The enforcement of GDPR has risen a number of questions and triggered many debates. While we wait for the court to issue official answers in the near future, we’ve decided to address some of the most frequently mentioned concerns.
Personal data under GDPR
GDPR is introducing categories of personal data that have never been regarded before, making the definition of personal data very specific, and elevating the data protection process.
“Personal data” stands for any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person can be identified, directly or indirectly, by reference to an identifier such as name, identification number, location data, online identifier; or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” –Art. 4 GDPR
Long story short: GDPR considers all personal data that can be used to identify an individual, including genetic, mental, cultural, economic, and social aspects of one’s identity.
That being said, examples of personal information would be:
- IP Address
- Location Identifier
- Email Address
- Bank Details
Even the e-mail address you use for work is considered personal information
As mentioned above, an email address is considered personal information, if it contains elements that can identify that person. The same applies to your “business” e-mail address containing personal elements, since that information can be used to determine your identity AND place of work.
Therefore, regardless of whether an e-mail address is public and visible online, a website is not allowed to publish it without that person’s consent. Still, as a website administrator, you can still use the visitor’s e-mail address to contact them.
It is all about the location – not citizenship
When it comes to non-EU citizens located in the EU, or EU citizens located outside the EU, the confusion about citizenship and location arises. The same discussion is triggered when a product or service is being delivered within the EU or beyond its borders.
If a company transfers EU personal data outside of the EU, they must ensure that the protection of this data is still on the same level as it is under GDPR.
However, there is a specific scenario that is regarded differently. If, for instance, an EU resident moved to the US and ordered a product or service, providing his US home address for the delivery, the GDPR does not apply in this case.
You do not always need to obtain consent to collect employee data
GDPR imposes that, in order to process personal information, you need to obtain consent or have other kinds of lawful basis.
Besides consent, other kinds of lawful basis for processing personal employee data include:
- Signing a contract with the individual;
- Complying with the legal obligation under the EU law;
- Protecting the vital interest of an individual;
- Performing tasks in the public interest;
- Pursuing the legitimate interests of the organization.
Employers usually choose to process the employee data based on the terms of a contract, comply with the EU employment laws, or pursue the legitimate interests of an organization.
The right to be forgotten is not an absolute right
A person’s right to require their data to be removed, also known as the “Right to be forgotten” or the “Right to erasure”, is a relatively new concept the GDPR brought to life. This special request now obligates companies to develop new techniques and strategies in order to comply with it.
However, this right is not an absolute one and it applies if there is a valid reason. An individual filing for this request will need to specify the reason under Article 17 of the GDPR before a company is required to erase their data.
Here are some examples of valid reasons for the deletion of a person’s data:
- Data is available online, but it is outdated, or otherwise currently irrelevant, so the user can ask for an update or deletion;
- The data subject decides that the data controller no longer has the right to access their data, and the data isn’t in the public domain;
- Someone stole or altered the data;
- A judicial body ruled the data be deleted.