Everything you need to know about GDPR
This article covers everything you need to know about GDPR to be able to handle compliance tasks for your company.
The article is for you, who are the internal GDPR responsible and have the responsibility to ensure that your organization is compliant and complies with the General Data Protection Regulation, which came into effect in 2018.
The aim of this article is to provide you with a comprehensive overview of the concepts and legal requirements that you need to be aware of and to ensure that your organization complies with them.
Table of Contents
Background of GDPR
Although it may seem that way, GDPR was not created to increase the amount of paperwork and regulations that need to be followed.
As the use of the internet has become more widespread, the sharing of data across services and platforms has increased exponentially. This has created a need to establish a set of rules for which kind of personal data that can be stored, and how it should be stored.
With the rise of social media, there have been several cases of misuse of personal data over time, especially the Cambridge Analytica scandal in 2018 has increased the focus on how personal data can be processed.
GDPR (General Data Protection Regulation), also known as the Data Protection Regulation or the Personal Data Regulation, is an EU regulation that came into effect on May 25, 2018.
The purpose of the regulation is to promote the protection of individuals with regard to the processing of personal data in the EU.
According to the Data Protection Regulation, all European organizations - both private and public - must first and foremost be able to demonstrate that personal data is being processed in accordance with the rules in this area.
In addition to GDPR, the rules on data protection are also regulated by the Danish Data Protection Act, which implements and supplements GDPR.
You can read the entire regulation or get the main points explained by reading further in this article.
Process for GDPR implementation
When can you process personal data?
When processing personal data, there are 7 basic principles that you must always comply with as a data controller. All GDPR requirements are based on these principles, which is why it is important to have an understanding of them. You should be aware that compliance with these principles does not constitute a legal basis for your organization's processing activities. The legal basis can be found in the other legal provisions of the regulation.
The 7 basic GDPR principles (Article 5):
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimization.
- Storage limitation.
- Integrity and confidentiality.
1. Lawfulness, fairness and transparency.
Processing of personal data must be lawful, meaning that your organization must have a valid legal basis in national or EU law to process personal data. For example, the data subject has given consent to the processing of personal data under Article 6(1)(a) or Article 9(2)(a). The lawfulness principle also requires that the purpose of processing must be lawful.
Fairness means that the data subject's information must be processed in a fair manner. It is not enough that the processing is lawful, it must also be fair to the data subject. Fairness involves protecting the interests of the data subject. This is an expression of the unwritten principle of good data processing practice.
Transparency means that your organization must clearly communicate what, how, and why you are processing the data subject's personal data. The data subject must be made aware of the risks, rights, rules, and guarantees of the processing in a transparent and understandable way. It is important to communicate in a simple and easily understandable language.
2. Purpose limitation
When personal data is collected, the data controller must describe the purposes for which the data is being collected. The data may only be processed for the stated purpose. This means that you may not process the personal data for any other purpose, than the original purpose for which it was collected. The purpose of the processing must be determined prior to the start of the processing activity. The purpose must also be reasonable, which means that the purpose must be legal and within the reasonable scope of your organization. In determining whether a possible disclosure of personal data can be accommodated within the original purpose, the "not incompatible" test under Article 6(4) et seq. of the GDPR and Section 5(2) of the Danish Data Protection Act can be carried out.
3. Data minimization
The collected personal data must be sufficient, relevant, and limited to the purpose of the processing. Therefore, it is important that you do not have more information than necessary to fulfill your purpose.
It is important to ensure that the personal data being processed is accurate. If necessary, the information must be updated, and incorrect data must be updated or deleted immediately.
5. Storage limitation
Personal data must be deleted or anonymized when it is no longer necessary to retain them. If the information is still used for the original purpose, it is not necessary to delete it.
6. Integrity and confidentiality
Personal data must be protected against unauthorized or illegal processing. It must also be ensured that information is not lost or damaged. To ensure this, your organization must have implemented appropriate organizational and technical measures.
The data controller is responsible for ensuring compliance with the GDPR principles mentioned above. It is also important that you can demonstrate that your organization complies with these principles. However, the regulation does not specify how to document compliance. Nevertheless, the regulation sets out some formal requirements for certain documentation, such as Article 28(9), which states that data processing agreements must be in writing and electronic. The same requirement applies to records under Article 30.
What is personal data?
Personal data is any form of information that can be attributed to a specific person.
The following information is identifiable:
- Social security numbers.
- Location data.
- Payment information.
- Medical records.
When it is practically possible to identify a person from the information or in combination with other information, the information can be characterized as "personally identifiable".
There are three categories of personal data in the GDPR:
- Ordinary personal data (non-sensitive information).
- Special categories of personal data (sensitive information).
