Internal audit of management systems and GDPR
In general this is not a breach of GDPR because there are no significant risks to the freedoms and rights of the data subjects, but you need to take a few things into consideration to make sure that the processing is fully compliant with the GDPR requirements. Since the name and position of employees are personal data per Article 4 GDPR – Definitions, listing these categories of personal data in different reports and attachments is considered to be the processing of personal data. Whenever you are assessing whether the processing of personal data is GDPR-compliant, you must make sure that the processing is necessary (and that the same objective cannot be obtained without processing personal data) and that it respects all GDPR principles described in Article 5 GDPR – Principles relating to the processing of personal data:
- Lawfulness, fairness, and transparency (employees understand that their data is published in these reports).
- Purpose limitation (there is a clear scope of processing).
- Data minimization (only data necessary for the purpose is being processed).
- Accuracy.
- Storage limitation (define clear retention timelines after which the data should be anonymized).
- Security.
The legal ground for this processing could be the legitimate interest of the organization to create meaningful reports that can be used internally and that allow other employees to contact the people who worked on these reports/audits. In this case, you should also perform a Legitimate Interest Assessment and allow employees to exercise their right to object, according to Article 21 GDPR – Right to object.
Please also consult these links:
- Article 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/
- Article 5 GDPR – Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
- Article 21 GDPR – Right to object: https://advisera.com/eugdpracademy/gdpr/right-to-object/
- Understanding 6 key GDPR principles: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
- A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
May 29, 2022