How do I make sure I comply with personal data protection rules?

Your online customers may well provide you with their name, address, bank or credit card details without much thought, but you, as an online trader, must protect their personal data from misuse and respect their right to privacy in the processing of that data.

Personal data is defined as information relating to an identified or identifiable individual (referred to as a ‘data subject’).

Examples of personal data that can be used to identify an individual are: name, gender, an identification number, credit card number, contact information (address, phone number, e-mail, etc.), age and date of birth, security registration number, tax registration number, language spoken, and biometric data (e.g. fingerprints or DNA).

Certain types of personal data fall into a category known as sensitive data, i.e. categories of data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information on health or sex life. You may not process sensitive data unless you have explicit consent from the data subject (“opt-in”).

“Processing” means any operation performed on personal data, including by automated means, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Follow Data Protection requirements regarding data collecting entities

On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force; the GDPR constitutes a major reform of EU data protection rules and effectively replaces the Data Protection Directive 95/46. All you need to know about the rules for businesses and organisations can be found on the European Commission website on the reform of EU data protection rules.

The GDPR rules apply not only when you are established in, or operate within, the EU, but also when you process personal data of EU data subjects from outside the EU.

Under EU data protection rules, you are considered to be a data controller if you are the person (either alone or jointly) who determines why (i.e. the purposes) and how (i.e. the means) your customers’ personal data are processed.

If you are the person processing personal data on behalf of the data controller (e.g. as a cloud provider, a market research company or a payroll company), you are considered to be a data processor.

In addition to gaining the trust of your customers, data collecting entities are obliged to:

•    Ensure that data is collected fairly and transparently, and that customers are properly informed of the specific processing of personal data you carry out;
•    Collect and process personal data only if the purpose is legitimate, that is, if it is needed (e.g. for a contract);
•    Respect certain obligations in relation to the processing of personal data. Among others, you can only process personal data on behalf of a controller if a written contract is in place which imposes a number of mandatory terms on the data processor, as set out in the GDPR. Processors must also maintain records of data processing activities and make them available upon request to the supervisory authority. You must ensure that your data subjects can access, rectify, remove or block incorrect data about themselves, and that personal data are not kept any longer than strictly necessary;
•    Respond to complaints received regarding data processing operations;
•    Collaborate with national data protection supervisory authorities, who are responsible for monitoring your compliance with national data protection laws and for hearing claims lodged by individuals about the processing of their personal data.

Note that you remain legally responsible if someone who works for you discloses personal data in breach of data protection legislation.

Notify your customers

You are obliged to inform your customers if you are processing personal data. For this purpose, you should publish a privacy notice on your website “in an intelligible form, using clear and plain language”.

As the data collecting entity, you should provide at least the following information:

•    The full name of your company, entity or yourself (as the data controller);
•    Your contact details;
•    A description of the purposes for which data will be used;
•    The place of the processing operation;
•    A description of the persons, public authorities, agencies or any other bodies to whom data might be disclosed;
•    How individuals can consult their personal data and exercise their rights in relation to it (e.g. how to access, rectify and delete personal data), as well as how they can object to the use of their data for direct marketing.

A privacy notice may also include additional details, such as how long personal data will be retained, how personal data is safeguarded, etc.

Austria: Complete the notification via the Österreichische Datenschutzbehörde website before starting the processing activity.
Belgium: Complete the notification via the Commission for the protection of privacy website before starting the processing activity.
Bulgaria: Complete the notification via the Commission for Personal Data Protection website before starting the processing activity.
Croatia: Complete the notification via the Croatian Personal Data Protection Agency website before starting the processing activity.
Cyprus: Complete the notification via the Commissioner for Personal Data Protection website before starting the processing activity.
Czech Republic: Complete the notification via The Office for Personal Data Protection website before starting the processing activity.
Denmark: Complete the notification via the Datatilsynet website before starting the processing activity.
Estonia: Complete the notification via the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) website before starting the processing activity.
Finland: Complete the notification via the Office of the Data Protection website before starting the processing activity.
France: Complete the notification via the Commission Nationale de l'Informatique et des Libertés website before starting the processing activity.
Germany: Complete the notification via the Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit website before starting the processing activity.
Greece: Complete the notification via the Hellenic Data Protection Authority website before starting the processing activity.
Hungary: Complete the notification via the Data Protection Commissioner of Hungary website before starting the processing activity.
Ireland: Complete the notification via the Data Protection Commissioner website before starting the processing activity.
Italy: Complete the notification via the Garante per la protezione dei dati personali website before starting the processing activity.
Latvia: Complete the notification via the Data State Inspectorate website before starting the processing activity.
Lithuania: Complete the notification via the State Data Protection website before starting the processing activity.
Luxembourg: Complete the notification via the Commission nationale pour la protection des données website before starting the processing activity.
Malta: Complete the notification via the Office of the Information and Data Protection Commissioner website before starting the processing activity.
Netherlands: Complete the notification via the College bescherming persoonsgegevens (Dutch Data Protection Authority) website before starting the processing activity.
Poland: Complete the notification via The Bureau of the Inspector General for the Protection of Personal Data website before starting the processing activity.
Portugal: Complete the notification via the Comissão Nacional de Protecção de Dados website before starting the processing activity.
Romania: Complete the notification via The National Supervisory Authority for Personal Data Processing website before starting the processing activity.
Slovakia: Complete the notification via the Office for Personal Data Protection of the Slovak Republic website before starting the processing activity.
Slovenia: Complete the notification via the Information Commissioner website before starting the processing activity.
Spain: Complete the notification via the Agencia de Protección de Datos website before starting the processing activity.
Sweden: Complete the notification via the Datainspektionen website before starting the processing activity.
United Kingdom: Complete the notification via The Office of the Information Commissioner Executive Department website before starting the processing activity.

Sources of information

Follow Personal Data Protection requirements

•    European Union Agency for Fundamental Rights and Council of Europe (2014), Handbook on European Data Protection Law
•    EU Data Protection Directive (Directive 95/46/EC)
•    Data Protection Directive: http://ec.europa.eu/justice/data-protection/index_en.htm
•    EC Justice (2014), Protection of Personal Data, available at http://ec.europa.eu/justice/data-protection/index_en.htm
•    EC Justice, Article 29 Working Party, available at http://ec.europa.eu/justice/data-protection/article-29/index_en.htm

Declare to the national authority

•    EU Data Protection Directive (Directive 95/46/EC)

Notify your customers on your website

•    European Union Agency for Fundamental Rights and Council of Europe (2014), Handbook on European Data Protection Law
•    EU Data Protection Directive (Directive 95/46/EC), Article 10

Country specifics

Suggested country specifics to be covered:

National Data protection authority

Questions:

•    Do you agree that the above list of country-specific elements is relevant to the audience of European Digital Entrepreneurs?
•    Do you have suggestions for country-specific elements other than those above that are relevant to the audience of European Digital Entrepreneurs?
•    What sources of information can you provide as input for describing the country specifics?