringement took place (Article 77 GDPR). If the data protection authority considers that another country's authority is better placed to handle the case, for example because the company that violated the GDPR has its main establishment there, the authorities cooperate and the case can be handled there. In other words, the data subject does not have to worry about reporting to the right data protection authority.
Can the data protection authority impose fines?
Yes, national data protection authorities have the power to impose administrative fines if they consider that a company has breached the GDPR (Article 83 GDPR). The decision can be appealed to a court (Article 78 GDPR).
Can the data protection authority claim damages on behalf of data subjects?
No, data protection authorities cannot claim damages for affected data subjects. What they can do is impose fines on companies, a remedy which is not available to data subjects. The affected data subject needs to claim compensation themselves, either directly from the company or by bringing a civil action against the company.
Processing personal data as an employer
It is very common to process personal data as an employer. In addition, it is common in working life to process sensitive personal data, that is, special categories of data under Article 9 GDPR such as health data about sick leave, which means stricter rules apply. It is therefore good to know the rules of the GDPR, as breaches can result in major financial consequences for the company. For example, employers usually process employees' names, possibly the names of related contact persons, bank account details and sick leave, and use camera surveillance, recruitment systems, etc.
Responsibility for personal data when employers process personal data
It is the company itself that is the data controller, and not the manager or any other individual working in the business. It is the legal person itself that is the employer and therefore responsible for the processing of personal data. In some cases, however, it is a natural person who may hold the role of data controller, for example if it is a sole trader or private person who carries out the processing.
Can another party process the employees' personal data on the company's behalf?
Yes, for example if a company that is the controller uses an accounting firm to handle payroll. In such cases, the accounting firm is a processor and has its own responsibility for the processing it carries out, but it is not the controller of the personal data processed.
Recruitment systems and skills databases
Most companies need employees to run the business effectively, and it is common to rely on recruitment systems and competence databases when recruiting, which constitutes processing of personal data. The company then needs, among other things, a legal basis for that processing. For handling applications for a specific position, the processing is often necessary in order to take steps prior to entering into an employment contract (Article 6(1)(b) GDPR); for keeping a competence database of candidates for future positions, legitimate interest (Article 6(1)(f) GDPR) is usually the appropriate legal basis.
Do not process more personal data than necessary
Companies may only process the personal data necessary for the purpose of the processing. In addition, the personal data shall be erased or anonymised when it is no longer necessary to process it.
Note that the employer may continue to process the personal data for as long as the job seeker or employee concerned is able to take legal action, for example a claim of discrimination in the recruitment process. Sensitive personal data, on the other hand, may normally not be processed by employers when recruiting. The same applies to data on criminal convictions and offences (Article 10 GDPR).
Frequently asked questions about recruitment systems and competence databases
Can consent be used as the legal basis for processing data about employees and job seekers?
In most cases it is inappropriate to use consent as the legal basis when an employer processes personal data about employees or job seekers, because the relationship of power between the parties is unequal and consent can therefore rarely be considered freely given. The EDPB has commented on this in its guidelines on consent as a legal basis (Guidelines 05/2020).
Can recruitment decisions be fully automated?
The main rule of the GDPR is that employees, including future employees, have the right not to be subject to decisions based solely on automated processing which produce legal effects concerning them or similarly significantly affect them (Article 22 GDPR).
Must employees be informed that their personal data are processed?
Yes, the general rule is that employees shall be informed about the processing of their personal data (Articles 13-14 GDPR). In other words, the processing should not take place without their knowledge.
Monitoring of employees
Companies may in some cases need to monitor the workplace and/or employees, for example by having camera surveillance in the company’s premises.
Camera surveillance in the workplace
It may be appropriate to have camera surveillance in the workplace. However, it is a significant intrusion into privacy, and employees normally have a strong interest in not being monitored. There should therefore be strong reasons for camera surveillance in the workplace. For example, a valid reason for camera surveillance in a warehouse may be that high-value assets are stored there. It is not acceptable, however, to place a camera in front of the toilet in order to monitor how often employees visit it.
Frequently asked questions
Which legal basis applies to camera surveillance in the workplace?
Legitimate interest is usually the appropriate legal basis. Consent is generally not valid, because there is an unequal power relationship between the employer and the employee.
Must the company carry out an impact assessment before monitoring employees?
No, there is no explicit requirement in the GDPR tied to employee monitoring as such, but an impact assessment is required whenever the processing is likely to result in a high risk to individuals (Article 35 GDPR), and employee monitoring often is such a case. For example, it may be a must if the company systematically monitors how employees use their email.
Do employees have to be informed about monitoring?
Yes, employees have the right to receive information about the processing of their personal data and about monitoring at the workplace. The information does not usually have to be repeated each time monitoring takes place; once is usually sufficient. The information should be provided in writing in a privacy notice specific to employees.
Biometric data
Biometric data are personal data resulting from specific technical processing of a person's physical, physiological or behavioural characteristics which allow or confirm that person's unique identification (Article 4(14) GDPR). Examples are fingerprint or facial recognition used to access the company's IT services and systems. An ordinary photograph is not in itself biometric data; it becomes so only when it is processed by specific technical means that allow a person to be uniquely identified (Recital 51 GDPR).
Biometric data constitutes sensitive personal data according to GDPR
Under Article 9 GDPR, biometric data processed for the purpose of uniquely identifying a natural person constitute sensitive personal data (a special category of data). Processing of sensitive personal data is prohibited as a general rule, unless one of the specific exceptions in Article 9(2) applies, and the company also needs a legal basis under Article 6. Bear in mind that processing sensitive personal data imposes higher requirements than processing 'ordinary' personal data.
Frequently asked questions
Can an employer process employees' biometric data?
Yes, but the employer must have a legal basis under Article 6, an applicable exception under Article 9(2) and substantial grounds for processing biometric data. Consent is not normally appropriate as a legal basis, since the relationship of power between the employer and the employee is unequal.
Can biometric data be used to check who is present?
As a general rule, the answer is no. In Sweden, a school used facial recognition for attendance checks of its pupils, and the school was fined for it by the Swedish data protection authority.
Must an impact assessment be carried out before processing biometric data?
The GDPR does not explicitly name biometric data as a trigger for an impact assessment, but one is required where the processing is likely to result in a high risk, including large-scale processing of special categories of data (Article 35(3)(b) GDPR), and the national data protection authorities publish lists of processing operations that require one (Article 35(4) GDPR). In practice, an impact assessment is therefore often needed.