This article will provide you with information on the responsibilities of a data controller and the procedures for implementing security measures for the processed data.
Moreover, learn more about the requirements of a data protection impact assessment and the consequences of mitigating the risks linked to data processing.
Keep reading to discover all the essential information about handling personal data in the course of your business operations.
Contact us via email at office@cristinatudor.ro to ensure that you process personal data legally within your activities.
Contents:
Purposes of processing personal data and the legal grounds for processing
What must be included in the information notice or data processing agreement for it to be valid?
What are the main obligations of data controllers?
Purposes of processing personal data and the legal grounds for processing
For data processing to be lawful, it must be based on at least one of the following grounds.
The most commonly relied upon ground is:
(i) the consent of the data subject – data processing agreement.
In this case, before any operation is performed on a particular category of personal data, the data subject's consent must be obtained in a written document.
Accordingly, the data processing agreement issued by the data subject is the most commonly used ground for data processing.
An individual can indicate their consent for the processing of their personal data by making a declaration or taking a clear action, thus forming the data processing agreement.
Additionally, the data subject has the right to withdraw their consent at any time, and operators are required to maintain a record of consent that can be easily verified.
Moreover, the consent provided in the data processing agreement must be given voluntarily in order to be considered legitimate.
Consent is not considered valid if:
· the data subject does not genuinely have a free choice; or
· cannot refuse to give consent; or
· cannot withdraw it without suffering detriment.
Furthermore, for consent to be valid it must be informed. This means the data subject must be presented, at the very least, with the following in a clear and unambiguous manner:
a) the identity of the operator and
b) the purposes of processing personal data.
It is also important to note that if data processing is based on the consent of the data subject, you must clearly show that the data subject has explicitly agreed to the processing of their personal data.
(ii) performing a contract to which the data subject is a party
For instance, this ground for data processing applies to an employment agreement signed between an employer and an employee.
In this case, it is necessary to carry out the processing of the employee's personal data, which includes the use of copies of identity documents for the preparation of mandatory declarations to tax authorities, the transmission of the amount of social security contributions, etc.
(iii) fulfillment of a legal obligation by the operator
In this context, the controller processes personal data based on the provisions of applicable law, such as:
– tax regulations;
– the Law on the organization and conduct of social activities;
– European regulations regarding the implementation of international sanctions, etc.
(iv) the protection of the vital interests of the data subject or another individual
For instance, during emergencies like when someone loses consciousness and needs urgent medical help, it is essential to analyze information about the person's health in order to safeguard their life.
This ground for data processing is rarely used.
(v) performing a task carried out in the public interest
Public authorities (such as local councils, city halls, prefectures, and national authorities) process the personal data of Romanian citizens to fulfill a task in the public interest.
(vi) legitimate interests of the operator or a third party
This legal basis for data processing is applicable when the controller can demonstrate that the processing of personal data is necessary for the legitimate interests pursued by the controller.
For example, the legitimate interest of a business may justify the use of video surveillance in the workplace, provided that such use does not involve the processing of special categories of data.
What must be included in the information notice or data processing agreement for it to be valid?
The GDPR Regulation provides for the obligation to ensure a minimum level of transparency for the data subject regarding the manner in which their personal data will be used.
In this regard, the data subject must receive an information notice that includes a set of mandatory information, such as:
(i) The identity of the controller (i.e., the identification data of the company);
It is mandatory to provide the data subject with information about the data controller.
This information may include, as appropriate, the full name and surname of the data controller, their telephone number, email address, or other contact details, and possibly their business address.
If you are uncertain about whether the data you are handling qualifies as personal data, feel free to contact us at office@cristinatudor.ro for an assessment.
(ii) The purposes for which personal data are processed;
It is necessary to inform the data subject about the purposes for which their personal data is being processed.
In this respect, a clear distinction must be made between:
a) specific purposes of processing and
b) secondary purposes of processing.
Especially when the data is used for purposes other than those initially planned during data collection, it is crucial to transparently inform the data subject about this.
For example, personal information could be utilized for generating marketing statistics through the conduct of opinion surveys.
In this case, the processing of personal data must have an obvious and easily understandable purpose for the data subject.
Moreover, the reasons for processing the personal data must be clearly, concisely, and understandably stated.
Therefore, it is essential for the data subject to be provided with precise details regarding the handling of their personal data and to avoid being deceived by vague information or ambiguous terms.
