Here are some quick ideas about GDPR in practice:
With more and more personal data circulating in an uncomplicated and uncontrolled way, the GDPR has come to standardize procedures. The European Union has tried to clarify the existing rules in several countries related to the new General Regulation on Data Protection and to legislate for the protection of our personal data.
RIGHT TO ERASING OF PERSONAL DATA
The GDPR considers that the data subject has the right to request and obtain from the data controller the erasure of their personal data without undue delay. And it has the obligation to erase the personal data, in this way, at the data subjects request or when the personal data is no longer necessary for the purpose that motivated the collection or treatment of the data.
DATA BREACHES
The data controller should adopt internal and subcontracting procedures (if these circumstances apply) to deal with cases of personal data breaches (likely to result in a risk to the rights of the data subjects). These include identification, investigation of circumstances, mitigating measures, information circuits between the controller and subcontractor, involvement of the data protection officer and notification to the CNPD of the occurrence of breaches of personal data. This must always occur in accordance with the deadlines laid down in the regulation (up to 72h after having been made aware of the data breach).
CONSENT FOR TREATMENT OF PERSONAL DATA
In order to follow the rules of the GDPR, we advise you to have a consent form for the processing of personal data, to be subscribed to by the data subject, if the data treatment applies to an individual other than your employees or contractual partners.
ARCHIVING EVIDENTIARY MANIFESTATION OF CONSENT DOCUMENTATION
The manner of filing documents relating to the Consent manifested by the data subject should accompany the original format. If the consent has been obtained by sending an email, it can be filed in digital format, or by printing and archiving in a hard-copy file. If consent is expressed and provided by signing a paper-based declaration, the file must be in the original paper format.
RIGHT TO MORE DEMANDING INFORMATION
The data subject has the right to more detailed and demanding information, to be fulfilled by the data controller, namely:
- the right of the data subject to access and know all the data that is recorded related to them – the purpose of the collection, the data controller and their contact details, the category of data;
- the right to complain to a controlling authority – CNPD;
- personal data retention periods;
- and, if the data is not collected directly from the data subject, they should be informed of the origin of the data (consultation of identification documents, etc.).
