Google Analytics does not process personal data because IP addresses are anonymized
During the legal management of third party analytical cookies (e.g. Google Analytics), you may have been reassured by IT personnel that the “masking” of IP addresses is applied, and therefore personal data is anonymized, enabling you to activate these cookies by default, without the user’s prior consent.
The corporate email address is not personal data
Although several clarifications have already been made in this regard over the years, it can still be heard today that the e-mail address with a corporate domain is not personal data because it belongs to a legal entity (the company).
In fact, the matter was already clarified by the competent authorities quite some time ago. At national level, we refer to the position expressed by the Data Protection Authority in the Guidelines on Promotional Activities and Fight against Spam, according to which the corporate e-mail address of an employee containing his or her personal data (e.g. name.surname@___) should be considered a “personal” e-mail address, and its assignee should be considered the “data subject”, and therefore the relevant regulations on the protection of personal data shall apply. In line with this position, at European level, reference is made to Opinions No 4/1997 and No 5/2004 of the Art. 29 Group as well as the most recent position expressed by the European Commission (see Answer given by Ms Jourová on behalf of the Commission, 21 February 2018, Question reference: E-007174/2017).
The time employed by the Processor to notify a Data Breach to the Controller decreases the time assigned to the Controller for the notification to the Supervisory Authority
When negotiating data processing agreements, some Data Controllers claim that the hours recognized to the Data Processor to notify them of a data breach should be deducted from the 72-hour period required by law to the Data Controller for notifying the breach to the Supervisory Authority.
In reality, in this respect, the GDPR merely states that <<The controller shall inform the controller without undue delay after becoming aware of the breach >> (Article 33 (2)). On the other hand, more detailed guidelines concerning Data Breaches are provided by the WP29, which states: << (…) in principle, the controller should be considered as “aware” once the processor has informed it of the breach.>> and therefore the 72-hour period for notifying the Authority would start from the moment the Processor notifies the breach to the Controller. Of course, the Data Controller and Processor may define in the contract the maximum time period available to the Data Processor for the notification of the Breach to the Data Controller.
Learn more about Data Breach! We have published a new content about this topic:
A Data Subject’s right to be forgotten implies the obligation to immediately delete all their personal data
When faced with a request for Data Erasure made in accordance with Art. 17 GDPR, the first reaction of many Data Controllers is to immediately delete all personal data relating to the requesting Data Subject.
Actually, before proceeding with the erasure, it is necessary to accurately map the personal data of the subject in our possession and that have been communicated to other recipients, then check whether the regulatory conditions are in place to proceed with their erasure, either total or partial. The right to be forgotten is not an absolute right, but it can be exercised in the cases provided for by the regulation. In addition, we should never confuse the mere “logical” deletion of data from systems with their real, physical deletion: many applications limit themselves to carrying out a logical deletion, providing a functionality such as the “recycle bin” that lets us recover them again, or maintain the behavioral data of the subject even after their “apparent” deletion. Therefore, be certain to carry out an effective and complete deletion of the data, both at logical and physical levels.
It is up to the Data Controller to decide which Data Processing Agreement to use
Those of you who, limited to one or more data processings, have been put in the shoes of Data Processors, will probably have received instructions by the Controller to sign their own Data Processing Agreement because, as Data Controller, they would have the right to impose their own contract document.
Actually, this is an assumption that has its root in the old text of the Italian Privacy Code according to which it was the Controller who unilaterally designated the Data Processor by means of a document, consistently called “Agreement”. With the entry into force of the GDPR, Article 28 (3) has reformed the point by providing that <<Processing by a controller is governed by a contract or other legal act under Union or Member State law, (…) >>. Therefore, The Appointment as Data Processor has turned into a real contract document which reflects the instructions given by the Data Controller, and whose content is jointly defined between the parties. In the event that the supply involves the processing of data through the provision of complex and articulated services, it could therefore be beneficial for both parties to discuss a joint text starting from that proposed by the Data Processor, who will probably have “tailor-made” the contract based on the technical services they are able to provide.
And what do you think? Have you come across other myths in our industry?
To talk about it together, write to us at firstname.lastname@example.org: your experience could become the subject of further study for the benefit of everyone in the industry.
* This Article does not constitute legal advice in any way.