Foundations are an important part of the third sector of the economy. Their main task is to pursue socially or economically useful objectives. To a limited extent, they also have the possibility to carry out economic activities. However, the status of foundations is specific, hence the frequent doubt that arises on the part of the founder regarding the processing of personal data. Can foundations process personal data and how should they protect it?
Foundation as controller of personal data
Foundations, like all other entities operating in the market, may qualify as a controller of personal data within the meaning of the GDPR Regulation. Whether the personal data processed relates to employees, clients, beneficiaries or donors, any operation relating to their personal data will be equivalent to processing.
The Foundation may process both ‘ordinary’ personal data and sensitive data. In both cases, the conditions for this processing will look slightly different.
How do we understand the concept of personal data?
The concept of personal data is defined in Article 4 point 1 of the GDPR Regulation and should be understood very broadly. According to the referenced provision, personal data is information about an identified or identifiable natural person. In particular, it will be a name or PESEL number, but also an email address or IP address.
Sensitive personal data, on the other hand, are those that determine, inter alia, a person’s health status, political opinions, religious beliefs or ethnic or racial origin.
What is the processing of personal data?
The term processing of personal data refers to any operation that is carried out on information that represents personal data. In doing so, it does not matter whether such operations are automated or not. The GDPR Regulation lists, inter alia, the following means of processing personal data:
- collection;
- recording;
- organising;
- arranging;
- storing;
- modifying;
- downloading;
- viewing;
- deletion and destruction.
As can easily be seen, data processing can be both active (e.g. collecting CVs of job applicants at the foundation) and passive (storing the data of the mentees in a database or even just viewing them). Any operation on personal data under the Regulation will qualify in exactly the same way.
Can a foundation lawfully process personal data?
You already know that a foundation can (and usually will) process personal data. The question is how to ensure the lawfulness of such operations?
Central to the lawfulness of the processing is the ability to demonstrate one of the conditions set out in Article 6 GDPR. This provision introduces conditions whose fulfilment makes the processing lawful, thus excluding the controller’s liability in favour of operations on personal data carried out without a legal basis.
The classic legitimising condition is the consent of the data subject to the processing of personal data. It should be voluntary, specific, informed and unambiguous. If there are several purposes for data processing, the consent should relate to each of them separately.
A different ground for processing is the performance of a concluded contract by the foundation. Yet another ground is the legitimate interest of the controller. It is of a vague nature and is usually invoked when it is not possible to indicate a ‘closer’ basis for data processing. In theory, it can be equated with the fulfilment of the statutory objectives, but this should be done carefully so as not to expose oneself to the charge of unlawful processing.
How to take care of personal data in a foundation?
The protection of personal data is often controversial, as the EU legislator has left the controllers free to do so by only indicating what purpose they want to achieve by doing so. Examples of activities in this respect may include:
- backing up digital data;
- using cloud services with appropriate certification and security (e.g. end-to-end 256-bit AES encryption);
- training employees on the ethics of their duties (e.g. locking documents in filing cabinets equipped with locks).
Personal data protection in a foundation
Taking care of a proper standard of personal data protection is of crucial importance, because in the event of an audit by the President of the Office for Personal Data Protection (UODO), it will be the controller who will have to demonstrate that it has complied with the principle of accountability. If you run a foundation or want to set one up and are unsure how to take care of personal data protection, contact us.
Linke Kulicki Law Firm offers comprehensive support in terms of GDPR audits and the development and implementation of effective solutions to minimise the risk of an incident. We support foundations in complying with GDPR regulations and take over the function of Data Protection Officer (DPO) at the foundation. By handing over this function and the associated responsibilities to us, you gain a sense of security. You are assured of receiving data protection support from specialists in this area of law.