Personal data and GDPR can be a difficult nut to crack, but oh so important. In order to feel free when communicating and marketing, you must first and foremost have laid the foundation correctly. This mainly means that you know who to contact, with what message and on what terms. In this post we will therefore tell you everything you need to know about handling personal data in accordance with the GDPR.
What is personal data according to GDPR?
In the digital world we live in, the difference between an email address and a social security number is subtle. Just as only you have your social security number, only you have your e-mail address. Most people quickly think of the social security number as the typical personal data under the GDPR. But since only you own your e-mail address, it also counts as personal data.
What does the GDPR say about personal data?
Personal data is any type of information that can be used to identify a living person, and this also applies to the combination of different data that can identify someone (for example in an analysis).
What personal data is covered by the GDPR?
All kinds of information that can be directly or indirectly linked to a living natural person count as personal data. Picture and sound recordings can also count as personal data if you can see or hear who they are about, even if no names are mentioned. Encrypted or otherwise encoded information is also personal data if someone has a key that can link it to a person.
Examples of information that counts as personal data:
- Email address
- IP number
- Social security number
- Phone number
- Residential address
- Customer number
What doesn’t count as personal information?
Because the consequences of violating the GDPR or handling personal data irresponsibly can be severe, companies usually err on the side of caution. But there is of course information that does not count as sensitive personal data, for example:
- organization number (except in the case of a sole proprietorship, in which case it is considered personal data)
- e-mail addresses such as info@företag.se.
Important regarding personal data
What does your company need to keep in mind when it comes to personal information?
- Find out and document what personal data you collect today and justify why you collect it.
- Make sure you can handle all the new rights (e.g. the right to be forgotten).
- Clean up your database and throw away old data that is no longer used, active or valid.
Almost all companies have a database that contains contact information for customers, prospects, leads or newsletter subscribers. If that database contains names, e-mail addresses or telephone numbers, it means that this information has been processed at some point.
How your company processes personal data is an important part of the new data protection regulation, and below we try to explain what this means:
According to the GDPR, “processing of personal data” means almost everything that is done with personal data, except to communicate.
If you have contact information for customers in Rule, it has been processed at some point. It will be a requirement that there is someone responsible who can ensure that the processing itself takes place in the right way.
Here are some examples of what counts as personal data processing according to the GDPR:
- Sending an email address to one or more of your systems.
- Automatically analyzing and adding further information based on the information you already have (also called “populating”).
- Dividing personal data into groups / segments to limit or allow certain communication.
- Exporting an Excel file in order to manually add names, phone numbers or the like.
There is also a law called the Personal Data Act, so how does the GDPR relate to it? The GDPR states that companies must be able to show what they intend to do with the personal data that is collected, saved or registered. The Personal Data Act (PUL) is more about what is done with the information once it has been collected or registered.
What your company should think about regarding GDPR and personal data
In order for your company to be allowed to process personal data, there must be a legal basis that allows the processing. There are really only 3 points that your company needs to keep track of in order to collect new leads and email addresses according to the new data protection regulation:
- Consent – The data subject has given their consent for their personal data to be processed for one or more specific purposes.
- Agreement – The processing is necessary to fulfill an agreement to which the data subject is a party, or to take steps at the data subject's request before entering into such an agreement.
- Legitimate interest – Personal data may be processed in certain other situations listed by law. If the processing is necessary and the data controller considers that it cannot violate the data subject's privacy, it is permitted. In other words, it is a judgment call by the data controller, and if the processing can in any way lead to a violation of the data subject's privacy, there may be heavy fines or other consequences for the company in question.
Sensitive personal data according to GDPR
So, what GDPR sensitive personal data should you really be aware of?
We list them below:
- ethnic origin
- political opinions
- religious or philosophical belief
- membership in a trade union
- a person’s sexual life or sexual orientation
- genetic data
- biometric data used to uniquely identify a person
Is it allowed to email personal data according to the GDPR?
The same assessment should be made for the processing of personal data in e-mail as for the processing of personal data in any other system. The recommendations that IMY (the Swedish Authority for Privacy Protection) publishes on its website are as follows:
- When you have received and read the e-mail, assess whether the information should be retained and, if so, where it should be done to meet the requirements that apply to this particular information.
- Do not send sensitive personal data in unprotected e-mail.
- Inform everyone in your organization about the rules and routines for how you process personal data in your organization. Also make sure that the routines are kept alive.
Disclosing personal data to third parties under the GDPR
There is a legal basis called balancing of interests, which means that you as a company may in certain cases process personal data. This applies if your interests outweigh those of the data subject and if the processing of personal data is necessary for the purpose. When you have a balance of interests as a legal basis, you may disclose personal data to third parties, i.e. to a recipient who has a legitimate interest. But before you hand over the information, you should find out three simple but important things:
- why they want the personal data
- what they are to use the personal data for
- and if they really need them
Once you have provided the personal data, you must also be able to justify your disclosure. It is then the responsibility of the third party to justify the legal basis on which they themselves rely for the processing.
What personal data may be stored?
How can you store data in accordance with the GDPR, and for how long may you store personal data? Personal data may be stored for as long as it is needed for the purpose of the processing. According to the GDPR, you must delete personal data you have stored when it is no longer needed for that specific purpose. At that point it is time to delete or de-identify it.