You may not be aware – but EU General Data Protection Regulation (GDPR) impacts any and all businesses that store personal information about EU citizens, NOT just businesses that exist within Europe. Personal information can include many things from email addresses to bank details.
We’re very big on security at Aintree Group, so in the interest of best practice, we have introduced policies across the board that comply with EU regulations. We encourage all businesses to do the same where possible, because it’s only a matter of time before these regulations apply for Australian data as well!
Who does the law apply to?
- A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- A company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
If your company is a small and medium-sized enterprise (‘SME’) that processes personal data as described above you have to comply with the GDPR.
If processing personal data isn’t a core part of your business and your activity doesn’t create risks for individuals, then some obligations of the GDPR will not apply to you. But it’s better to be safe than sorry!
Informed consent to store data
One big condition for processing personal data is that the individual has given consent to the processing of his or her personal data for one or more specific purposes. This is one of the key differences between Australian privacy laws and the EU privacy laws.
Consent must be freely given, specific and informed. If the individual is below 16 years of age, then their parent’s consent must be given.
What information must be given to individuals whose data is collected?
At the time of collecting their data, clients must be informed clearly about:
- Who your company/organisation is (your contact details, and those of your Data Protection Officer (DPO) if any);
- Why your company/organisation will be using their personal data (purposes);
- The categories of personal data concerned;
- The legal justification for processing their data;
- For how long the data will be kept;
- Who else might receive it;
- Whether their personal data will be transferred to a recipient outside the EU;
- That they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
- Their right to lodge a complaint with a Data Protection Authority (DPA);
- Their right to withdraw consent at any time;
- Where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
Other conditions for data collection under GDPR:
- Personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing.
- The individual has given consent to the processing of his or her personal data for one or more specific purposes.
- You must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You can’t simply collect personal data for undefined purposes.
- You must collect and process only the personal data that is necessary to fulfil that purpose.
- You must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it’s processed, and correct it if not.
- You can’t further use the personal data for other purposes that aren’t compatible with the original purpose of collection.
- You must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected.
- You must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology.
- If data is processed unlawfully it must be deleted.
- Data collected from an individual while they were still a minor must be deleted.
- Personal data should only be processed where it isn’t reasonably feasible to carry out the processing in another manner.
- Where possible, it is preferable to use anonymous data.
- Where personal data is needed, it should be accurate, relevant and limited to what is necessary for the purpose.
- Data must be stored for the shortest time possible.
- Data should be reviewed every quarter in order to update inaccurate data and delete unnecessary data.
- You must conduct a Data Protection Impact Assessment (DPIA) prior to data processing where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.
Aintree Group clients, please note:
As your tax agent, it is implied in our initial engagement that you consent to Aintree Group collecting and storing personal details. If you choose to revoke that consent, please get in touch with our office.
If you hold a European citizenship, bank account or have any connection to the EU, please contact us as soon as possible so we can arrange your formal consent.
Click here for more information about the EU GDPR.