Each automated process in a company that uses personal data, such as HR, CRM, e-mail systems, call centres or supplier management, has to comply with the following principles:
- purpose: there must be a written purpose for the data processing
- publicity: processing must not be hidden; people have the legal right to know which of their data are used for which purpose
- rights of the data subject: each person can ask for correction or deletion of their data
- security: companies must enforce measures to ensure data security and prevent the data from being stolen, damaged or lost
- time limits: there must be a written and enforced time limit for the storage of personal data
Moreover, special rules apply to sensitive data, such as data related to health, race, ethnic origin or religion. Particular attention should be given when using such data. More restrictive national rules often exist.
Data breach notification
Regarding security, more and more European countries require companies to notify data losses or other illegal data use that might lead to a serious violation of personal rights. Such notification will probably become mandatory soon across the whole of Europe - so it's time to prepare.
Compliance requires not only checking all of the points listed above but also documenting them. This documentation can be checked by the authorities at any moment - so it is wise to store such information in a permanent way.
Any failure to comply with the above rules can be punished by a fine or lead to other risks.
Sarbanes-Oxley Act (SOX), Basel II and other compliance systems
Most international companies have to comply with their domestic laws, such as the Sarbanes-Oxley Act. Unfortunately, European legal philosophy ignores such concepts as whistleblowing. Using such systems requires special attention in most European countries - and can even be illegal in some.