What happens, nonetheless, when our contact with personal data is more passive in nature? For instance, when do we know that the data is in a system to which we have access, or when the data is transferred for secure removal to an external company dealing with document disposal?
Think about the following case. What do you think, has XYZ carried out any sort of personal data processing activities?
Case study
Edward, a man in his 60s, actively looking for a job, came to XYZ. He left his CV with a cover letter at the reception. Unfortunately, it so happened that XYZ did not need anyone for the position Edward would like to apply for. The receptionist ignored Edward’s candidacy and she put his CV and letter in a drawer. The documents had been kept in the drawer for almost 4 years until a new receptionist came to the company. He found the CV in the desk of his predecessor while cleaning it up and, not knowing what to do with it, threw it into a shredder.
If you believe that XYZ has been processing data in this case, then you are right.
Conclusions?
Many times you may have thought that you were not processing personal data when, in fact, it was exactly the opposite. Not only may your organization pay for the consequences of wrong processing, but also you – indirectly. That is why it is so important that we know not only what personal data is, but also in what situations its processing is the case. If you are wondering whether or not you are processing personal data and you do one of the following:
- you store data in binders, in your desk, on a desktop, in an email mailbox,
- you destroy documents containing personal data in a shredder,
- you have access to the system in which personal data is processed, despite the fact that you enter it only in extreme situations (e.g. in the case of maintenance activities in the application supplied to the customer),
- the answer is – “yes” :)