An introduction to GDPR and why personal data processing is something that all companies should keep track of.
GDPR was the word on many people’s lips in 2018 when the EU’s new General Data Protection Regulation (GDPR) began to apply. Many people will certainly remember how their inbox was full of email messages from companies wanting to inform them about how their personal data was being processed. Some people would certainly have wondered how it was possible for their personal data to be in so many different places. GDPR may not be such a hot topic of conversation today, but it is still important for companies to keep up to date and review their personal data processing.
In a digital era, where information is an invaluable asset but privacy is at the centre of public debate, companies face an increasingly complex task: that of navigating laws and regulations governing the processing of personal data. For many companies, this can seem like an overwhelming task. However, taking data protection work seriously and implementing security procedures to ensure compliance with relevant data protection laws not only serves as protection for the business and prevention when it comes to avoiding penalty fees, but also in many cases strengthens customers’ confidence in the company.
WHAT IS THE PURPOSE OF THE GDPR?
The General Data Protection Regulation, commonly abbreviated to GDPR, is an all-embracing regulation that governs processing of personal data throughout the European Union. The GDPR aims to create common legislation that ensures individuals’ right to protection of their private life and guarantees responsible, transparent processing of personal data within the Union.
The stringent requirements imposed by GDPR on organisations and companies that process personal data serve to protect personal privacy in the digital sphere we inhabit nowadays. This means that companies must implement structured processes and security measures to ensure that the processing of personal data complies with the requirements set out in the Regulation. Companies and organisations are not only required to process and store personal data in a secure manner, they are also expected, for example, to inform individuals of the purpose and circumstances of the processing.
What counts as personal data?
Most people are aware that the GDPR applies to the processing of personal data. Nor does the fact that personal data consists of names, personal identity numbers and addresses come as any surprise. However, what personal data actually consists of is not always obvious and it can often consist of significantly more data than many people would initially think.
Personal data consists of all kinds of information that may be directly or indirectly linked to a living person. The requirement that it must be possible for the data to be linked to a natural person therefore means that the GDPR does not provide any protection for data on legal entities such as a company. However, a corporate identity number for a sole proprietorship constitutes personal data because the number is linked to the natural person. The GDPR only applies to living persons and therefore does not protect any data on deceased persons.
Examples of data that may constitute personal data include IP addresses, telephone numbers, photographic and video materials, audio recordings, membership of a political party, health data and information on religious or philosophical beliefs. There is a long list of what can constitute personal data and the decisive factor is whether the data can be linked, directly or indirectly, to a person. Even if a particular item of information could not be used to identify a person by itself, it can be considered to constitute personal data if it is possible for the person to be identified when it is used with other data. For example, it has been established in England that the name of a pet can be considered to constitute personal data relating to the pet’s owner since it could identify a person under certain circumstances.
Personal data that is encrypted or encoded also constitutes personal data if there is a key that makes it possible for the data to be linked to a person. As long as it is hypothetically possible to identify a person, the data constitutes personal data. That means that more data constitutes personal data than most people think.
There are certain types of personal data that are considered as what is referred to as “sensitive personal data”. Examples of sensitive personal data include data on ethnic origin, political views, health and sexual orientation. As a general rule, processing of sensitive personal data is prohibited, but there are exceptions to that prohibition. When processing sensitive personal data, the so-called “personal data controller” must implement security measures at a higher level than is required for personal data that is not classified as sensitive.
Consequently, there are many types of data that may constitute personal data. The company that is the personal data controller should therefore be observant as soon as data that has to do with a natural person is processed because the GDPR applies as soon as processing of the personal data starts.
Who is the personal data controller?
According to the GDPR, there are certain defined operators who have different responsibilities for the processing of personal data. One such operator is the personal data controller. In general terms, it is the company that chooses to process personal data that is the data controller for this so-called “processing of personal data”. The data controller decides what personal data is to be processed and the purposes for which it is to be used. A company normally designates one or more employees to be responsible for data protection within the organisation. Nevertheless, responsibility as data controller lies with the company and the data controller is therefore not the manager of a workplace or an employee. In this article, the use of the term “data controller” refers to a company, even though natural persons may also be data controllers in certain cases.
The data controller may engage a personal data processor to assist it. The data processor processes personal data on behalf of the data controller and on its instructions. The data processor therefore has no influence on what personal data is collected and the purpose for which it is to be used. The fact that the data controller engages a data processor does not mean that the responsibility as data controller has been transferred to the data processor.
Possible examples of a data processor include an external IT supplier which, by supplying IT systems and storing data, will process the personal data processed by its customer. It is not required for the data processor to actually process the data that it accesses. The fact that the data processor stores it on its servers may be sufficient for a processing relationship to arise. Storing the data on behalf of the data controller involves processing personal data.
