Collecting and Handling Personal Data

Punit Bhatia

15 years: Data privacy & GDPR

In the third video of his series on GDPR, Punit explains about when an organization is allowed to collect and process personal data, and how an organization informs individuals about its handling of their personal data.

GDPR

Subscribe to watch

Access this and all of the content on our platform by signing up for a 7-day free trial.

Collecting and Handling Personal Data

12 mins 31 secs

Key learning objectives:

Understand when an organisation is allowed to collect and process personal data
Identify what consent from an individual mean
Understand how an organisation informs individuals about its handling of their personal data

Overview:

Organisations can collect and process personal data so long as there is a legitimate reason permitted by law for doing so. They need to map all processing to one of the legitimate purposes. Organisations must inform individuals about processing purposes and details in a transparent manner.

Subscribe to watch

Access this and all of the content on our platform by signing up for a 7-day free trial.

Summary

When is an organisation allowed to collect and process personal data?

Personal data on a person can be collected and processed if there is a valid reason. GDPR defines the following as the legitimate basis for collection and processing of personal data:

Contractual agreements - When you have a contract with a person, and you need to process personal data to fulfil your contractual obligation
Compliance with the law - A company may need to process personal data to comply with the law. For example, reviewing and analysing personal data and transactions of a customers for anti-money laundering is a legal obligation
Valid Interest - This is when the processing is necessary to protect someone’s life
Public task - When the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
Legitimate Interest - When the processing personal data is a legitimate interest of the company. For example, scanning all traffic including personal data on your servers for privacy and malware protection
Consent - When processing of personal data cannot be mapped under any of the above basis, consent of the individual must be asked

What does consent from an individual mean?

Consent is asking an individual whether their personal data can be processed. An individual may withdraw his or her consent at any time and, upon withdrawal of consent, the processing of personal data must be stopped. In cases where consent is given by electronic means, the mechanism for obtaining consent should be clear, explicit, concise, and unambiguous.

How does an organisation inform individuals about its handling of their personal data?

Organisations are supposed to be transparent with individuals when handling personal data. This usually includes providing answers to basic questions like:

What personal data is being collected?
Why is this personal data being collected?
What is being done with this personal data?
Who is the personal data shared with? And, why?
What are the rights of the individual? And how are these rights respected?
How is personal data protected?
Who can be contacted for more information?

Subscribe to watch

Access this and all of the content on our platform by signing up for a 7-day free trial.

Punit Bhatia

Punit Bhatia is a passionate author, speaker, and advisor. He provides strategic coaching and advice to privacy experts, business owners, and upcoming privacy professionals. Punit is known for providing advice that is simple, pragmatic and business-aligned.

There are no available Videos from "Punit Bhatia"