I have an inquiry regarding the conduct of reporting on internal management systems and the GDPR.
In our internal audit reports of our management system, we include the names and positions of the audit participants. Will this constitute a breach of the GDPR?
Also, part of the report, as an attachment, is the attendance list containing the names and positions. Is this also a breach under the GDPR?
In general, this is not a breach of the GDPR because there are no significant risks to the rights and freedoms of the data subjects, but you need to take a few things into consideration to make sure that the processing is fully compliant with the GDPR requirements. Since the name and position of employees are personal data per Article 4 GDPR - Definitions, listing these categories of personal data in different reports and attachments is considered to be processing of personal data. Whenever you are assessing whether the processing of personal data is GDPR-compliant, you must make sure that the processing is necessary (and the same objective cannot be obtained without processing personal data) and that it respects all GDPR principles described in Article 5 GDPR - Principles relating to the processing of personal data:
Lawfulness, fairness, and transparency (employees understand that their data is published in these reports).
Purpose limitation (there is a clear scope of processing).
Data minimization (only data necessary for the purpose is being processed).
Storage limitation (define clear retention timelines after which the data should be anonymized).
The legal ground for this processing could be the legitimate interest of the organization to create meaningful reports that can be used internally and that allow other employees to contact the people who worked on these reports/audits. In this case, you should also perform a Legitimate Interest Assessment and allow employees to exercise their right to object, according to Article 21 GDPR - Right to object.