Data Protection – a hot topic for ski schools
There are less than 200 days left before the EU General Data Protection Regulation (GDPR) is implemented. The GDPR takes effect on May 25th, 2018, and imposes a wide range of obligations on enterprises of all sizes regarding the protection of personal data. If these obligations are not complied with or are not fulfilled adequately, severe penalties may be imposed. This will also apply to ski schools.
- Basic Principles
The aim of the GDPR is to standardise the protection of personal data within the EU to a much greater extent and to strengthen the rights of those individuals whose data is being stored.
In order to achieve these targets, the GDPR makes data protection the responsibility of the enterprises themselves. After May 25, 2018, they have to make sure that the personal data they use is protected adequately, which essentially means protecting the confidentiality, integrity and availability of the data. Personal data has to be safeguarded from being accessed by third parties and, of course, from being stolen. It should not be possible for unauthorised parties to change or manipulate the data, and in the event of its loss (for example after an attack by hackers or a computer virus) it must be possible to restore the data.
The general principles of data protection have to be complied with. These include, for example, the lawfulness of processing the data, transparency, purpose-related limitations, data minimisation, accuracy and the limitation of the storage period.
- Lawfulness and Purpose-Related Limitations
Under the GDPR, data processing is prohibited unless it is “lawful”. Lawful means that one of six conditions named in the regulation has to be fulfilled. Data processing is considered to be lawful, for instance, if the data is necessary for the performance of a contract, if valid consent has been given, if there is a legal duty to process the data or if the legitimate interests of the processor outweigh those of the individual concerned.
Every single time data is processed, the processor has to consider on which basis it is being done. If a ski school saves employees’ data, this will generally be permissible, because tax and social security laws, for instance, require such data to be saved. It will also be permissible for a ski school to save customers’ data, but only to the extent necessary for the performance of the skiing instruction contract.
The complete article by lawyers Georg Huber and Melanie Gassler-Tischlinger is in the issue “RECHT” (December 2017) of the Tyrolean Business Magazine eco.nova: Datenschutz – ein heißes Thema auch für Skischulen
Photo: ©Blickfang (Julia Türtscher)