If you have already read our blog post about personal data, you know that it is anything that relates to an identifiable living person and that all this information can be stored in different forms.
Every bit of information that can be used as part of identification is considered your personal data.
The GDPR sets forth requirements that need to be fulfilled to legally process personal data. Processing refers to a wide range of operations or actions performed on or with personal data.
Examples of data processing include:
- ‘Collection of data’, for example gathering information about candidates in a recruitment process
- ‘Storage of data’, meaning storing data on servers or in a physical archive
- ‘Use of data’, for instance, a company using their customers’ email addresses to send out newsletter
- ‘Dissemination of data’, including posting a photo of an employee by the company’s marketing department on the company’s website
- ‘Altering of data’, for example managers updating employees’ home address in the address list
- ‘Deletion of data’, for instance deleting the candidate data from a recruitment system
The rules of the GDPR apply when personal data is processed wholly or partly by automated means, or by non-automated or manual means if the processing is a part of a structured filing system. This means that the GDPR is applicable for example
- When your HR department stores a paper copy of your employment contract in the archive
- When files containing personal data are deleted automatically in a system due to the software settings; and
- When you send an email to a customer
The GDPR is not applicable when personal data isn’t processed by automated means. It is also not applicable when personal data is processed by non-automated means but isn’t part of a filing system.
This means that if you write down a customer’s name and phone number on a post-it note to remember to call them, and then throw the note out once you’ve made the call, this does not constitute processing data under the GDPR. The GDPR regulation is furthermore not applicable for processing performed for purely personal activities, such as calling a friend or posting a picture of your family on social media.
In conclusion, processing of personal data includes any operation performed on or with personal data by automated means, or by non-automated means when part of a filing system. Processing under the GDPR does not include private use of personal data, or manual use of personal data that’s not part of any filing system.
Do you have examples of data processing from your everyday work where the GDPR is not applicable?
When is it legal to process personal data?
Now that you’ve learned what personal data is and what processing of personal data means, it is time to take a look at when it is allowed to process personal data.
The GDPR contains a few fundamental principles for processing personal data, which include that data must only be processed lawfully, fairly and in a transparent manner for specified and explicit purposes. Personal data may only be processed if it is necessary to fulfil these purposes, and anyone who’s processing the data must ensure that it is accurate, kept up to date and properly secured.
In order to guarantee that data is processed lawfully, the GDPR sets out six different lawful bases. One of these must apply to the processing at hand –otherwise it isn’t lawful to process the personal data.
The six legal bases are:Consent
The person whose data is being processed has given their explicit, clear and voluntary consent. This is the mandatory legal basis for processing special categories of personal data, also called sensitive data, such as health information and data on religion or sexual orientation.
Performance of a contract
The processing of data is necessary in order to fulfil the requirement of an agreement or to take the necessary steps to enter an agreement, for example when using a customer manager’s name and email address to send an agreement for digital signing.
The processing is necessary for compliance with laws or regulations, for example when the police question witnesses during a crime investigation.
Protect vital interests
The processing is necessary to protect the vital interests of a natural person. This can be the case when a hospital provides emergency medical treatment.
Public interest or official authority
The processing is necessary for public interest or for official authority, for example when carrying out the functions of the government or the courts.
The processing is necessary for the purposes of the legitimate interests of the one who is processing the personal data. This can be the case when a company markets its products or services or keeps records of customers and suppliers.
Do you know of any personal data consent forms that your workplace asks candidates, employees, or other data subjects to sign?
What are my rights?
By now, you’ve learned what processing of personal data is and when it is legal to process data. The purpose of the GDPR is to ensure that you own and decide on your personal data. Now, let's take a look at your rights! In order to give you the power over your personal data, the GDPR states the following fundamental rights:
- First of all, you have the right to information about your personal data being processed and for what purposes. You are entitled to ask for a registry of your data, where all the data being processed must be stored.
- Second of all, you have the right to rectification, which guarantees that inaccurate personal data must be corrected.
- Third of all, you have the right to erasure, also known as the right to be forgotten, meaning that you can demand that your personal data shall be removed. Using this right, the data must be deleted, unless it is necessary for continuing the processing on the legal basis. In that case, you can use
- the right to restriction of processing, which means you can demand that only the data necessary for certain legal basis may be processed.
- Additionally, you have the right to data portability. This means that you are entitled to receiving your data in a structured manner, for example in order to transfer it from one company to another.
- Finally, you have the right to object to have your personal data processed, for example by declining direct marketing.
How does your workplace make sure that data subjects are informed about their fundamental rights?
In summary, data processing is related to anything that can be done with personal data, including collecting, storing, using and deleting it. Data may only be processed for a specific purpose on a legal basis, such as an explicit consent or the legitimate interest of the party who’s processing the data. In order to ensure that you own and decide on your personal data, you have fundamental rights under the GDPR, including the right to information about why your data is processed, as well as the right to be forgotten.
Book a demo with one of our experts and we will show you how you can become GDPR compliant across all HR processes.