Personal data protection in an accounting office (part 3) - What is the processing of personal data?
The right to privacy and data protection is guaranteed by the Constitution of the Republic of Poland. The principles of data processing and the rights of natural persons whose data is or may be processed are regulated, inter alia, in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR, and in the Act of 10 May 2018 on the Protection of Personal Data (hereinafter: the Act). Let us therefore explain what the processing of personal data is, and who may carry it out and under what circumstances.
Definition of personal data processing
The GDPR uses the term "processing". The definition is anchored in Art. 4(2) and covers any operation performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In practice, data processing should be understood as any operation or set of operations performed on personal data, whether or not by automated means; in an accounting office this most often happens in IT systems (bookkeeping, payroll and HR software, e-mail, cloud storage), but a paper file or a printout is processed just the same.
These include, among others, activities such as: recording, organising, storing, collecting, adapting, modifying, retrieving, disclosing, transmitting, blocking and even destroying the data.
Even performing a one-off operation on personal data may be their processing.
Basic obligations regarding the processing of personal data
The overriding duty of the data controller (both the office and its client-entrepreneur) is to be able to demonstrate that the legal conditions for processing have been met, including the fulfilment of the information obligation and ensuring the quality of the data processed. When performing these activities, the entity processing the data should respect the rights of the data subjects and protect those rights accordingly.
Identification of the nature of the personal data: "ordinary" personal data and sensitive data
Despite the fact that the provisions on the protection of personal data do not directly regulate the division of data into ordinary and sensitive data, the use of such concepts has become established in practice.
"Ordinary" personal data
"Ordinary" personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Examples of "ordinary" personal data:
first name and last name,
e-mail address (not always personal data).
Information will not be treated as identifying a person if identification would require excessive cost, time or effort. Data that is too general to single out an individual is therefore not personal data; for example, "Jan Kowalski, collar size 43" does not identify anyone, because the name is very common and the collar size narrows it down to no particular person.
"Sensitive" personal data
The term "sensitive" personal data refers to a range of information that is particularly important for the protection of privacy. Pursuant to the regulations, this is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed to uniquely identify a natural person, and data concerning a person's health, sex life or sexual orientation.
It is worth noting that the catalogue of this type of data is closed (it is now set out in Art. 9(1) of the GDPR, which replaced the former Art. 27 of the Act). It will be discussed in more detail later in the article.
Information that is culturally perceived as sensitive is not "sensitive" personal data in the legal sense. This applies, inter alia, to age or bank account number; such data is "ordinary" personal data, even though it still has to be protected.
Conditions for processing "ordinary" personal data
Performing operations on personal data is possible provided that at least one of the conditions set out in the GDPR is met. Meeting any one of them (they may also apply jointly) makes the processing lawful.
If handling the data is the exercise of a right or the performance of an obligation arising from the provisions of law, there is no need to additionally ask the person for consent to use the data, or to justify that the processing serves the public interest.
Asking for consent where the processing is needed to perform a contract or a legal obligation (e.g. an accounting services contract) is actually misleading. It suggests freedom of choice, whereas in these circumstances providing the data is a requirement without which the purpose for which the data is obtained could not be achieved; if such "consent" were withdrawn, the processing would still have to continue on its proper legal basis.
According to the law (Art. 6(1) of the GDPR), processing is lawful only if:
- the data subject has consented to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Pursuant to the regulations, consent may also cover future processing, provided that its purpose does not change.
An exception to the rule is processing carried out to protect the vital interests of the data subject. In that case the data may, conditionally, be processed without that person's consent, but no longer than until it becomes possible to obtain consent.
Conditions for processing sensitive personal data
The processing of data subject to special protection is prohibited in principle. This follows directly from the wording of Art. 9(1) of the GDPR.
It is prohibited to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and to process genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning a person's health, sex life or sexual orientation.
However, Art. 9(2) of the GDPR provides for certain exceptions to this rule, allowing such data to be processed if:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
- processing is necessary for the performance of obligations and the exercise of specific rights by the controller or the data subject in the field of labor law, social security and social protection, insofar as this is permitted by Union or Member State law or by collective agreement under the law of a Member State providing for adequate safeguards for the fundamental rights and interests of the data subject;
- processing is necessary to protect the vital interests of the data subject or another natural person, and the data subject is physically or legally incapable of giving consent;
- processing is carried out as part of authorized activities carried out with appropriate safeguards by a foundation, association or other non-profit entity with political, philosophical, religious or trade union purposes, provided that the processing concerns only members or former members of that entity or persons maintaining permanent contact with it in connection with its purposes and that personal data is not disclosed outside this entity without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defense of legal claims or in the course of the administration of justice by courts;
- processing is necessary for reasons of important public interest, on the basis of Union or Member State law, which are proportionate to the aim pursued, do not infringe the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject ;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 3;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1), based on Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Data processing is a fairly broad concept whose scope covers many activities, from the mere collection of data to its actual use. It should be remembered that data may be processed only on a specific legal basis arising from the GDPR, the Act on the Protection of Personal Data and sector-specific provisions, and that the controller must be able to show which basis applies to each processing operation.