It goes without saying that we are living in a digital age in which the processing and sharing of personal information has become inevitable. The amount of data we produce and share every day is mind-boggling: whether we are opening an email account, doing online banking, ordering items from an online shop or using social media platforms, we are constantly sharing more and more of our personal data. The World Economic Forum has described data as the oxygen that fuels the fire of the Fourth Industrial Revolution. But what exactly constitutes personal data, what is data protection, to whom does it apply, and what rights does an individual have over his or her personal data? This article summarises some of these key points.
The European Union’s General Data Protection Regulation (GDPR) is the binding law that regulates data protection across the European Union (EU). The GDPR came into force on 25 May 2018. It harmonizes data privacy law across the EU and applies to data controllers and data processors, regardless of where they are located, that process and hold the personal data of data subjects who are in the EU.
What is personal data?
The EU Charter of Fundamental Rights stipulates that everyone has the right to the protection of his or her personal data. Under the GDPR, personal data is any information that relates to an identified or identifiable living individual. This includes, for example, your name, home address, Identity Document (I.D.) card number, Internet Protocol (IP) address and information about your health. Personal data can also consist of different pieces of information, none of which identifies a person on its own, but which when collected together can lead to the identification of a particular person. The GDPR protects personal data regardless of the technology used to process it; pseudonymised data (for example, records keyed by a customer number rather than a name) remains personal data for as long as the additional information needed to re-identify the individual exists.
What is sensitive data?
Sensitive data (which the GDPR calls “special categories of personal data”) is a sub-category of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, together with genetic data, biometric data used to uniquely identify a person, and data concerning health, sex life or sexual orientation. Sensitive data enjoys extra consideration and protection under the GDPR: processing it is prohibited unless one of a limited set of exceptions applies, because its misuse has the potential to give rise to serious stigmatisation or discrimination in society.
When does the GDPR apply?
The GDPR applies when personal data is processed wholly or partly by automated means (for example, collected, used or stored digitally) and also to manual, non-automated processing if the data forms part of, or is intended to form part of, a structured filing system, that is, a set of records organised according to specific criteria. The regulation applies only to personal data concerning individuals; it does not govern data about companies or other legal entities. Information about the individuals who work for a company, such as the contact details of its employees, is nevertheless still personal data.
Who does the GDPR apply to?
The GDPR applies to a company or other entity that processes personal data as part of the activities of one of its branches or establishments in the EU, regardless of where the data is actually processed. It also applies to a company established outside the EU that offers goods or services, whether paid or unpaid, to individuals in the EU, or that monitors the behaviour of individuals in the EU. A small or medium-sized enterprise (SME) that processes personal data in either of these ways is covered in the same way as a large company.
However, some obligations of the GDPR are relaxed for the companies described above if processing personal data is not a core part of the business and the processing does not create risks for individuals. For example, an enterprise with fewer than 250 employees is exempt from keeping a record of its processing activities, unless the processing is likely to result in a risk to individuals’ rights and freedoms, is not occasional, or includes sensitive data or data relating to criminal convictions.
Under which circumstances can data be processed?
The type and amount of personal data that a company or entity may process depends on the lawful basis for the processing and on its intended use. Whatever the basis, the company must adhere to the following principles when processing the data:
- the personal data must be processed in a lawful, fair and transparent manner;
- a specific purpose must exist for the processing, and this purpose must be communicated to individuals when their personal data is collected;
- the company must collect and process only the personal data that is required to fulfil that purpose (data minimisation);
- the personal data must be accurate and, where necessary, kept up to date having regard to the purposes for which it is processed, and inaccurate data must be corrected or erased without delay;
- the personal data must not be further processed for purposes that are incompatible with the original specified purpose;
- the personal data must be stored in a form that identifies individuals for no longer than is necessary for the purposes for which it was collected;
- the company must implement appropriate technical and organizational safeguards that ensure the security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
What are the sanctions and liabilities if a company fails to comply with the GDPR?
Data controllers and data processors face severe consequences if they do not comply with the European rules. A company can act as a controller, as a processor, or as both, depending on the exact type and use of the data. Depending on the provision infringed, administrative fines may reach a maximum of EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (a lower tier of EUR 10 million or 2% applies to some provisions). Furthermore, a controller and a processor that are both involved in the same processing can be held jointly and severally liable for the damage it causes, so that an individual may claim full compensation from either of them.
