Does GDPR apply only to data that is processed, or intended to be processed, by automatic means?
The GDPR covers the processing of personal data in two ways:
- personal data processed wholly or partly by automated means (that is, information in electronic form); and
- personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).
Does GDPR cover any data about any individual?
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If individuals cannot be identified then the GDPR does not apply.
Is data recorded about the number of times a user accesses a website personal data?
Yes, if user is identifiable. If they are then the GDPR would regard this as personal data as the person:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information
Analytical data collected about the visitors to a website would also be classed as personal data if identifying information, such as the users’ IP addresses, were collected. This is because it is possible to trace an individual household through an IP address.
Is a data controller an individual, organisation, or corporation, who decides the purposes and manner in which personal data is processed?
Yes. The GDPR says that a controller is indicated if:
- We decide to collect or process the personal data.
- We decide what the purpose or outcome of the processing will be.
- We decide what personal data should be collected.
- We decide which individuals to collect personal data about.
- We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
- We are processing the personal data as a result of a contract between us and the data subject.
- The data subjects are our employees.
- We make decisions about the individuals concerned as part of or as a result of the processing.
- We exercise professional judgement in the processing of the personal data.
- We have a direct relationship with the data subjects.
- We have complete autonomy as to how the personal data is processed.
- We have appointed the processors to process the personal data on our behalf.
Can data processor be held legally responsible for the processing of personal data undertaken for a data controller?
No, since GDPR says “Individuals and supervisory authorities can hold both controllers and processors to account if they fail to comply with their responsibilities under the GDPR.”
A call centre operator is engaged to provide customer services for another company. The call centre staff have access to the customer database in accordance with strict, written contractual arrangements. Is the call centre the data controller for the purposes of the GDPR?
No, the call centre operator makes use of an existing customer database and therefore has no control over what data is collected or who the data is collected from. “If you exercise overall control of the purpose and means of the processing of personal data – i.e. you decide what data to process and why – you are a controller.”