ActiveMind.legal's free privacy contract model helps parties involved in the processing of personal data to provide the necessary clarity to processing managers and subcontractors. Personal data is processed so that the processing manager can streamline the employee absence management system by outsourcing and automating relevant data, achieving higher productivity and lower costs.
4.3 The processor provides the subcontractor only with the personal data of the persons concerned in the categories covered by paragraph 1 of Schedule 1 (categories of the person concerned) and of the types covered by paragraph 2 of Schedule 1 (types of personal data), and the subcontractor deals in any case within the framework of or in connection with that agreement; and the subcontractor only processes the personal data of the processor for the purposes of Schedule 1 (use of treatment).
Members of the liberal professions are considered to be the responsible party within the meaning of the GDPR if they themselves determine the means and purposes of the processing of personal data. For example, it can be assumed that a self-employed person determines the working time and location himself, as well as the systems for processing personal data. In this case, the professionals must meet all of the data processing obligations and requirements of the GDPR. This includes respect for the rights of the people concerned, for example the extent of information obligations. For the company, this has classification and design advantages because neither data processing requirements nor integration into the data protection organization are necessary, as is the case for its own employees.
The EU-wide law came into force on 25 May 2018 and aims to strengthen people's control over their personal and sensitive information. Every company should now be compliant.
However, according to IT experts Q2Q, “… 40% of SMEs are still unsure of the rules and regulations surrounding the GDPR.” This is a worrying figure – especially since organisations could face high fines of up to 20 million euros, or 4% of the company's global annual turnover (whichever is higher). In essence, the GDPR requires organizations to be aware of the specific data they collect, what it is used for and what will display it. It is essentially based on seven fundamental principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. The Information Commissioner's Office (ICO), which is responsible for ensuring compliance with the GDPR in the United Kingdom, has very good information on its website, which is quite easy to digest. It's worth taking a look if you haven't done so yet. There are also some practical tools and checklists – you'll find more details at the end of this chapter. But at the most fundamental level, this is how it breaks down. First, you have to decide if you are processing personal data.
Most organizations are, to some extent, regardless of their size. Then you need to know if you are a controller or a processor. It depends on your own situation, but the ICO notes that “the organizations that determine the purposes and means of processing are controllers, regardless of how they are described in a service processing contract.” You also need to define the legal basis on which you process personal data. Is it based on consent, contract, legal obligation, vital interests, public task or legitimate interests? At least one of them will apply. You should also document everything, along with your reasoning.