GDPR in practice: How to handle personal data at the doctor or at work?

JUDr. Ondřej Preuss, Ph.D.
20. April 2025
8 minutes of reading
Other legal issues

GDPR entered our lives several years ago. After a wave of reluctance and fear, it has settled in and brought new features that we already know how to work with. Most businesses, schools and institutions now have a general awareness of GDPR. But what does GDPR look like in the real world? When do you need written consent? When is another legal basis sufficient? And how do you watch your back when dealing with sensitive data of employees, clients or children? In this article, we’ll look at the processing of personal data in specific environments, from an e-shop to a nursery to a doctor’s surgery.

When do you need consent to process personal data and how do you get it?

In order for consent to the processing of personal data to be considered legally valid, it must meet several criteria. Valid consent is freely given, specific, informed and unambiguous. So it’s not enough just to tick a box somewhere that says “I agree”. The consent checkbox in question must not be pre-filled and the consent must be separate from the terms and conditions so that you have the option to approve or reject both separately.

Consent is needed if, for example, you want to send a newsletter to people who are not your customers. Likewise if you want to share photos of children from a school event on the website or send out photos from a team-building event to all employees. Nor can you do without it if you want to process a person’s data for marketing purposes (for example, profiling).

To help you get out of these situations gracefully, you’ll want to have a template written consent form ready and ideally stored in both digital and physical formats – this can be a scanned document or an electronic form with a logged time and IP address. We will be happy to prepare a bespoke GDPR template for you, just use our online legal advice service.

So let’s take a look at what working with personal data looks like in different situations.


What to look out for as an employer

Large amounts of personal data are often processed by employers. They collect data ranging from name and address to medical conditions or information about an employee’s movements.

What employers should look out for:

CCTV: If you monitor the workplace in any way, you must inform your employees and have a legitimate reason for using CCTV, for example to protect property. You cannot, for instance, place a camera in a changing room or kitchen without a reason.

Attendance systems and biometrics: If you record attendance using, for example, a fingerprint, then you should be aware that this is a special category of data processing that requires written consent. However, with biometrics it is questionable whether consent can actually be voluntary. This is because the employee is in a weaker position and more or less has no choice in such cases whether or not to give consent if they are genuinely interested in the job.

Data sharing: before the GDPR came along, there were myths that we would not even be able to forward an email between colleagues if it contained the signature or email address of other colleagues. Care does need to be taken, however, when passing data on to third parties, for example payroll accountants. If you work with external bodies, you must have a data processing agreement with them.

It is a common mistake for employers to track their employees using GPS on their phones or company cars without informing them of this fact. However, in this case they are committing a breach of the GDPR. If you learn that your employer is tracking you unlawfully, you have the right to defend yourself. We will be happy to help you do so.

What e-shops and website operators need to watch out for

Website operators are very often confused about what they need to have processed on their website. Yet even a simple contact form already constitutes the processing of personal data.

What to look out for on the website:

Cookies: most websites now use tracking and marketing cookies to better target advertising, for example. However, these cookies require the active consent of the site visitor (not just the information in the message at the bottom of the page). The cookie bar must allow the visitor to refuse all optional cookies (especially marketing and analytics cookies). Technical cookies, which are necessary for the operation of the site, do not require consent.
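The cookie-bar rules described above, as an added example that is not code from the article or from the author’s firm: a small JavaScript model of the consent logic, kept free of DOM code so it can be tested. The category names, the record shape and the `now`/`ip` parameters are assumptions.

```javascript
// Added example, not part of the article: consent model for a cookie bar.
// Category names, the record shape and the now/ip parameters are assumptions.
const CATEGORIES = {
  technical: { optional: false }, // necessary for the site: no consent needed
  analytics: { optional: true },  // optional: off until actively granted
  marketing: { optional: true },
};

// State before the visitor acts: only the technical category is on.
// A pre-ticked box or "consent by scrolling" would not be freely given.
function defaultConsent() {
  const granted = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) granted[name] = !meta.optional;
  return granted;
}

// Record an explicit choice. `choices` holds only the optional categories the
// visitor actively ticked; anything missing is treated as refused. The caller
// supplies the time and client IP so the record can be stored as evidence.
function recordConsent(choices, now, ip) {
  const granted = defaultConsent();
  for (const name of choices) {
    if (!(name in CATEGORIES)) throw new Error(`unknown cookie category: ${name}`);
    if (CATEGORIES[name].optional) granted[name] = true;
  }
  return { granted, timestamp: now.toISOString(), ip };
}

// "Reject all" must be one click, just like "accept all".
function rejectAll(now, ip) {
  return recordConsent([], now, ip);
}

// Gate for the tag loader: technical scripts always pass, optional ones only
// with an explicit grant on record. Unknown categories are refused.
function mayLoad(record, category) {
  if (!(category in CATEGORIES)) return false;
  return !CATEGORIES[category].optional || record.granted[category] === true;
}

// Decide which third-party scripts a page may include under a given record.
function scriptsToLoad(record, scripts) {
  return scripts.filter((s) => mayLoad(record, s.category)).map((s) => s.src);
}

// Demo with a constructed visit: analytics granted, marketing refused.
const demo = recordConsent(['analytics'], new Date('2025-04-20T10:00:00Z'), '203.0.113.7');
console.log(scriptsToLoad(demo, [{ src: 'app.js', category: 'technical' }, { src: 'ads.js', category: 'marketing' }]));
```

Wiring the functions to the bar’s buttons and to the real tag loader, and persisting the returned record, is left to the site.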

Processing of order data: name, address, email – all of these data may only be kept for as long as necessary. For example, if a customer has placed an order, you may keep their data for warranty or tax records and the like, but no longer.

Passing on data to carriers: If you use an external carrier, then you must inform your customers that you will pass on their address and telephone number to, for example, a parcel delivery company or PPL.

You should therefore have a document on your website called your privacy policy which clearly describes what data you process, for what reason, for how long, to whom you transfer it if necessary and what rights the data subject has. We will also prepare this document for you if you wish.


Tip: Employee privacy from a GDPR perspective is a broad topic. We have therefore addressed it in a separate article, where you can find out, among other things, whether and under what conditions you are allowed to monitor employees.

How does it work in medical facilities or with a therapist?

Even at the doctor’s, things are not what they used to be since the GDPR. A psychologist’s or doctor’s practice deals with nothing less than a special category of personal data: sensitive data, the processing of which is under stricter regulation.

What to watch out for:

Medical records: whether you’re a doctor or a therapist, you certainly keep information about your clients that shouldn’t fall into anyone else’s hands. Medical records need to be secure, so you should keep them in a locked cabinet or on an encrypted drive and with limited access. Hospitals or facilities with extensive processing must even have a privacy officer.

Visitor log: Do your clients have to register when they arrive? Then you should know that the appointment book in the waiting room should be anonymised – it must not be publicly visible who has made an appointment and for what.

GDPR is very strict for healthcare professionals and similar professions. We therefore recommend using a detailed GDPR model processing agreement with entities that provide IT, cloud storage or billing for you.

Schools and not-for-profit organisations are not exempt from GDPR either

Schools and non-profit organisations are fertile ground for unintentional GDPR violations. Typically this happens when photographing events or posting competition results on a notice board.

What to watch out for in schools and similar institutions:

Photographs of children: while it is common to share photos of events to promote and show how the organisation works, bear in mind that you will need written consent from the child’s legal guardian to post photos on the website or social media. For internal documentation (such as the school chronicle), sometimes legitimate interest is enough, but it is always better to have consent.

Records of members and pupils: even name and date of birth are personal information. Therefore, make sure that you store this data securely, that only authorised persons have access to it and that you have a record of the purpose of processing this data.

Sharing data: do you need to share lists of children between parents, for example to organise a trip? This can also be a problem. You need at least informed consent to share this data.

If you run a club or sports club, we recommend preparing a GDPR model policy and consent form and attaching it to your application form at the start of the school year.


Tip: The case of the Chamber of Commerce buying phone numbers from the Czech Chamber of Commerce has sparked a stormy debate. Read about the proposed change to the Electronic Communications Act.

Summary

The introduction of the GDPR has brought new requirements for the processing of personal data into everyday practice – whether for e-shops, employers, schools, doctors or non-profit organisations. The key is to know when you need informed and voluntary consent and when you can rely on another legal basis. Sensitive data such as biometric data or medical records deserve special attention. It is always important to have the right internal processes, data security and contractual relationships with external processors. Whether it’s a CCTV system in the workplace, a cookie bar on a website, or a child’s photo on a school website, personal data needs to be treated with respect and in accordance with the rules. Professional legal advice or bespoke template documentation can help you set these up.


Author of the article

JUDr. Ondřej Preuss, Ph.D.

Ondřej is the attorney who came up with the idea of providing legal services online. He's been earning his living through legal services for more than 10 years. He especially likes to help clients who may have given up hope in solving their legal issues at work, for example with real estate transfers or copyright licenses.

Education
  • Law, Ph.D, Pf UK in Prague
  • Law, L’université Nancy-II, Nancy
  • Law, Master’s degree (Mgr.), Pf UK in Prague
  • International Territorial Studies (Bc.), FSV UK in Prague
