Collecting and Handling Personal Data
Punit Bhatia
15 years: Data privacy & GDPR
In the third video of his series on GDPR, Punit explains when an organization is allowed to collect and process personal data, and how an organization informs individuals about its handling of their personal data.
12 mins 31 secs
Key learning objectives:
Understand when an organisation is allowed to collect and process personal data
Identify what consent from an individual means
Understand how an organisation informs individuals about its handling of their personal data
Overview:
Organisations can collect and process personal data so long as there is a legitimate reason permitted by law for doing so. They need to map all processing to one of the legitimate purposes. Organisations must inform individuals about processing purposes and details in a transparent manner.
When is an organisation allowed to collect and process personal data?
Personal data on a person can be collected and processed if there is a valid reason. GDPR defines the following as the legitimate bases for collection and processing of personal data:
- Contractual agreements - When you have a contract with a person, and you need to process personal data to fulfil your contractual obligation
- Compliance with the law - A company may need to process personal data to comply with the law. For example, reviewing and analysing personal data and transactions of customers for anti-money laundering is a legal obligation
- Vital Interest - This is when the processing is necessary to protect someone’s life
- Public task - When the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate Interest - When processing personal data is a legitimate interest of the company. For example, scanning all traffic including personal data on your servers for privacy and malware protection
- Consent - When processing of personal data cannot be mapped under any of the above bases, the individual must be asked for consent
What does consent from an individual mean?
Consent is asking an individual whether their personal data can be processed. An individual may withdraw his or her consent at any time and, upon withdrawal of consent, the processing of personal data must be stopped. In cases where consent is given by electronic means, the mechanism for obtaining consent should be clear, explicit, concise, and unambiguous.
How does an organisation inform individuals about its handling of their personal data?
Organisations are supposed to be transparent with individuals when handling personal data. This usually includes providing answers to basic questions like:
- What personal data is being collected?
- Why is this personal data being collected?
- What is being done with this personal data?
- Who is the personal data shared with? And, why?
- What are the rights of the individual? And how are these rights respected?
- How is personal data protected?
- Who can be contacted for more information?