Personal data may only ever be stored and processed for a permissible purpose, about which the persons concerned must always be informed. Data may only be passed on to third parties for a specific purpose, e.g. passing on address data to the parcel shipper.
Examples of the transfer of data that must be documented in the list of processing activities and about which the data subjects must always be informed:
- Disclosure of employee data to external accounting / payroll department
- Forwarding of data subject names and delivery addresses to logistics companies
- Passing on customer data for creditworthiness checks
- Collection of customer data in a hosted e‑shop of a cloud provider
- Sharing of billing data with cloud software for electronic invoicing
- Passing on online payment data to a payment service
- Sharing web traffic metadata with a cloud analytics service
- Sharing data subject names and email addresses with a cloud newsletter tool
Educate your employees about the major consequences of processing data outside of the agreed purpose or sharing it with third parties not previously defined. Be sure to consult data protection experts when transferring data to a non-EU country.