- Criminal convictions and offenses.
Ordinary personal data (non-sensitive information)
Regular personal data are all the information that are not classified as sensitive personal data. This could for example be:
- Identification information such as name, address, age, and education.
- Economic conditions.
- Family relationships.
- Social problems.
- Application and resume.
Special categories of personal data (sensitive information)
The special categories of personal data are expressly defined in the data protection regulation, and they include information about:
- Race and ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data for the purpose of uniquely identifying a person.
- Health-related information.
- Sexual life or orientation.
Only the information mentioned above constitutes special categories of personal data.
Convictions and criminal offenses
Information about criminal offenses is separately regulated in data protection law. This could be information that a person has committed a certain criminal offense.
The GDPR regulation refers to the need to find a legal basis for the processing of such information in national legislation such as the Danish Data Protection Act.
National identification numberThe GDPR regulation refers to the need to find a legal basis for the processing of CPR numbers or similar information in national legislation such as the Danish Data Protection Act.
What is a processing activity?A processing activity can be translated as a work process in which you handle personal data. It is primarily electronic processing of information that is covered by the rules. Examples may include collection, registration, systematization, storage, search, use, disclosure or deletion of personal information.
Examples of internal processing activities:
- Recruitment and applications.
- HR administration.
Examples of external processing activities:
- Sending newsletters.
- Customer administration.
- Cookie consent.
It may involve processing of both ordinary and sensitive personal data, as well as internal information on employees and external information on customers and suppliers.
Documentation of processing activities
One of the most important requirements in the GDPR legislation is that if your company processes personal data, you must document your processing activities. A processing activity can be seen as a "work process in which personal data is processed".
Documentation of your processing activities aims to comply with the "Principles for processing of personal data", “Keeping a record of processing activities" and "risk assessment of processing activities". Therefore, processing activities can be considered as the foundation for your further work with GDPR.
Registration of processing activities
Registration of processing activities can be done in a static document or in a cloud-based platform where there is an opportunity to work dynamically with the entered information.
Data controller and data processor
What is a data controller?
The regulation defines a data controller as: "A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." The data controller determines the why (the purpose) and how (the means) of the processing of personal data. It is also the data controller's responsibility to ensure that there is a legal basis for the processing and that the rights of the data subjects are observed and respected.
What is a data processor?
The regulation defines a data processor as: "A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." The data processor processes personal data on behalf of the data controller and operates under the responsibility of the data controller. If the data processor acts outside of the instructions (and thus outside of the data processing agreement), they become an independent data controller. However, this does not mean that the original data controller cannot be held accountable to the data subject. It is the data controller's responsibility to monitor the data processor (and the data controller is responsible for what the data processor does).
The data processor is responsible for complying with the data processing agreement with the data controller.
What is a sub-processor?
The data processor has the option to pass on one or more tasks to a sub-processor (subcontractor). The sub-processor has at least the same obligations as the data processor.
The data processor may only use a sub-processor if the data controller has given written approval. Additionally, it is important to emphasize that the sub-processor acts on behalf of the data controller and not on behalf of the data processor. This means that the data processor does not become a data controller for the sub-processor. However, the data processor is responsible for the data protection obligations that the sub-processor has. If the sub-processor does not fulfill these obligations, it is the data processor's responsibility to fulfill these obligations on behalf of the data controller.
It is important that the responsibility is clearly defined in the data processing agreement.
What is a data processing agreement?
It is a legal requirement that as a data controller, you enter into a data processing agreement with all your data processors. The data processing agreement describes how the data processor may process personal data on behalf of the data controller, ensuring that data is processed correctly and securely. The agreement is a legally binding document and must be in writing, including electronically. The agreement must meet certain minimum requirements to be considered valid.
Minimum requirements for the data processing agreement
- The data processor may only process personal data according to documented instructions from the data controller.
- The data processor must ensure that authorized persons who process personal data have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.
- The data processor implements technical and organizational measures to ensure a level of security appropriate to the data controller's risk assessment.
- The data processor complies with the conditions for the use of sub-processors.
- The data processor assists the data controller as far as possible in responding to requests from data subjects, such as for access, erasure or rectification.
- The data processor assists the data controller in ensuring data processing security, notifying the supervisory authority/data subject about breaches of personal data security and preparing impact assessments.
- The data processor deletes or returns the personal data to the data controller upon the data controller's choice.
- The data processor makes all information necessary to demonstrate compliance with the data processing agreement available to the data controller and notifies the data controller if an instruction, in the data processor's opinion, conflicts with the regulation.
The Data Protection Agency provides guidance on how to prepare a data processing agreement. For example, you can use the Data Protection Agency's template to prepare your company's data processing agreement and refer to Article 28(3) of the GDPR for further elaboration.