The individual whose data is processed by a data controller and in some cases by a data processor is known as the data subject.
What does processing of personal data involve?
Compliance with the rules of the GDPR is required when the data controller processes personal data. The term “processing of personal data” includes, in principle, everything that can be done with personal data. It can consist, for example, of registering it, issuing it, collecting it, storing it or erasing it. The starting point for the activity should therefore be that processing takes place as soon as personal data is handled in any way. It is extremely rare for a company not to process personal data in any way since, in principle, any contact with personal data involves processing.
Basic principles in order for processing of personal data to be lawful
When processing personal data, the company must bear the basic principles of the GDPR in mind at all times. Those principles form the core of the Regulation and establish the overall framework for what constitutes lawful processing of personal data. The principles may be summarised as follows:
- In order to guarantee correct lawful processing of personal data, the data controller must confine the collection to specific purposes and limit the amount of personal data processed.
- Only personal data that is necessary for the specific purpose may be processed and the company must not process superfluous data.
- When the data is no longer necessary for the original purposes for which it was collected, it must, as a starting point, be deleted because personal data may not be stored for longer than is necessary.
- The data controller must make sure to protect the personal data and implement security measures in order to prevent unauthorised access to the data.
- The data controller needs to be able to demonstrate compliance with the GDPR, which means that it is important to produce documented processes and procedures to enable regulatory compliance to be proved and guaranteed.
Another fundamental principle that the data controller needs to take into consideration before the processing of personal data begins is the fact that there needs to be a legal basis for the processing.
What does a legal basis for processing personal data mean?
In order for a company to be permitted to process personal data at all, there needs to be a legal basis for the processing. Without any such legal basis, the processing of personal data is not lawful, even if it complies with the principles set out above. There are six legal bases under the GDPR. They are as follows:
The data subject has consented to the processing of personal data.
- Agreement with the data subject
The processing is necessary because the data subject has entered into or will enter into an agreement with the data controller, for example.
- Legal obligation
The processing is necessary because laws or rules stipulate that the data controller must process certain personal data.
- Protection of fundamental interests
The processing is necessary to protect a data subject in situations where he or she is unable to give consent to the processing.
- Exercise of public authority and tasks in the public interest
The personal data needs to be processed in order to carry out a task in the exercise of public authority or in the public interest.
- Balancing of interests
The data controller’s interest in processing the data outweighs the data subject’s interest in not having their data processed.
The legal basis that is appropriate for supporting the processing depends on who the data controller is and the purpose of the processing. The type of data subject in question can also be a factor in the choice of legal basis, e.g. employees are rarely considered to be able to give valid consent to the employer’s personal data processing since the power relationship between the parties is considered to be far too unequal. In addition, there is a certain difference between private businesses and public authorities when it comes to the legal bases they are able to use to support their processing.
The data subjects must receive information on which legal basis the data controller uses to support its processing of personal data and it is therefore important to determine the legal basis before the processing of personal data begins. The decision to choose a particular legal basis and the controller’s reasoning when choosing the legal basis should be documented.
Balancing of interests is a legal basis that is often used by private operators. A company may, for example, have a legitimate interest in processing its customers’ email addresses to enable it to send out newsletters by email and thus market its products. The company’s assessment may have been that its interest in marketing its products outweighs the individual’s interest in not receiving an advertising email. A legal basis is required for each specific purpose for which the personal data is processed. If the company intends to use its customers’ email addresses for purposes other than marketing, that purpose must therefore also be supported by a legal basis in order for the processing to be lawful.
Consent is a legal basis that is often misused. Using consent as a legal basis for processing personal data should often be avoided as far as possible. Only if the processing of personal data cannot be supported on any of the other five bases should the use of consent from the data subject as a legal basis be considered. The reason for this is as follows.
Companies that process personal data often consider themselves to have obtained consent for processing as long as the customers have provided their data voluntarily. However, it is not sufficient for the data subject to have accepted or voluntarily provided their data in order for valid consent to be considered to exist. Consent is probably misused in many cases because there is a discrepancy between the concept of consent as used in an everyday context and the concept of consent under the GDPR.
Specific requirements must be met in order for valid consent under the GDPR to exist. Consent must be voluntary and must be preceded by information on the processing and it must be just as easy for a data subject to withdraw consent as it is to give it. That means that companies that use consent often need to have easily-accessible forms that make it easy for data subjects to withdraw their consent. If the data subject withdraws his or her consent, all processing of the personal data that takes place on the basis of the consent also needs to cease, which can cause major problems if, for example, the company needs the data subject’s data to enable it to deliver a product or for its accounts. For these reasons, it is more appropriate for the data controller to use a legal basis other than consent to support its processing of the personal data if possible.
