Ways of Work - Personal data – All employees
As you may have heard in the media, new legislation on the protection of the personal data of natural persons, the GDPR, has come into effect. As this affects all of us, we have prepared this guidance on how you must handle personal data going forward.
More information can be found here: https://www.eugdpr.org/
What is personal data?
Personal data is: any information relating to an identified or identifiable natural person (a "physical person", like you).
A few examples of personal data are listed below:
- The information we hold on you in relation to your employment: your name, address, bank account, etc. This is information the company needs, e.g. to pay your salary.
- Information on employees at our customers and suppliers (counterparties), such as their personal e-mail address and home address, and other personal information such as their family relations and personal habits.
Remember! It only covers data relating to physical persons, not data relating to companies (it must be personal)!
The basic new rights and obligations:
This new legislation is made to protect you (and your counterparties) as individuals. As such it gives new rights and protections to persons, and thereby imposes obligations on companies like ours when we process personal data.
First of all - it is important to emphasize that you can continue to process personal data in the future!
However, you may only process personal data if you do so for a specific purpose and have a legal basis for it.
By processing we mean the registration, collection, storing, use, forwarding, etc. of a person's personal data.
An example of a specific purpose: we, as a company, need your bank account information (the personal data) in order to pay your salary (the purpose).
The requirement of a legal basis is met if the processing is necessary …
… for the performance of a contract (e.g. we need to include your personal data in your employment contract),
… for compliance with a legal obligation (e.g. the disclosure of your income information to the tax authorities),
… in order to protect the vital interests of a person,
… for the performance of a task carried out in the public interest or official authority, or
… for the purposes of the legitimate interests pursued by the controller (e.g. us as a company).
If you have no specific purpose or legal basis, you cannot process the personal data unless you obtain written consent from the person(s) concerned to process their personal data!
If you do not obtain that consent, you cannot process their personal data!
You need to be aware that when you as an employee (and thereby we as a company) process a person's personal data, that person now has new rights, including the right to:
1) be informed of (have insight into) what personal data we have processed,
2) be informed of the purpose of our processing,
3) require the processed data to be corrected or even deleted entirely.
These are the basic principles of the GDPR!
So how is the GDPR changing your ways of working?
The GDPR should not have a major effect on your daily work. However, some departments such as HR, Treasury and IT (departments that process personal data as part of their function) will face new procedures and requirements. Separate "ways of work" have been made for these departments.
Where do I “face” personal data in my working day?
Normally you encounter personal data when communicating with your counterparties. Maybe your counterparty gives you his/her private address, e-mail or phone number (personal data). Maybe he/she tells you about family relations or health conditions (personal data).
Maybe you receive a passport copy (personal data) of your counterparty's management as part of your credit or KYC assessment, or maybe a long-standing competitor sends you his/her personal CV (personal data), giving up the battle.
So how should you process this information if received?
Remember! You can only process (e.g. type in and store in CRM) personal data if you have:
1) a specific purpose and
2) legal basis for doing it.
If you e.g. want to store personal information on a contact person at one of your counterparties in our CRM system, you can do this, as it falls within the legitimate interests pursued by us (our interest in serving the counterparty in the best manner).
Is there any difference in what kind of personal data I can process?
Yes. There are two types of personal data: sensitive and non-sensitive (normal) personal data. Sensitive personal data is information about (exhaustively listed): racial or ethnic origin - political opinions - religious beliefs - philosophical beliefs - trade union membership - genetic data - biometric data - health information - sex life or sexual orientation. All other information is normal personal data.
Normal personal data you must process in accordance with this guidance. Sensitive personal data you must not process without first contacting the legal department and the CEO (see the best practice instructions below).
Unsolicited information received – what do I do?
If you receive a CV or an application from a person and you have no purpose for holding it (meaning that you are not the right channel/department/person), you MUST inform the sender that you are not the right person and that you will delete the mail containing the CV/application, and either refer the sender to the right channel or ask for consent to forward the mail to the right person/department.
If you receive unsolicited sensitive personal data in e.g. a chat program, you should delete it from the chat as thoroughly as the program allows.
Do you know where you have processed personal data?
As we have an obligation to inform persons about our processing, we always need to know what we have processed, the purpose of the processing and e.g. where the information (personal data) is stored.
So always know what, where and why, and always delete personal data you hold without a purpose!
We have a uniform Data Protection Policy in Thorsen-Teknik A/S, applying to all employees, departments and companies.
GDPR Best Practice instruction in handling personal data.
Below are best practice instructions on how you must handle personal data going forward:
- Go through your inbox and folders (physical and digital) and delete personal data stored without a purpose.
- Develop a habit of cleaning up your inbox, and never store, forward, etc. any personal data without a purpose or legal basis, such as consent from the sender.
- All personal data that is merely "nice to have" rather than "need to have" must be deleted.
- Do not process sensitive personal data without contacting the legal department and the CEO.
- Keep the personal data entered in the CRM system to the minimum needed.
- Keep personal data to the absolute minimum. That means: do not store the same documents both on a local drive and in a physical folder or briefcase.
- Keep in mind that you need to inform the person about the processing and may need to ask for consent.
- A person can ask to see what you have noted down about him/her.
If you have any questions, please do not hesitate to contact firstname.lastname@example.org, or
CEO Torben Thorsen at +4529104029.
Read more about the regulation here: https://www.eugdpr.org/