Supervision of data processors
According to the GDPR legislation, as a data controller, you must supervise that the data processor complies with the data processing agreement. Therefore, it is not sufficient to simply have entered into a data processing agreement. You can read more about supervision of data processors here.
Record of processing activities
Why you need a record of processing activities
One of the most important requirements of the GDPR is that all data controllers and processors must maintain an internal record of processing activities (work processes in which personal data is processed). The record ensure that data controllers and processors have the necessary overview and comply with the rules of the regulation. You must be able to present the record of your processing activities to the Data Protection Authority at any time upon request. The record must be available in writing and electronically, and there are no requirements for the format thereof.
What information should an Article 30 record contain?
The Article 30 record is divided into 30.1 and 30.2, which respectively concern information for data controllers and processors.
Record for data controllers (30.1 record)
All companies that process personal data must create an Article 30.1 record. Here, you are the data controller, which means you are responsible for the data being processed. Therefore, you must prepare an Article 30.1 record of your processing activities if you, for example, process data on employees in connection with payroll. The inventory must contain:
- Name and contact information for the data controller.
- Purpose with the processing.
- Categories of data subjects and categories of personal data.
- Categories of recipients to whom the personal data have been or will be disclosed.
- Transfers of personal data to a third country or an international organization.
- Retention schedules for the various categories of data.
- Description of technical and organizational security measures, if possible.
Inventory for data processors (30.2 record)
Not all companies need to create an Article 30.2 record. The record only needs to be prepared by companies acting as data processors. Being a data processor means that you are not responsible for the personal data being processed, but you process it on behalf of another data controller company.
Examples of typical data processor companies could be an IT supplier or a marketing agency that processes data on behalf of their clients.
*Data processors are also registered on a 30.1 inventory, and all data controller companies must prepare this record. Here, the data processors are registered, while on a 30.2 inventory, the companies that use you as a data processor are registered.
The inventory must contain:
- Name and contact information for the data processor (you as the supplier) and the data controller (the customer) on whose behalf the data processor is acting.
- Categories of processing carried out on behalf of the data controller.
- Transfers to a third country or an international organization.
- Description of technical and organizational security measures, if possible.
When do you need a record?
Almost all companies and organizations need to maintain a record of their processing activities.
Do you need help creating your record?
Learn how the Privacy platform can assist you in keeping your register up-to-date.
Inspection of your data processors
How do I conduct supervision of my data processors?
It is not sufficient to enter into a data processing agreement with your data processors, as a data controller company or authority, you are also obligated to continuously supervise that the data processors comply with the data processing agreement. You must be able to document this supervision at all times to the Danish Data Protection Agency.
How to conduct supervision of your data processors
The Danish Data Protection Agency has established a guidance model that you can rely on when assessing how to supervise your data processors. The model consists of a points scale that can indicate how risky the processing of personal data is. In addition, there are six supervision concepts that gradually place greater demands on the supervision. You can focus on the supervision concept(s) that are relevant to you, based on how many points you have received in the points scale.
Practical use of the scoring scale
The number of points in the scoring scale depends on four parameters defined by the Data Protection Authority:
- The number of people whose personal data is being processed by your data processor.
- Whether your data processor processes special categories of personal data (sensitive data) on your behalf.
- Whether your data processor processes other personal data of a sensitive nature on your behalf.
- Whether the processing of personal data is closely related to the privacy of those involved.
You don't have to do anything unless you become aware that something is wrong with the data processor.
The data processor confirms - preferably in writing - to you that all requirements of the data processing agreement are still being met.
The data processor provides you with an annual written status on matters covered by the data processing agreement and other relevant areas (e.g. organizational or product-related changes), either directly or via its website.
The data processor has a relevant and up-to-date certification or follows a so-called code of conduct that is relevant to your processing activities.
An independent third party has conducted a documented supervision of the data processor in an area that also covers your processing activities.
You yourself - or together with others - carry out a documented supervision of the data processor.
Methods for ongoing supervision of data processors
There are several ways in which you can supervise your data processors, depending on who and how you want the process to be handled.
Who should perform the supervision?
You can choose to take on the task yourself or outsource it to an external partner.
How should the supervision be documented and managed?
You can carry out the supervision in a static document, or you can use a platform for this purpose.
.legal offers to perform the task of supervising your data processors according to the guidelines of the Danish Data Protection Agency. We manage the process and conduct ongoing follow-up with the data processors, so you don't have to take on this heavy and time-consuming task yourself. Our service covers all supervision concepts, and the risk classification can be done directly in the system.
Read more about our Data Processor Audit Service here.