The data subject’s rights
Withdrawing consent to processing of personal data, which obliges the data controller to cease the processing, is one of the rights that data subjects have under the GDPR. Data subjects have a number of other rights, including:
- Data subjects have a right to access what data is processed by the data controller.
- Data subjects have a right to have their data corrected if it is inaccurate.
- In some cases, data subjects also have a right to require the data controller to erase the data. However, the right to erasure is not absolute and there are situations in which a data controller may continue to process data despite the fact that the data subject has requested erasure of it.
- Data subjects also have a right to receive information on how the personal data is processed, which means that the data controller has an obligation to provide the data subjects with information on the processing. It was data subjects’ right to information that led to the large-scale email information mailings when the GDPR began to be applied in 2018.
The data subject’s right to information on the processing of personal data
The fact that the data subject has a right to obtain information as to whether his or her personal data is being processed implies, conversely, an obligation for the data controller to be able to provide the data subject with that information. The information must clarify aspects including what personal data the company processes, the purposes for which it is processed, what legal basis the company uses to support its processing and how long the data will be processed for.
WHY IS IT IMPORTANT TO COMPLY WITH THE GDPR?
There are many reasons why it is important to comply with the requirements of the GDPR. The fact that a company protects the personal privacy of its customers and partners is not just a means of creating goodwill for the business, it also reduces the risks of needing to pay penalty fees for non-compliance with the GDPR.
Penalty fees for non-compliance with the rules of the GDPR can, for private businesses, amount to EUR 20 million or four per cent of the group’s global annual total sales, whichever is higher. In 2022, a Swedish ruling against Google gained legal force, which meant that a penalty fee of SEK 50 million was imposed on the company for violating the right to have search results removed in its processing of personal data.
A data subject who feels that his or her personal data has been processed incorrectly has a right to file a complaint with the Swedish Privacy Protection Authority [Integritetsskyddsmyndigheten (IMY), which is the Swedish supervisory authority authorised to initiate inspections of companies in order to check compliance with the GDPR. The IMY is also an authority with the power to make decisions on the imposition of penalty fees. The IMY carries out complaint-based supervision, which means that every complaint received from an individual must be assessed and can lead to an inspection and penalty fees. The IMY’s decisions can be appealed before the Administrative Court.
The IMY launched an e-service in 2023 that enables individuals to submit complaints on the IMY website. The service was designed to manage the inflow of complaints to the authority in an efficient manner. The IMY’s latest annual report shows that the authority dealt with approximately 15,800 national cases in 2022, approximately 2,400 of which related to complaints from individuals. The resources allocated to inspections have more than doubled in comparison with previous years. Since the GDPR began to apply, the IMY has more than doubled its workforce and prior to 2023 the authority announced that it intends to recruit an additional 50 new employees.
In view of this, it may be noted that the IMY’s ability to initiate more inspection cases will increase. At the same time, it will be easier for individuals to file complaints through the new e-service launched during the year. Since the authority has an obligation to assess all the complaints it receives, it is extremely important for businesses to try and prevent the occurrence of complaints. Ways of doing this include ensuring that relevant, up-to-date information on their personal data processing is available to persons whose personal data is processed by the company.
Although the risk of penalty fees can provide a powerful incentive for companies to comply with the GDPR, it may not be the argument that weighs most heavily for all companies. Continuous work on data protection in the business and protecting the personal privacy of customers and others with whom the company comes into contact has in many cases proved to be profitable in business terms. The company gains the trust of customers and others if the data subjects feel safe with how their personal data is processed. On the contrary, it can be very damaging for a company that fails to take privacy issues seriously enough. An incident in which personal data has leaked or has otherwise been processed incorrectly risks destroying trust in the brand and it is not unusual for reports of such incidents to receive a lot of attention in the media. Avoiding reputational damage is therefore yet another reason for ensuring that the company’s personal data processing takes place in accordance with applicable laws.
The GDPR can be seen by many as a complex Regulation that is difficult to understand. But we should state that its importance is increasing with each passing day. An increasing number of private individuals are aware of their rights under the Regulation and it is not unusual for data subjects to impose requirements on the companies that process their personal data. It is clear that a conscientious approach to personal data processing can increase a company’s goodwill. However, processing personal data correctly can also save the company from needing to pay large sums in penalty fees.
At a time when more private individuals are aware of their rights, where the IMY has launched a service that makes it easier to file complaints and the IMY is investigating more cases than ever, companies that do not already have their personal data processing in order should therefore make sure to take data protection work seriously and ensure that the business has adequate protection for the personal data that is processed.
Finally, it must be said that the above is only an overall summary of some issues relating to the GDPR. This article does not therefore constitute legal advice in an individual case.
About the author of the article
Ida Hjorth is a member of the Lindahl specialist GDPR and Data Protection team. Questions about GDPR? Contact Ida. At Lindahl, we have extensive experience of data protection work.