What is meant by the processing of personal data? What does the GDPR tell us about the processing of personal data? Can we process any personal data? What obligations must we take into account when processing personal data?
What is meant by the processing of personal data?
The processing of personal data is understood to mean any operation or set of operations carried out on personal data or sets of personal data, whether by automated or non-automated means, such as the collection, storage or modification of said data, as long as the data are part of a filing system or structured file.
Types of personal data processing
Among the types of processing of personal data, we find the following (although it is not a complete or exhaustive list, they are the most common treatments):
- Adaptation or modification
- Communication by transmission
- Dissemination or any other way of allowing access to them
- Comparison or interconnection
Therefore, any action that we carry out on personal data is considered personal data processing, whether the processing is automated or non-automated, as long as the data are later included in a filing system or structured file that can be accessed.
Examples of personal data processing
Here are some examples of personal data processing:
- Management of payroll
- Creation of a list of subscribers to a web page
- Posting images on online sites
- Recording of images through video surveillance cameras
- Queries to personal databases
- Creation of an email list to send commercial information
- Registration and storage of biometric data by an application
What law regulates the processing of personal data?
The processing of personal data is regulated in the:
- GDPR (General Data Protection Regulation), which establishes the general regulatory framework for the entire EU and the EEA (European Economic Area) and has been in force since 2016.
- LOPDGDD (Organic Law on Data Protection and Guarantee of Digital Rights), the law that introduces and adapts the GDPR to the Spanish legal system, in force since 2018.
It is essential to point out that by complying with this law, the GDPR is also complied with, since its content is essentially the same, with some modifications and extensions. This is because the GDPR leaves the door open for each Member State to legislate its most general aspects in accordance with its own legislation.
What are the principles of personal data processing?
The GDPR and the LOPDGDD establish a series of principles related to the processing of personal data, which both the person responsible for the processing of personal data and the person in charge must take into account when initiating any processing activity.
Briefly, these principles are:
- Personal data will be processed in a lawful, fair and transparent manner in relation to the owners of the data (interested parties).
- Personal data must be collected for a specific, explicit and legitimate purpose; once the purpose of the processing has been fulfilled, they may not continue to be processed.
- The personal data will be adequate, pertinent and limited in relation to the purpose for which they will be processed.
- The personal data will be accurate and, when necessary, will be updated (either by deletion or rectification).
- Personal data will only be kept for the time needed to fulfil the purposes of the treatment.
- The treatment must always guarantee adequate security, protecting the data from unauthorized treatment, data loss, destruction or accidental damage.
- Those responsible and in charge of the treatment will be subject to the duty of confidentiality, which will be maintained even once the relationship between the interested parties has ended.
When is it lawful to process personal data?
Those responsible and in charge will have legitimacy for the processing of personal data when at least one of the following situations is fulfilled:
- The data owners consent to the treatment for one or more specific purposes. That consent must be unequivocal and explicit (that is, it requires positive action from the interested parties).
- The treatment is necessary to comply with the execution of a contract between the owner of the data and the person in charge of the treatment.
- Processing is necessary to comply with a legal obligation applicable to the controller.
- The processing is necessary to protect the vital interests of the data subject or another natural person.
- The treatment is necessary to fulfil a mission in the public interest or the exercise of general powers conferred on the controller.
- The treatment is necessary to satisfy the legitimate interests pursued by the person in charge of the treatment or by a third party.
Is the express consent of the interested parties mandatory to process their data?
Yes, we must always obtain the express consent of the interested parties to process their data unless the treatment is legitimized for any of the reasons seen in the previous point, in which case the owners of the data must be informed, among other things, that their data will be processed and of the purpose of such processing.
Is there personal data that cannot be processed?
Yes, there are personal data that cannot be processed unless the exceptions established in the GDPR are met. Specifically, personal data referring to:
- Ethnic or racial origin
- Political views
- Religious or philosophical convictions
- Union membership
- Genetic data
- Biometric data, whose purpose is the unequivocal identification of a natural person
- Health data
- Data relating to sex life or sexual orientation
The exceptions established by the GDPR for the treatment of this particular category of data are found in article 9.2:
- The interested party has given their explicit consent for processing this data.
- The treatment is necessary to comply with the obligations and the exercise of specific rights of the person in charge or of the interested party within the scope of labour law and social security and protection.
- The processing is necessary to protect the vital interests of the interested party or another natural person if the interested party is not physically or legally capable of giving consent.
- The treatment is carried out within the legitimate activities, and with the due guarantees, of a foundation, association or any non-profit organization whose purpose is political, philosophical, religious or union, provided that the treatment refers to current or past members who still maintain regular contact.
- The treatment is carried out on data that the interested party has made public.
- The treatment is necessary for the formulation, exercise or defence of claims or when the courts act in the practice of their judicial function.
- Processing is necessary for reasons of vital public interest.
- The treatment is required for preventive or occupational medicine, evaluation of the worker’s work capacity, medical diagnosis, provision of health or social care or treatment, or management of health and social care systems and services.
- The treatment is necessary for public interest in the health field, such as protection against serious cross-border threats to health or to guarantee high levels of quality and safety of healthcare and medicines or medical devices.
- The treatment is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (according to the provisions of article 89)
It should be noted regarding consent that the LOPDGDD establishes that, to process this data, the mere consent of the interested party will not be sufficient, and it will be necessary for there to be a legal basis that legitimizes said treatment.
In addition, although the data of minors can be processed, when they are under 14 years of age (according to the LOPDGDD) it will be necessary to obtain the consent of their parents or legal guardians to carry out the treatment.