The personal data and information of consumers is an invaluable resource for businesses. By making use of this information, they can better target their marketing. However, in order to protect the rights of individuals and privacy, this data is subject to the General Data Protection Regulation. More commonly known as GDPR, this legislation aims to regulate and harmonise the processing of data by the member states of the European Union. To mark the International Data Protection Day on the 28th January, we thought it important to review the obligations of European companies regarding the GDPR.
What are the principles of the GDPR in Europe?
Since its adoption in 2016 and its entry into application on the 25th of May 2018, the European GDPR has aimed to safeguard the privacy of every European citizen by protecting their personal data. It does this through six main principles.
1 - Lawfulness, fairness, and transparency
Personal data must be collected and processed in a lawful, fair, and transparent manner. To this end, data subjects must be informed of how their data is used.
2 - Purpose limitation
Personal data must be collected for specific, explicit, and legitimate purposes. The company must inform the data subject before collecting their data and not go beyond the scope of the initial consent.
If a company wishes to use the data afterwards for other purposes, it must pay particular attention to this new purpose. Here are some things to consider:
- The link between the initial and future purpose;
- The context in which the data is collected;
- The sensitivity of the data (health, scientific research, etc.);
- The impact of this new data processing on the data subject;
- Whether appropriate safeguards are in place.
If the new purpose falls outside the original consent, a new consent will have to be obtained.
3 - Data minimisation
As far as possible, personal data should not be processed at all. Where processing is necessary, the data must be limited to, relevant to and adequate for the purpose.
For example, there is no point in asking a person for their date of birth if it will never actually be used. The GDPR therefore requires that data collection be limited to what is relevant.
4 - Accuracy
Personal data must be accurate and therefore updated when necessary to reflect the current status of the data subjects.
5 - Storage limitation
All data should be stored for a limited period, as short as possible (e.g. project duration). As such, when data are no longer needed for the purposes for which they were collected, they must be deleted or anonymised.
In some cases, data must be legally stored for several years (data of company employees, etc.).
6 - Integrity and confidentiality
Appropriate security measures must be implemented to protect personal data from any form of:
- Falsification;
- Loss;
- Destruction;
- Damage;
- Unauthorised access.
Is the GDPR mandatory in Europe?
The GDPR applies to all companies and organisations that collect, use or process personal data of EU citizens, regardless of their size, activity, or location. The European regulation also applies to processors.
It is important to highlight the fact that an organisation based outside the European Union that processes personal data of EU citizens is obliged to comply with the GDPR. The general services manager has a role to play in enforcing the legislation.
In case of non-compliance with the rules, the European Commission imposes penalties, such as fines of up to £17,500,000 (€20 million) or 4% of the company's annual turnover.
But who is affected by the GDPR? Here is the list of countries where the GDPR applies in Europe:
- France;
- Germany;
- Italy;
- Spain;
- Portugal;
- Netherlands;
- Belgium;
- Luxembourg;
- Denmark;
- Ireland;
- Finland;
- Sweden;
- Austria;
- Greece;
- Croatia;
- Bulgaria;
- Romania;
- Cyprus;
- Czech Republic;
- Estonia;
- Latvia;
- Lithuania;
- Hungary;
- Malta;
- Slovenia;
- Slovakia;
- Poland.
How to communicate about data collection
In the age of digitalisation and artificial intelligence, data-driven decision-making is an integral part of corporate CSR policy. It is therefore important to stress that an organisation has an obligation to explain very clearly to its customers why their data is collected, how it is used and how long it will be stored for.
The following information must be communicated to the individuals whose personal data is being collected:
- Who the business is;
- The purposes of the data collection;
- The categories of personal data involved;
- The legal reason for the collection;
- How long the data will be stored;
- Possible further recipients in Europe;
- Whether the data will be transferred outside the EU;
- Their rights regarding access to a copy of their data and its protection;
- Their right of complaint;
- Their right to withdraw consent at any time.
GDPR in Europe: what are the developments in data protection legislation?
The GDPR in Europe replaces the 1995 Data Protection Directive and aims to strengthen the protection of online privacy. Over the years, the legal framework has had to adapt to keep up with the developments in society and technology, including the rising use of digital technology and the development of e-commerce.
As a result, new regulations have been introduced to strengthen the protection of personal data.
Companies must now notify the supervisory authority in the event of a data privacy breach which is likely to affect the rights and freedoms of data subjects.
A DPO (Data Protection Officer) must be appointed in companies that systematically process sensitive data on a large scale.
The data protection principle must be respected at the design stage (privacy by design).
Companies are no longer required to declare data processing operations to the dedicated national body (except for specific processing). However, they are obliged to keep records of personal data processing to prove their compliance with the EU GDPR in the event of an audit.
As soon as a processor has access to the processing files, the company must draw up a subcontract with that processor setting out the GDPR obligations. This responsibility applies to every processor in the chain.
Citizens have the right to refuse that their personal data be used for commercial prospecting or for automated analysis for classification or prediction purposes (profiling). They can also request to receive the data collected about them (right to data portability).
GDPR in Europe: what is the impact for employees?
The implementation of the GDPR has consequences for the employees of companies, particularly regarding the processing of their personal data. Under the GDPR, companies must inform their employees in a transparent manner about the processing of their personal data, as explained above (purposes of collection, expected retention period and data recipients).
Employees have the right to access their data and to request that it be corrected or deleted if it is inaccurate.
Finally, the GDPR includes measures to protect the personal data of employees, particularly in the event of the transfer of their data to third parties, a data breach or dismissal. These measures aim to ensure that employees' data is treated confidentially and to protect their rights and freedoms.
We invite you to download our "Procurement Policy and CSR" white paper to expand your knowledge of corporate responsibility.