Also, it is important to mention that the purpose of processing must be as specific as possible, so it can be easily understood and appreciated by the data subject.
For example, the purpose of processing data related to the organization of advertising campaigns should be indicated in a clear, concise, and understandable manner.
In case the processing purpose is secondary, it should be included in the data processing agreement and clearly and explicitly communicated to the data subject.
(iii) The legal grounds for processing personal data;
In addition to the purposes for which the personal data are processed, the data subject must also be informed about the legal grounds for the processing.
The legal grounds for processing personal data represent the legal justification that allows the processing of personal data.
It is crucial to bear in mind that the legal basis for processing personal data must be clearly stated, leaving no room for uncertainties or lack of information.
(iv) The duration of processing personal data;
Another element that must be included in the information notice or data processing agreement is the duration for which the personal data will be processed.
This duration must be clearly specified and must not leave room for interpretation.
Specifying the start and end dates for processing personal data is equally important.
For instance, when personal data processing is done for a contract, the contract should clearly state the duration of the processing.
(v) Information about the categories of personal data processed
In the information notice or data processing agreement, the data subject should be informed about the categories of personal data that will be processed.
This information is necessary to provide the data subject with a clear understanding of the type of data that will be processed.
For example, personal data may include information such as the individual's name, date of birth, address, email address, phone number, national identification number, IP address, etc.
It is also important to note that the categories of personal data processed must be mentioned explicitly, without any ambiguities or gaps in information.
(vi) The right of access to personal data
In addition to the above information, the data subject must be informed about their right to access their personal data.
This right allows the data subject to request information about the personal data that is being processed and to receive a copy of that data.
The right of access to personal data is an essential element of data protection and must be explicitly mentioned in the information notice or data processing agreement.
(vii) The right to rectification of personal data
The data subject must also be informed about their right to request the rectification of their personal data if it is found to be inaccurate or incomplete.
This right allows the data subject to correct any errors in their personal data and to ensure that the data is accurate and up-to-date.
(viii) The right to have personal data erased
The right to erasure, also known as the "right to be forgotten", allows the data subject to request the deletion of their personal data if it is no longer necessary for the purposes for which it was collected or if the data subject has withdrawn their consent for processing.
This right is an important aspect of data protection and must be clearly communicated to the data subject in the information notice or data processing agreement.
(ix) The right to restrict processing
The data subject must also be informed about their right to request the restriction of processing of their personal data.
This right allows the data subject to limit the processing of their personal data in certain circumstances, such as when the accuracy of the data is contested or when the data subject has objected to the processing.
(x) The right to data portability
The right to data portability allows the data subject to request the transfer of their personal data to another data controller in a structured, commonly used, and machine-readable format.
This right is particularly relevant in situations where the data subject wishes to switch service providers and requires their personal data to be transferred to the new provider.
(xi) The right to raise objections against processing
It is also necessary to inform the data subject of their right to oppose the processing of their personal data.
This right allows the data subject to object to the processing of their personal data in certain circumstances, such as when the processing is based on the legitimate interests of the data controller or when the data is being processed for direct marketing purposes.
(xii) The right to file a complaint with a regulatory body
It is important to inform the data subject about their right to file a complaint with a supervisory authority if they suspect that their personal data has been processed in breach of the GDPR Regulation.
This right is an essential aspect of data protection and provides the data subject with a means of seeking redress if their rights have been infringed.
What are the main obligations of data controllers?
Data controllers have several obligations under the GDPR Regulation, including:
(i) Ensuring the lawfulness, fairness, and transparency of data processing.
(ii) Implementing appropriate technical and organizational measures to protect personal data.
(iii) Conducting data protection impact assessments (DPIAs) for high-risk processing activities.
(iv) Notifying the supervisory authority and data subjects of data breaches.
(v) Maintaining records of processing activities.
(vi) Appointing a Data Protection Officer (DPO) if required.
(vii) Ensuring that data subjects can exercise their rights under the GDPR Regulation.
In conclusion, complying with the GDPR Regulation is essential for businesses and organizations that process personal data.
Failure to comply can result in significant fines and damage to your reputation. It is crucial to understand the requirements of the GDPR Regulation and to implement appropriate measures to ensure compliance.
If you need further details or help regarding GDPR compliance, feel free to reach out to us at office@cristinatudor.ro.