We have provided answers to some of the questions we are commonly asked by our clients.
Who does GDPR apply to?
It applies to both “controllers” and “processors” of personal data. A controller is someone who determines why and how personal data is used, and a processor is someone who acts on the controller’s behalf. If you gather and use the personal data of EU citizens, e.g. customers, clients, suppliers or staff, then GDPR will apply to you. GDPR sets out new requirements for processors and places specific legal obligations on them in relation to keeping records of personal data processing activities and handling data breaches.
What information does GDPR apply to?
GDPR applies to the processing of personal data by either automated or manual means. Automated processing can be either full or partial. Manual processing relates to personal data held in manual filing systems that are structured according to specific criteria. It also includes personal data that is intended to form part of such a manual filing system.
What is the definition of personal data?
Personal data means any information relating to a living individual who can be identified from that information either directly or indirectly. GDPR is very clear that an identifier can include a name, an identification number, location data, an online identifier (for example, an IP address). It also includes identifiers specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual.
Do not forget about sensitive personal data. GDPR now refers to this as “special categories of personal data”. Most of these categories are the same as in the DPA; however, there is now a new category for the processing of genetic or biometric data to uniquely identify an individual. The category for personal data relating to criminal offences has been removed from the “special categories” list but has not been removed from GDPR; it now sits separately in Article 10.
What are the lawful bases for processing personal data?
Before you begin to process someone’s personal data you must identify a lawful basis that allows you to undertake the processing, and document it. If you do not have a lawful basis, the processing is illegal under GDPR.
There are six lawful bases that you can rely on. These are:
Consent – the individual has given you their consent to process their personal data.
Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation – the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests – the processing is necessary to protect someone’s life.
Public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
You need to include the lawful basis and purpose of processing in your privacy notice.
Why do I need a privacy notice?
Having a privacy notice fulfils your transparency obligations under GDPR and provides an individual with all the information they are entitled to under their right to be informed. To find out more about privacy notices, we have written some useful blogs on this particular subject.