the GDPR in day-to-day business
Personal data in connection with the GDPR
Personal data is playing an increasingly important role in our work environment. In every company, every government institution and in social media, data is collected, collected and processed. Much of this information contains personal data, which has been intended to protect these data flows since the General Data Protection Regulation (GDPR) came into force in May 2018. In the event of a violation of the ordinance, severe penalties, sanctions and an unpredictable damage to the company's image are imminent. For this reason, companies should find out how to handle personal data in order to avoid fines and sanctions and to avoid damage to their image.
1. How are the personal data defined?
Personal data are defined in Article 4 No. 1 of the GDPR. They describe themselves as data that relate to an identified or identifiable natural person. The natural person has the same meaning for every living person. Identifiable persons can be assigned directly or indirectly through the information collected. In practice, this identification option would be used for customer numbers, employee numbers, etc. It is irrelevant here whether the person has been identified - the possibility of identification is sufficient.
All information that allows insights into the physical, physiological, genetic, psychological, economic, cultural or social identity fall under the term personal data in the case of natural persons. Telephone numbers, IP addresses or the appearance of a person can be named here as examples. Theoretically, processed working times can also fall under the personal data.
Some examples of the collection of personal data
• bank details
• Demographic data
• Identification numbers
• Online data collected
• Health information
• Political attitude
• Religious dates
• Sexual orientation
2. How is work in companies with personal data regulated?
Most companies are directly or indirectly involved in the processing of data and information. This data processing falls under the general principles of data protection. These established principles must be taken into account and compliance with them must be proven.
The following principles (Article 5 (1) GDPR) must be observed:
Lawfulness of the data processing
Data processing is only permitted if there is a legal basis or the consent of the person concerned.
Processing information in good faith
In principle, personal data may only be processed in the way that they were specified in a survey. The processing may only be carried out by a trustworthy person.
Data processing transparency
If you are affected by the processing of your own data, you always have the right to informal self-determination. In this way, it can be asked at any time who is processing the data and for what purpose the processing is used.
In principle, the processing of personal data must have a comprehensible purpose. This must pursue a fixed, clear and legitimate reason and must be comprehensible and meaningful.
The minimization of data
The collection of personal data must be reduced to what is necessary for the fulfillment of the purpose. In principle, as little personal data as possible should be recorded. This principle minimizes the data streams.
Correctness of the data processing
In principle, the data must be recorded factually correctly and must always be up to date. Affected parties can request a data correction at any time.
Limitation of storage
The collected personal data may only be stored for a period of time that is necessary for the intended purpose. If the archiving of the data is no longer necessary, the personal information must be deleted. There is an exception when statutory retention periods apply.
Integrity and confidentiality
Personal data must be treated with a high and appropriate level of security. This should protect against unlawful processing and prevent loss, destruction or unlawful access. This protection is guaranteed by technical and organizational measures (TOM), which are specified in Article 32 of the GDPR.
3. What types of personal data are there?
The protection of personal data is the focus of the GDPR. A distinction is made between different types of personal data. This means that the need for protection is different within the various categories.
Personal data - particularly sensitive data
This category includes survey data that provide information on racial and ethnic origin. Political opinions, religious or secular views, membership of a trade union, sexual orientation and genetic or biometric data are also considered to be particularly sensitive and therefore have a special need for protection.
The GDPR excludes the personal processing of data from these categories. In special cases, however, processing can be permitted, which is usually accompanied by the written consent of the person concerned.
How is the consent to data processing regulated in these categories?
Consent must be given expressly and refer to the above categories. The data subject must be explicitly informed about the processing of the sensitive data. Consent is generally to be given voluntarily. If this consent is given in an employment relationship, there must be no negative consequences. The employee must be informed about the purpose of the processing and his right of withdrawal.
Additional requirements in the special categories
In the categories with special need for protection, special requirements must be met. The processing of personal data requires a declaration of consent from the data subject. The company must ensure the technical and organizational measures and check the formulations in the declarations. In principle, you must have permission to collect data in accordance with Article 9 (2) GDPR. Every company should internalize that the processing of personal data from the special categories should be an exception!
4. Why is personal data considered worthy of protection?
If you want to comply with data protection correctly, there are many details to consider. Especially if the data collected could be used to draw conclusions about the lifestyle or to identify a person, this information is particularly worthy of protection.
For companies, personal data can often be equated with a monetary advantage. Data can support marketing departments and serve as the basis for day-to-day business for the sales department. The legislature sets particularly strict standards here and also supports the protection of the personal rights of the persons concerned (e.g. when using on one's own picture).
5. Regulations on the transfer of personal data
The transfer of personal data is a particular focus of the data protection regulations. This common form of processing harbors many data protection difficulties for companies.
If personal data is passed on, the applicable rights of the data subjects are automatically interfered with. If data is to be passed on, companies and also private individuals must ask themselves whether the transfer according to Article 6 of the GDPR also complies with data protection. An error that occurs here due to carelessness or negligence can have serious legal consequences. First and foremost, of course, are the consequences and consequences for the person concerned. Companies must reckon with fines, but there is also a risk of damage to their image if the negligent handling of personal data is made public. In this case, economic damage must also be expected. If the data protection violations have been made public in the press and in the media, the economic damage is often more serious than the fines to be paid. For this reason, companies should examine this topic very carefully and also bring data protection professionals on board.
The transfer of personal data is a core issue of the supervisory authorities and is strictly controlled. The GDPR has stipulated very high fines in the event of a data protection breach, which should lead a company to deal with the subject of personal data in detail. Companies should also be aware that in the event of a data protection violation not only the provisions of the GDPR apply, but further violations can also be punished. Here, the privacy rights of the data subject often have to be addressed, which are often violated in the event of data protection violations. This violation can also result in high claims for damages.