Privacy Europe

Compliance

As individuals, we want to know that our personal information is handled properly. Thus, companies have to comply with several laws and regulations regarding data protection and compliance. By adopting strong data protection methods, organizations can not only improve their compliance but also deliver much wider efficiency savings.

Principles

Each automated process in a company that uses personal data, such as HR or CRM systems, e-mail systems, call centres or supplier management, has to comply with the following principles:

  • Lawful processing: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Purpose: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
  • Data minimization: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accuracy: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  • Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject
  • Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures

The controller shall be responsible for, and be able to demonstrate compliance with, those principles (accountability).

Sensitive data

Moreover, special rules apply to sensitive data, which means data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Particular attention should be given when using such data. More restrictive national rules may exist.

Data breach notification

Regarding security, the GDPR requires companies to notify the respective data protection authorities within 72 hours of data losses or other illegal data use that might lead to a serious violation of personal rights. Clear and comprehensive guidelines for a notification process within the company need to be in place!

Accountability and documentation obligations

Compliance requires not only checking all of the points listed above but also having them in written form. This documentation can be checked by the authorities at any moment - so it is wise to have a data protection management system in place, including the record of processing activities as well as documentation of data protection impact assessments.

Data subject’s rights

The GDPR imposes increased obligations on companies to inform data subjects about data processing and also grants individuals strong rights regarding access to, rectification of and deletion of their personal data. Companies shall be prepared for such requests!

Risks

Any failure to comply with the above rules can be punished by a fine or lead to other risks.

Sarbanes-Oxley Act (SOX), Basel II and other compliance systems

Most international companies also have to comply with their domestic laws, such as the Sarbanes-Oxley Act. Using systems with a high impact on data protection and compliance (such as whistleblowing systems) requires special attention in most European countries - and can even be illegal in some others.

© www.privacy-europe.com. All Rights Reserved.