The General Data Protection Regulation (GDPR) with its implementation date, 25 May 2018, was the source of concerns among Latvians. The worries were partially due to prejudice concerning the minimum activities permitted. Most of the people thoughts every kind of data processing would be prohibited under the new data protection rules. Here is a series of myths (and the truth!) about GDRP collected by The Data State Inspectorate, National Data Protection Authority of the Republic of Latvia.
“Do not process my personal data if I didn’t say Yes”
People used to think that under the GDPR no one will be able to process our personal data without our prior consent
So, let’s make it clear, consent is not always necessary for processing of personal data. However, companies need to explain in their privacy policy the legal basis for the processing. For instance, when concluding an agreement in order to provide Internet services to the person, it is not necessary to obtain consent from the person concerned to process his/her address. In this case, the legal basis of the personal data would be the performance of the agreement.
Though, if a company is intended to use the personal data used to provide a service to provide targeted advertisements, consent is necessary before the further processing of the data.
The right to be forgotten: The debtor’s request!
In Latvia, many people requested to have personal data erased but not always for valid reasons. Some people thought to use the right to be forgotten in order not to be found when having debts.
For example, a Mr Doe has received a service but had not paid it in due time. The service provider decides to recover the anticipated payment in an out-of-court manner, for example by attracting an out-of-court debt recovery service provider (‘debt collector’). Mr Doe thought that because he had not agreed for his personal data to be shared with the debt collector he could request to have his data deleted from both the service provider and the debt collector.
However, in this particular case, it should be taken into account that the service provider is entitled to receive payment and has the right to recover the debt. The service provider is processing the personal data in order to fulfill his legitimate interests and he does not need to obtain prior consent. Moreover, he is not obliged to erase the personal data as they are still necessary for pursuing his legitimate interest – the recovery of outstanding payment obligations.
No more social media!
In Latvia, people used to think that no posting on social media would be allowed after the entry into force of the GDPR.
Today in the digital era, people’s lives are unthinkable without social media. People expose their daily activities by creating, sharing, disseminating and posting photos, videos, personal and general information. Their ‘friends’ are interacting with them by making comments and performing other activities within our social groups on social networks. In general, these activities are thought to be personal activities. The GDPR does not apply to the processing of personal data carried out by a natural person in the course of purely personal household activity.
For instance, the personal photos, such as concert attendance posted on your social media site or informing friends about some private party does not fall under the GDPR.
However, if you decide to target a post on behalf with the view of offering commercial services, then this type of operation, insofar concerns data processing. It will be considered as processing of personal data.
In another words, if you decide to write a commercial post to your friend Linda offering your company’s services for children’s parties because you realised she has just joint to the group called ‘Organising children’s parties’ on a social media, then you will be obliged to seek at least one legal ground to ensure compliance with the GDPR.
“Are you the Rocket or the Sneaker?”
Often, people live in the belief that the replacement of personally identifiable information with, for example, an image will allow the data to be further processed. This myth is especially prevalent in pre-school education.
In schools, fearing the sanctions of the GDPR, the names, surnames of the children were replaced by pictures, for example (tree, flower, car, rocket, sneaker, emojis and other images) on lockers or other types of equipment.
This is a special myth and it is, therefore, necessary to explain two aspects:
Firstly, Giving nicknames such as rocket, or sneakers to someone, does not mean that the data has not been processed. That is because all information that we can relate to the identified or identifiable person is considered as personal data. Even if anonymised, the organisation still process personal data.
So renaming John “The Rocket” or “The Sneaker” doesn’t change the fact that we can somehow identify John. So a company would still need to comply with the various GDPR rules and anonymising on itself is not enough to be compliant.
Secondly, in the case of pre-school the GDPR does not prevent institutions from continuing to use children’s names in the learning process. Acquiring basic social skills, when a child learns letters and words, is essential for learning your name, to know it and to recognise it.
When assessing the risks that might result from the publication of the child’s name on the locker or drawing determined that it unlikely would lead to a risk that could significantly affect person’s fundamental rights and fundamental freedoms. Those are hence not subject to the GDPR.
Written by: the Data Sate Inspectorate of the Republic of Latvia