SECURE&TIP: PERSONAL DATA PROTECTION

Personal data, the information that distinguishes us from other people and allows us to be identified, must be protected both by ourselves and by third parties who may have access to it.

It is not always easy to know how a company or entity can properly protect the personal data it holds in its systems, because this depends on multiple factors, such as the type of company or entity, whether it is public or private, the service or product it provides, the information it collects, the technologies it uses, the country in which it operates, etc. This complexity means that it is essential for companies and entities to have expert legal advice on data protection.

However, we would like to give you, our readers, some general guidelines, so that you know how to handle personal data, especially if it is not your own data, but information belonging to third parties.

  • Legal or legitimate basis: The legal basis is what authorizes us, or our company or entity, to manage and keep third-party data in its systems. Nowadays, the consent of the person to whom the data belong must always prevail, which may be given by means of an express authorization or a contract. Only when a law requires collecting data from third parties, or when we are providing a public service of vital interest to that person or of general interest to the public, may the collection of consent be exempted. But these will be very extreme cases, such as, for example, when the person receives health care in an emergency and their data must be processed in order to identify them.
  • Transparency: From the moment we process personal data of third parties, whether we must request consent or are legally authorized to process it without consent, we must always inform that person about the processing of his or her data. This implies informing about:
      • What data we will process.
      • How we will process them.
      • When we will start processing them and for how long.
      • Why we are going to use this data.
      • Where we will process and store them (both in what type of physical or digital system, and in what country).
  • Security: Consider how to protect the data by applying technical security measures (such as a password), but also physical ones (a locked drawer) and organizational ones (limiting use to those people who really have to work with the data). To know which security measures to follow, the ideal is to keep up to date with the policies, procedures, manuals and guides made available by our company or organization, which help us to protect personal data, and also confidential information that does not belong to individuals, in a secure way.
  • Rights of the data subject: The data subject is the person to whom the data we are working with belong. Personal data does not belong to the company or entity, nor to the worker who manages it; it belongs to the third person whom that information identifies. Therefore, if that third party asks us to exercise one of the following rights, we must always attend to it simply and free of charge, because it is their right to choose whether they want their data to be used or not:
      • Access (receive information on all the points indicated in transparency and request copies of the same)
      • Rectify (modify the information because if it is out of date it may affect you)
      • Delete (delete data and stop using them)
      • Porting (taking the data away and no longer using it)
      • Limit (restrict the use of data to the minimum necessary)
      • Object (prevent further processing of data for certain purposes to which you do not consent)