In the period immediately following the entry into force of EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, everyone was talking about the new GDPR rules, and economic operators showed a constant interest in complying with them for fear of the fines that could be applied. Lately, however, there has been an unjustified relaxation in the area of personal data protection, even though the data show that more and more operators are being penalized for various violations of the GDPR rules.
There have been, and still are, many myths about the GDPR rules: who they apply to, what we can and cannot do, and so on.
First of all, we must remember that the GDPR rules apply to any company, regardless of its size. Thus, whether we are talking about a licensed individual, a limited liability company or a multinational corporation, all entities fall under the scope of data protection. Moreover, even an individual can be guilty of non-compliance with GDPR rules and sanctioned as such.
Another myth is that if I work exclusively with companies in the course of my business, the GDPR rules do not apply to me.
Indeed, the EU Regulation 2016/679 establishes a protection of individuals with regard to the processing of personal data and the free movement of such data and is not applicable when the data relates to a legal entity.
However, this unfounded myth loses sight of a number of key issues that counter it.
Whether we are talking about partners or suppliers – legal entities – or customers – legal entities – in the course of doing business, we will always identify an individual and come into contact with various personal data belonging to that individual.
For example, if my suppliers are legal entities, I have to establish, by additional acts to the contracts concluded with them, the applicable rules, limits and measures that we are obliged to implement in order to protect personal data, and those acts must include clauses on confidentiality and protection of personal data.
In relation to various contractual partners – legal entities – we may have the status of Controller and the latter that of Processor for the processing of data belonging to us. In this respect, a GDPR Agreement should be concluded, defining the obligations, the way of processing, etc. in extremely clear terms, especially as the Controller is responsible for the actions of the Processor.
Then, in relation to customers – who are legal entities – we can also be a Processor, and we must bear in mind that the liability of the Controller does not remove the liability of the Processor, which is why, again, we must ensure that there is a document that defines the way of working in clear terms.
Even if the processing of personal data is not at the core of the main contract and access to data is entirely indirect, e.g. the main contract is for systems maintenance and access to data is incidental rather than the main purpose of the contract, we still need to adopt procedures, confidentiality and personal data protection agreements.
In conclusion, we are not exempt from GDPR obligations just because we only work with legal entities, which is why we advise you to contact a specialist in personal data protection for a correct and complete assessment and for practical solutions tailored to the specifics of your business.