Research published by the law firm DLA Piper in January 2020 reported that 160,921 personal data breaches had been notified to supervisory authorities across the EU between 25 May 2018 and January 2020. The report found that the largest total fines had been imposed in France, Germany and Austria. The best-known GDPR enforcement cases have involved failure to undertake sufficient due diligence on data acquired through an acquisition, failure to implement appropriate security measures, lack of transparency about how data was harvested from data subjects and used for ad targeting, excessive data retention, and lack of valid consent.
The failure to adhere to the GDPR has severe consequences, as seen in a recent decision in Germany in which a hefty fine was imposed on an employer. The Swedish retail group Hennes & Mauritz (H&M) had for a number of years, through one-on-one conversations between employees and their supervisors, been collecting and digitally storing employees’ personal information, including details of their private lives. This information was partly recorded, stored digitally, updated over time and accessible to up to fifty managers throughout the company. In October 2019, a configuration error made all of this information accessible company-wide for a few hours. The breach was reported to the Hamburg data protection authority (HmbBfDI), which imposed a fine of approximately EUR 35.3 million for the employer’s unlawful surveillance of its employees and stated that the fine was “adequate and effective to deter companies from violating the privacy of their employees”. H&M also undertook to implement various remedial data protection measures and to compensate the affected employees. The decision sends a strong message to all companies to ensure that they do not over-process employees’ personal data and that they are compliant with the GDPR. It is also a reminder that a single misconfiguration of access controls can turn an internal data store into a reportable breach, and that a record of who can access which personal data, and why, should exist before an incident rather than be reconstructed after it.
What rights does an individual have over his/her personal data?
An individual has the following rights over his or her personal data:
- the right to be informed about who is processing what information and for what purpose,
- the right to request access to the personal data held about him or her,
- the right to object to the processing of the data,
- the right to have inaccurate data rectified without undue delay,
- the right to have data erased (the “right to be forgotten”),
- the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, and
- the right to data portability, that is, to receive the data in a structured, commonly used and machine-readable format and to move it to another provider.
How can companies ensure that they are GDPR compliant?
In conclusion, companies must ensure that they are GDPR compliant to avoid these severe consequences. They can do this by:
- knowing and fully understanding the key concepts and articles of the GDPR,
- training the relevant personnel on the basic principles of the GDPR and on the procedures being implemented for compliance,
- bringing all of the company’s internal procedures in line with its privacy policies and the GDPR,
- reviewing and updating the data protection provisions in employee, customer and supplier contracts,
- securing personal data through appropriate technical and organizational measures, and verifying that any transfers of personal data outside the EU are compliant with GDPR requirements,
- taking a proactive approach to monitoring for and detecting breaches, and making sure that data is properly managed, bearing in mind that a breach must generally be notified to the supervisory authority within 72 hours of the company becoming aware of it,
- checking consent procedures: under the GDPR, consent must be freely given, specific, informed and unambiguous; it must be simple to understand and as easy to withdraw as it was to give, and it should be recorded so that it can be demonstrated later,
- appointing a Data Protection Officer (DPO), which is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data or of data relating to criminal convictions and offences,
- developing a framework of policies and procedures that allows data subjects to exercise their extended rights under the GDPR,
- raising awareness of GDPR compliance throughout the organization and at every stage of each business process, and
- creating a GDPR compliance implementation plan: after establishing which current policies and practices need amending, establish a plan for implementing the necessary changes.
The implications of the GDPR cannot be ignored, and companies must therefore strive to be GDPR compliant, engaging firms with the necessary expertise where needed.
In light of the COVID-19 pandemic, during which companies have taken several measures that involve the processing of different types of personal data, including health data, it has become very important for companies to ensure that they are GDPR compliant. Companies and organisations should be aware that such measures have an impact on the privacy of individuals and must strike a balance between safety measures benefiting public health and invasive controls that impinge on individual privacy. Personal data collected through measures implemented to prevent the spread of COVID-19 must be processed in compliance with all of the fundamental principles of data processing under the GDPR.
Centurion Plus Germany on Data Protection
Centurion Plus Germany provides professional legal services to companies to ensure that they are not only compliant but have also placed the necessary limits on the collection, sharing and use of personal data, especially health data. Centurion Plus also offers other services such as legal advice on the key concepts of the GDPR, audits of data protection policies, and the design of short-term or long-term measures and procedures to ensure the security of personal data.
Contact us today for a complimentary consultation.