A second example in recital 43 of the GDPR is a situation in which separate consent cannot be given to different data processing operations even though that would be appropriate in the individual case, or in which the performance of a contract or the provision of a service is made dependent on consent even though consent is not necessary for that performance. This introduces a second concept in the context of freely given consent: conditionality. Second, a look at informed consent, which, as we have already mentioned, overlaps with both freely given and specific consent, but is also listed as an element of valid consent in its own right. The processing of sensitive data is prohibited by default and can only take place in the specific circumstances described in the GDPR, so a general recommendation is to avoid processing such data altogether. If this is not possible, seek legal advice to find a solution that provides a legal basis for processing this data. It is essential to inform data subjects before obtaining their consent so that they can make an informed decision, understand what they are agreeing to and, for example, exercise their right to withdraw their consent (WP29 Consent Policy).

The right to data portability is free of charge. Is a bank obliged to provide me with information free of charge? Yes, it is required to provide you with the information free of charge.

Who regulates or controls the wording of the document on the processing of personal data? There is no specific, regulated wording for consent. You can refer to the EU's recommendations on language or, preferably, contact a law firm that provides consulting services.

Who exactly does the GDPR apply to? What about an online store that has only 2 employees but processes the data of hundreds of customers? Any online store that processes customers' personal data must comply with the GDPR. In principle, any organization with at least 1 employee processes its employees' personal data and must therefore also protect that data.

Do employment agencies have to appoint a Data Protection Officer (DPO)? Given the amount and type of personal data involved, we dare to say that employment agencies will be obliged to appoint a DPO.

The GDPR states that the processing of personal data on a "large scale" triggers the appointment of a DPO. How is "large scale" defined? Is there a specific amount of data? The term "large scale" is not clearly defined in the regulation. According to the Article 29 Working Party guidelines, "large scale" is determined by several factors: the number of data subjects, the volume of data, the duration of the processing and its geographical extent. An example of large-scale processing is the processing of patient data as part of the routine activities of a hospital (as opposed to the processing of patient data by a single doctor, which is not considered large scale). Other examples of large-scale processing include the processing of personal data by search engines for behavioural advertising and the processing of customer data in the regular course of business of an insurance company or bank.

If we use an outsourced DPO, how often does it need to perform a check? The processing of personal data should be subject to constant monitoring. Each company should decide for itself whether to appoint an internal or an external DPO.

Who is responsible in the event of an incident, and who pays the fine: the controller or the processor? There is no clear answer to this question. It depends on whether the incident occurs on the controller's or the processor's side. We recommend defining the liability of both parties very precisely in the contract.

How does the GDPR apply to the employees of a company? The requirements of the GDPR apply to organizations, but of course responsibility for data protection also falls on the employees who work with the data.

Is the processor itself responsible for compliance with the GDPR? If the subcontractor has employees and therefore processes their personal data, the subcontractor must of course comply with the GDPR. Such a company can then have two roles: towards its customers it acts as a processor, while towards its employees it acts as a controller.

If our GDPR management is carried out by an external company, who would be fined in the event of a personal data leak? Does the responsibility lie with us, or can it be contractually transferred to the supplier? Under the GDPR, the obligation to protect personal data applies to both the controller and the processor (the external company that processes the data).