In the past few days, a picture has been circulating of a poster in a butcher shop that read:
In our butcher's shop, we may sometimes ask your name and remember your tastes in meat.
If this annoys you, please come in shouting: “I deny my consent”.
From now on, we’ll pretend not to know you.
Now, it is not important whether this really happened or is fake news; what matters is that it highlights one of the most innovative aspects of the GDPR, one that has gone largely unnoticed.
Unlike Legislative Decree 196/2003 (the Italian Data Protection Code), under which practically every action in private or professional life involves personal data processing:
Section 4 Definitions
For the purposes of this Code:
a) ‘processing’ shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether the latter are contained or not in a data bank;
the scope of protection under the GDPR is narrower, as Article 2 sets out:
Article 2 Material scope
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
The Regulation therefore does not apply when processing is performed manually and the data are kept in unstructured files.
Sometimes, though, it is not easy to tell whether a particular situation falls within that scope. Recital 15, which restates what we have just reported, underlines the risk of circumvention:
(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.
It is nonetheless quite clear that the butcher, by asking his clients’ names and remembering their tastes, does no automated processing and probably no manual processing either, since the clients’ preferences are merely “remembered” and not written down in any register.
Therefore the butcher need not worry: he can keep asking his clients’ names and remembering their tastes without carrying out any of the obligations the GDPR imposes.
That is, at least, until the purchased goods are paid for.
Here two different situations arise.
If payment is made in cash, the butcher is processing only anonymous data: although issuing a receipt might perhaps be considered a form of automated processing (not to be confused with the mere use of electronic tools), no personal data of the client is processed, so we are still outside the scope of the GDPR.
If, instead, payment is made by credit card, personal data of an identifiable individual is being processed (even if not by the butcher himself). This opens up new and complex scenarios that will have to be considered carefully, together with the actions they require.
Our hero’s situation is like that of dozens of other controllers, but as this article shows, only a specific and precise analysis of information flows, and an equally precise analysis of processes, can determine whether a given personal data processing falls within the scope of the GDPR.
No generalisation is really possible, so one of the main skills required of those who deal professionally with data protection is precisely the ability to analyse processes and data flows as they actually occur for each controller.
Consequently, beware of copy-and-paste solutions, of reusing other people’s documents, and of thinking that copying a few documents makes you GDPR compliant: compliance with privacy rules is a tailor-made suit that every controller must cut to fit his own reality.
Translated by Matilde Bobbio