There are 6 possible bases:
Necessary for the performance of an agreement
Personal data is often required for the execution of the agreement. For example, think of web shops that need the name and address of a customer in order to be able to send the right products to the right person and the desired address.
Also read: The GDPR points of attention for digital marketers
Legal obligation
For example, the legal obligation may apply because you have to keep some invoice data for the tax authorities.
Legitimate interest
A legitimate interest can be a business interest, for example for statistics or to attract customers. With this basis, a balance must always be struck between the interest of the controller (usually the company) and the interests and fundamental rights of the data subject. In other words, processing personal data on this basis may not infringe too much on the privacy interests of the data subject.
Permission
The last possible basis is that of consent. But beware: consent can also be withdrawn, so using this basis is not preferred. After all, the basis may not be changed. Once you have used 'consent' as a basis, the legal obligation or other basis cannot be used after the consent has been withdrawn.
The basis of general interest can actually only be used by (semi-)government, in certain cases. Vital interests of the person concerned is also not a valid basis for most organizations. This interest can be used, for example, if a person is treated in a hospital after an accident. Then it is in the interest of the person concerned that the hospital registers the personal data properly.
Goals are not set in law. They may be determined by yourself. It is important that you inform the person concerned (via the privacy statement ) about the goal and that the data is only used for that goal.
4. Business cards
What is the value of a business card in the context of the GDPR? What does it actually mean? You have a business card to give to others, so that they can contact you. It is therefore always permission to contact that person. You need that to prevent yourself from being a spammer. For spam we have the Telecommunications Act, which will be replaced by the ePrivacy Regulation in 2019. The GDPR only concerns the processing of personal data.
Do you get a business card? Then you can also include it in your address file. You are not allowed to send this person newsletters or other commercial messages just yet. These people must be able to know what you do with their data. It is a bit difficult to share all the information with them when you receive that business card. switzerland whatsapp number Therefore, make sure that you make that information available via a privacy statement that you can send during the first email contact or to which you can refer with a link.
5. Who needs processing agreements?
A processing agreement regulates, among other things, what the processor must comply with and who is responsible and liable for what.
You may not always realize it, but for many things that happen on a computer with personal data, third-party services are used. Is everything in the cloud ? Then another company probably offers that server space. They will not do anything with that personal data that you do not want (they probably will not even look at it), but they do 'process' it by storing it for you on a server. Many services that also offer storage, for example a lot of online software, are also processors.
You need to conclude processor agreements with all these parties. Both the controller and the processor must ensure that this agreement is in place. One does not necessarily have a greater obligation in this than the other, although as a controller you do of course have a greater responsibility for the personal data itself. The more control you want to have over the agreements and the more you want to reduce liability, the better it is to draw one up yourself (or have it drawn up) and offer it to the other party.
General interest and vital interests
-
- Posts: 25
- Joined: Sun Dec 22, 2024 3:18 am