Even though the GDPR has been in place for a few months now, there still is some confusion. It’s to be expected, though, since quality information is difficult to find and the EU institutions haven’t really tried much to remedy the situation. Small businesses and NGO-s are particularly hard-hit as for most, this is the first encounter with a privacy-related piece of legislation.
As part of our GDPR Q&A series, we’ve decided to compile a list of the most-commonly asked questions that we came across during the last few months.
The deadline has passed, can we be fined?
Yes. The supervisory authority in your country can fine you, should they find any compliance issues. The letter of the law is clear: 25 May was the deadline for compliance. Luckily, small companies will probably be off the hook for a while, as the supervisory authorities have bigger fish to fry. The catch is – nobody knows for how long. With each passing day, it becomes less likely that your infringements will be glossed over.
How do I appoint data controllers and data processors?
You don’t. The question completely misses the point, as data controllers and processors are not functions that require appointing. They are merely terms that are used to describe various levels of data processing activities. By carrying out personal data processing, you are already, in the eyes of the law, considered a data controller. Data controllers are responsible for collection, protection, storage and deletion of personal data, whereas data processors process data based on the data controllers’ instructions (bookkeepers, associates etc.)
What about a Data Protection Officer (DPO)?
DPOs, unlike the above, do require appointing. The criteria for appointing a DPO found in deprecated legislation has been superseded by the GDPR. Only the GDPR criteria are valid. Data controllers or processors must appoint a DPO if one or more criteria below applies:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences
There are no particular certifications that a DPO position would require, but Article 37 states that a DPO must be able to fulfil their duties in a professional manner. Expert knowledge of data protection law and practices is a requirement.
You can find more information about DPOs here.
Can I, as an owner, appoint myself as a DPO?
According to Article 38(6), there should be no conflict of interest between the tasks of a DPO and other duties. Owners or board directors are likely not to satisfy this requirement, so we would advise against such practices.
Is the GDPR a must for NGOs and charities?
Yes. There are few to no exemptions and if you haven’t, you should start preparing right now.
Start the process by getting your internal affairs in order. Acquaint your members with internal data protection practices and get rid of unnecessary data. Limit access to data only to those individuals who really need it. Take care to adequately protect data in physical form, and appoint a DPO if necessary.
What about NGO projects (EU funds etc.)?
Even then, if you are collecting personal data for this purpose, you need a lawful basis. There can be laws, ordinances or regulations that allow you to process data in such a manner. In some cases you will have a contractual obligation to process personal data, while in others, legitimate interest bay be used. If none of this applies, consent is the most likely option you will use.
When submitting various forms and applications for funding, you should ask all participants for their consent. Provide information on how you plan to use your data and ask for their signature. You can keep the data for some time after the project/programme ends, e.g. for 5 years, as long as you provide adequate information of that fact.
What about photography for personal purposes?
The GDPR does not apply to non-commercial processing of personal data for private and purely household purposes.
Is making copies of a person’s ID allowed?
Generally no, at least not without their explicit consent. Such copying is allowed only if required by law. Inconvenience to the party that collects the data is not a valid argument. This applies to passport cards, driver’s licences and similar documents.
Financial institutions will most often ask for such copies, even when they have no right to do so, as will hotels in many EU countries. In the latter, they have the right to collect your personal data due to a legal obligation, but they cannot make copies unless you consent.
What about street photography and the GDPR?
The rules are clear for wedding photographers, modelling and similar: draft an agreement clearly specifying how the data will be used and why. For street photography, the situation is a bit murkier. Generally, photos which do not aim to single out particular individuals are allowed – i.e. photos of a square where passers-by are incidentally photographed are fine.
Am I required to keep records of data processing activities?
This depends on the data and the number of employees you have. If your organisation or company has less than 250 employees, you do not have to keep records of your processing activities in most cases. However, certain processing activities require you to keep records even if you are otherwise exempt. These are:
- the processing you carries out is likely to result in a risk to the rights and freedoms of data subjects
- the processing is not occasional, or
- the processing includes special categories of data or personal data relating to criminal convictions and offences.
Records must contain the following:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
You can find more information here.
Can I collect and keep employee and invoice data?
Yes. You have a legal obligation to do so and the retention periods are defined by law. The GDPR cannot and does not force you to break the existing laws even if you receive a deletion request from the individual.
Is cold e-mailing allowed?
E-mailing natural persons without prior consent or business relationship is strictly forbidden and is considered spamming. The same goes for creating e-mail databases containing such entries. Of course, you do have the right to answer the users’ queries without asking for their permission. Any questions addressed to you are covered under the “contractual obligation” lawful basis, so you do not need any consent.
E-mails to existing customers can be sent without consent on the basis of legitimate interest, but the premise is rather flimsy and you must cease with such activities when you receive a request. Always include an unsubscribe link in the header and footer of every e-mail you send.
This does not apply to business e-mails. You can send promotional messages and offers to business e-mail addresses, such as [email protected]. Take care: this does not mean you can spam with impunity.
What about old e-mail databases?
If you obtained those e-mails in a GDPR-compliant manner, then you are allowed to keep them. Most likely, you did not and you have to re-evaluate your mailing list. This means deleting:
- all e-mail addresses that do not belong to your previous contacts
- addresses for which you cannot prove valid consent
Do I need consent for video surveillance?
You can still use CCTV to monitor the safety of your property, as long as you keep it minimally intrusive. You are also required to sign-post the area that is under surveillance. The notice should contain information about the company performing surveillance and a way to exercise data subject rights.