by JeanMarcS
2940 days ago
Despite the fun part, if they keep notes of their client names, it has to be GDPR compliant. That’s the example I give to my client, but with a hairdresser. If they give you a fidelity card and they got a copy of your name in a cardboard box, then yes they have to comply with GDPR. Here in France, even the media says that GDPR is for internet companies, not explaining that it’s for every company. So most of them are surprised when you tell them they have to be compliant.

Maybe, maybe not. Article 2 (material scope) says:
"This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."
Note that for GDPR to apply, the data has to be part of or intended to be part of a "filing system". (It is possible to read the above as saying that the filing system requirement is only for data processed other than by automatic means, but Recital 15 suggests it is not limited that way: "The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system").
What is a filing system? Article 4 tells us:
"‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis"
Recital 15: "Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation"
One could probably make a good case that if you are just randomly tossing cards into a cardboard box, that's not a structured set of data, and so not a filing system, and so GDPR does not apply.