In this article, you will find answers to questions related to personal data.
General questions about personal data:
- What is personal data?
- What is personal data processing?
- What is the legality of personal data processing?
- What is the information obligation of the GDPR?
Tools to process data:
- What is a Register of Processing?
Data processing players:
- What is a processor?
- What is a controller representative?
- What is a third person?
- What is a receiver?
- How do you know which cookies have a lifetime longer than 13 months?
📕 What is personal data?
Any piece of information that makes it possible to identify a natural person, either on its own or combined with other information (phone number, customer number, card number, etc.). It may relate to employees, customers, suppliers, etc.
📕 What is personal data processing?
Personal data processing refers to any operation performed on personal data, even when the data are pseudonymised (collection, use, compilation, etc.), regardless of how many people are concerned, from one person to any number.
📕 What is the legality of personal data processing?
An entity may process personal data only where one of the following conditions (the legal basis of the processing) is met:
- The processing is necessary for the performance of a contract to which the data subject is party, or for pre-contractual measures taken at the data subject's request (for instance a delivery address);
- The processing is necessary to comply with a legal obligation (for instance the social security number for the payslip and the mandatory social declarations);
- The processing is necessary to protect the vital interests of the data subject or of another natural person (for instance the name for a hospitalisation);
- The processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the data controller (for instance the tax situation handled by the tax office);
- The processing is necessary for the legitimate interests of the data controller or of a third person, unless the interests or the fundamental rights and freedoms of the data subject override them (for instance login data used for statistics).
📕 What is the information obligation of the GDPR?
The data controller must communicate the following to the data subject:
- Its identity and contact details.
- The contact details of the Data Protection Officer (DPO).
- The purposes of the processing of the personal data (why the data are collected) and the legal basis of the processing.
- Where applicable, the legitimate interests pursued by the controller or by a third person.
- The receivers of the data.
- Whether it intends to transfer the data to a foreign country (a country outside the European Union) or to an international organisation, together with whether or not an adequacy decision of the Commission exists, or a reference to the appropriate safeguards (such as contractual clauses or an intra-group agreement).
- The retention period of the personal data or, where that is not possible, the criteria used to determine that period.
- The data subject's rights of access, rectification, erasure, restriction of processing, objection and portability.
- The data subject's right to withdraw consent where the processing is based on consent.
- The data subject's right to lodge a complaint with the supervisory authority.
- Whether providing the data is a statutory or contractual requirement (whether it is needed to enter into a contract).
- Whether the processing involves automated decision-making, including profiling, and where applicable meaningful information about the underlying logic and the significance and the intended consequences of the processing for the data subject.
📕 What is a Register of Processing?
Article 30 of the GDPR requires each controller to keep a register of the processing activities carried out under its responsibility. This register must contain the following information (some of which is the same information that must be communicated to data subjects):
- Name and contact details of the processor and, where applicable, of the party co-responsible for the processing, of the processor's representative and of the Data Protection Officer (these are also part of the information obligation under Articles 13 and 14 of the GDPR).
- The purposes of the processing (also part of the information obligation under Articles 13 and 14 of the GDPR).
- A description of the categories of persons concerned and of the data concerned.
- The categories of receivers to whom the data have been or will be communicated, including receivers in foreign countries or international organisations (also part of the information obligation under Articles 13 and 14 of the GDPR).
- Where applicable, transfers of personal data to a foreign country or an international organisation, including the identification of that country or organisation and, for transfers under Article 49(1), second subparagraph, the documents showing that appropriate safeguards exist (also part of the information obligation under Articles 13 and 14 of the GDPR).
- The time limits set for erasing the data (also part of the information obligation under Articles 13 and 14 of the GDPR).
- Where possible, a general description of the technical and organisational security measures referred to in Article 32 (for instance pseudonymisation and encryption of personal data; measures that guarantee the confidentiality, integrity and availability of personal data and the ability to restore access to them within an appropriate time after a physical or technical incident; and a procedure for regularly testing, analysing and evaluating the effectiveness of those technical and organisational measures to ensure the security of the processing).
Each processor's representative shall keep a record of all categories of processing activities carried out on behalf of a controller, containing:
- Name and contact details of the processor and, where applicable, of the party co-responsible for the processing on whose behalf it is acting, and the contact details of the Data Protection Officer.
- The purposes of the processing carried out for each processor.
- Where applicable, transfers of personal data to a foreign country or an international organisation, including the identification of that country or organisation and, for transfers under Article 49(1), second subparagraph, the documents showing that appropriate safeguards exist.
- Where possible, a general description of the technical and organisational security measures.
There are exemptions from these register obligations, in particular for companies with fewer than 250 employees, unless the processing is likely to result in a risk, is not occasional, or includes special categories of personal data (sensitive data).
📕 What is a processor?
The processor is the person who decides the purposes and the means of the processing (how and why the data are used). Joint responsibility is possible when decision-making is shared.
📕 What is a controller representative?
A controller representative is a person acting on the instructions of another party; they take no decisions about how the personal data are used.
📕 What is a third person?
A third person is any natural or legal person, public authority, agency or body other than the data subject, the processor or the controller representative.
📕 What is a receiver?
A receiver is any person who receives or obtains access to personal data, whether a third person or not. There is an exception for public authorities (customs, tax authority, etc.) that receive data in the course of an inquiry: since they are not receivers, they need not be mentioned in the register or in the information provided to data subjects.
⚙️ How do you know which cookies have a lifetime longer than 13 months?
To find out which cookies have a lifetime of more than 13 months, click on "Cookie lifetime" in the compliance report. You will get:
- a list with the name of each cookie;
- its lifetime;
- the name of the domain it is attached to;
- the name of the vendor that dropped the cookie.
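The same 13-month check can also be run directly over the Set-Cookie headers a site returns, which is useful for verifying a report or auditing a staging environment. This is an added example, not code from the product described on this page; the header lines, domains and the reference date are constructed.

```python
"""Flag cookies whose lifetime exceeds 13 months, from raw Set-Cookie headers."""
import calendar
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure",                      # session cookie
    "_ga=GA1.2.111; Max-Age=63072000; Domain=example.test; Path=/",  # 2 years
    "consent=1; Max-Age=15552000; Path=/",                           # 180 days
    "track=xyz; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Domain=ads.example.test",
]

def add_months(ref: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping the day for shorter months."""
    month0 = ref.month - 1 + months
    year, month = ref.year + month0 // 12, month0 % 12 + 1
    day = min(ref.day, calendar.monthrange(year, month)[1])
    return ref.replace(year=year, month=month, day=day)

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into the cookie name and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.lower()] = value.strip()   # flags like HttpOnly map to ""
    return {"name": name, "attrs": attrs}

def expiry(header: str, now: datetime):
    """Absolute expiry of a cookie; None for session cookies. Max-Age wins over Expires."""
    attrs = parse_set_cookie(header)["attrs"]
    if "max-age" in attrs:
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None

def cookies_over_13_months(headers, now: datetime) -> list:
    """Return (name, domain, lifetime in days) for cookies living past 13 calendar months."""
    limit = add_months(now, 13)
    flagged = []
    for h in headers:
        c, exp = parse_set_cookie(h), expiry(h, now)
        if exp is not None and exp > limit:
            flagged.append((c["name"], c["attrs"].get("domain", ""), (exp - now).days))
    return flagged

def audit_sample(now_iso: str = "2025-01-15T00:00:00+00:00") -> list:
    """Run the check over the constructed sample at a fixed reference time."""
    return cookies_over_13_months(SAMPLE_HEADERS, datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for row in cookies_over_13_months(SAMPLE_HEADERS, datetime.now(timezone.utc)):
        print("%s (%s): %d days" % row)
```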