Generally speaking, every organisation should keep a record of their processing activities. This is an inventory of all processing operations and can help you make correct assumptions of your responsibilities under the GDPR and possible risks.

Each of these processing operations must be described in the record with the following information:

  • the purpose of the processing (e.g. customer loyalty);
  • the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
  • who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
  • where applicable, information related to transfers of personal data outside the European Economic Area (EEA),
  • where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective).
  • where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager.

This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).

 

More information:

 

Did you find your answer?

Individuals have the right to request erasure of personal data concerning them and in that case, the controller has the obligation to erase the personal data. You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to comply with the request, provided that the individual is informed of this within one month after receiving the request.

It is important to note that the right to erasure is not absolute. It does not apply when the data in question is necessary for:

  • exercising the right to freedom of expression and information (e.g. for journalistic purposes);
  • compliance with a legal obligation which requires the processing of personal data (e.g. processing records on employees’ work hours);
  • reasons of public interest in the area of public health
  • archiving purposes in the public interest or scientific or historical research purposes or statistical purposes; and
  • the establishment, exercise or defence of legal claims.

When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the individual has requested erasure, unless this proves impossible or would require disproportionate efforts.

 

More information:

On the same topic:
Did you find your answer?

You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.

You must do this free of charge.

 

More information:

 

On the same topic:
Did you find your answer?

Individuals can ask you whether you are processing their data and where it is the case, they have a right to access that data. So when this happens and if you process their data, you should, for example provide a copy of their personal data, free of charge, together with any necessary additional information. Where a request is made electronically, your organisation should provide the required information in a commonly used electronic format, unless the individual requests otherwise.

 

More information:

 

On the same topic:
Did you find your answer?

If your organisation is collecting the personal data directly from individuals, it must provide the necessary information at the time of collection.

In case of indirect collection of personal data, your organisation must provide the information at the latest within one month after the personal data has been initially obtained. This maximum period of one month can be reduced:

  • if the personal data is used for the purpose of communication with the data subject. In that case, you must inform the data subject at the latest at the time of the first communication to the data subject;
  • if the data is transmitted to another recipient, the organisation informs the data subjects of this at the latest when the personal data is transferred. 

 

More information:

 

On the same topic:
Did you find your answer?

Organisations must, in the case of direct collection of personal data from the individuals concerned, provide information about the processing operations in a concise and transparent way, using understandable, easily accessible and clear and plain language. This can be done in writing (e.g. on the reverse side of a tender) or by electronic means (e.g. on a website). If the person concerned so requests, you may also provide this information orally, but you must be able to prove this afterwards.

Even when the data was collected indirectly, i.e. if you do not directly collect the personal data from an individual yourself, but for example via a third party, you must provide the same detailed information to individuals

On the same topic:
Did you find your answer?

The GDPR gives individuals control over the processing of their personal data. In order to do this, transparency is key. This means you have to inform individuals whose data you process about your processing operations and the purposes. In other words, you have to explain who processes their data, but also how and why. Only if the use of personal data is 'transparent' for those involved, can they assess possible risks and make decisions about their personal data.

Under the GDPR you are obliged to share the following information with individuals:

  • the identity and contact details of the controller;
  • the purposes of the processing;
  • the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.)
  • the contact details of the controller;
  • the contact details of the DPO (if there is a DPO);
  • the recipients or categories of recipients of the data;
  • Information on whether the data will be transferred outside the European Economic Area (EEA) (where applicable: the existence or not of an adequacy decision or reference to the appropriate safeguards and how this information can be made available to data subjects);
  • the categories of personal data processed, when the data is not obtained from the individual.

In addition, the GDPR requires your organisation to provide the following information to ensure fair and transparent processing:

  • the retention period or, where this is not possible, the criteria used to determine this period;
  • the right to request access, erasure, rectification, restriction, objection and portability of personal data;
  • the right to lodge a complaint with a data protection authority;
  • if the legal basis for the processing is consent: the right to withdraw consent at any time;
  • in the case of automated decision-making, relevant information about the underlying logic and the intended consequences of the processing for the data subject;
  • the source of the personal data (if you did not directly receive it from the individual concerned;
  • whether the individual is required to provide the personal data (by law or by contract or to enter into a contract) and what the consequences of refusing to provide the data are.

 

More information:

 

On the same topic:
Did you find your answer?

The GDPR foresees specific rights for individuals that have to be respected. You can do this by:

  • informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
  • by responding to individuals’ requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.

Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.

 

More information:

Did you find your answer?

For consent to be considered valid, it must be:

  • freely given;
  • specific;
  • informed; and
  • unambiguous.

This means that individuals must have a genuinely free choice regarding whether or not they agree with the processing of their personal data; they need sufficient information so that they can understand which data is processed, for what purpose, and how this is done; they also need sufficient granularity in consent requests.

In addition, there should be a clear affirmative action from the individual (without pre-ticked boxes and made separately from applicable general conditions).

In addition, individuals need to be able to freely withdraw their consent (without any negative consequences) if they change their mind later on.

 

More information:

On the same topic:
Did you find your answer?

Processing personal data is allowed if there is a legal basis for it. In addition to free, specific , informed and unambiguous consent, other legal bases for processing can be used.
In other words, consent is necessary when none of the other legal bases applies.

 

More information:

Did you find your answer?
Subscribe to