101 guide on GDPR for coworking spaces (III)

We have finally reached the last part of our GDPR guide for coworking spaces! Soon you will be able to plan effectively how you are going to deal with all personal data in a clear, fair and transparent manner, and what security measures to take. Let’s continue from where we left off in the second part of our guide, with the steps coworking spaces need to take to be GDPR compliant!

3.4 Establish a procedure for the notification of a personal data breach.

The GDPR states that a procedure must be established for notifying security breaches; coworking spaces must therefore establish the following PROCEDURE.

What is a security breach? Any incident that causes the destruction, loss or unlawful modification of coworkers’ personal data, or its unauthorised communication or access, for example: the loss of a laptop or pen drive containing personal data, the sending of an email containing a coworker’s personal data to an unauthorised third party, or the deletion of personal data.

The GDPR states that a procedure should be established to notify the data protection Control Authority of each country of a security breach within a period of 72 hours.

The notification MUST INCLUDE the following:

  • The nature of the breach (for example: the theft of a computer, the deletion of data due to a virus...)
  • The categories of data (for example: names, surnames, ID numbers...), records and data subjects affected (coworkers, contacts, suppliers...)
  • Measures adopted by the controller to address the breach (for example: the recovery of personal data by means of a backup)
  • If applicable, the measures taken to correct the possible negative effects on the data subjects (for example: taking out a data protection insurance policy to compensate for any physical or personal damage which might have occurred)
  • The contact point (for example: the owner or administrator of the coworking space)

It is not necessary to send notification of a breach if it is unlikely that the rights and freedoms of the affected party have been violated (For example, if the personal data has been deleted and immediately recovered, it will not affect the rights and freedoms of the interested party).

The GDPR also states that, if the security breach represents a high risk to the data subject, the individual concerned must be informed of the risk to their security (for example, if the owner of the coworking space has a computer stolen that is not password-protected and contains the coworkers’ personal data, including copies of their documentation such as credit card numbers, there is obviously a high risk of theft, identity theft, etc.).


3.5 Information for a data subject regarding data processing

Coworking spaces must inform the affected parties in writing, in clear and plain language, at the moment of requesting the personal data (that is, before proceeding to collect it), of the following points:

  • Contact details of the controller and of the representative in charge of data protection.
  • Purpose and legal basis of the processing.
  • Recipients of the data and any international transfers.
  • Envisaged period for retaining the data (difficult to predict), or the criteria used to determine that period.
  • Rights of the interested party: access, rectification or erasure, restriction of processing, objection to processing, and the right to data portability.
  • Right to withdraw consent when the processing is based on it.
  • Right to lodge a complaint with the supervisory authority.
  • Whether there is an obligation to provide the data and the consequences of failing to provide it, and whether providing the data is a legal or contractual requirement or a requirement for entering into a contract.
  • The existence of automated decision-making, including profiling.
  • Any processing for an additional purpose not originally foreseen.

Therefore, the information mentioned above will be included in personal data collection forms, in contracts that the coworking space has its coworkers sign, in contact forms on its website, and so on.

The following is an example of the clause that would be included in the coworking contract with the coworker:

“In compliance with the provisions of Regulation (EU) 2016/679 of April 27, 2016 (GDPR), we inform you that the personal data provided in this contract will be processed by.................. coworking space, in order to manage the provision of the requested service and based on the existing contractual relationship. No data will be communicated to third parties, nor will any international data transfers be carried out.

The data will be stored for the duration of this contractual relationship.

Likewise, we inform you that you have the right to request access, rectification, data portability and erasure of your data and the limitation and opposition to the processing by contacting: ................ Coworking space. Address: .................. .................., or by sending an email to ........................, together with your ID number.

You also have the right to withdraw consent given at any time.

The requested data is essential for the execution of the contract; without it, the requested contract cannot be entered into.

You also have the right to file a claim with the ............. Supervisory Authority (the body responsible in each country).

The undersigned acknowledges that they have been informed and gives their consent to the above data processing.”


Given that there is a lot of information that the coworking space is now obliged to provide to those affected, it is also advisable to provide the information in layers.

In other words, the first layer offers the basic information in summarised form, at the same time and through the same medium in which the data is collected, and any additional information is given in detail in a second layer, for example by referring to the website’s privacy policy.

Remember that each coworking space must consult any internal regulations that may have been approved by the country in which it is located, since the GDPR allows the possibility for each Member State to vary the mandatory information that must be provided.


3.6 Consent:

As we saw in section 2.1.2, for the processing of personal data to be lawful, it must rest on a legitimate basis, for example, in the case of coworkers, the existence of a contractual relationship.

However, what about the case of a person who comes to a coworking space simply to ask for information? Or of a person requesting information through a website contact form? In these cases, the legal basis for processing their personal data will be the consent of the affected party.

Thus, when collecting the consent of those affected, the coworking space must ensure that it does so in accordance with the GDPR.

The GDPR states that consent must be unambiguous, which means that we must be able to demonstrate it, and that it must be clear from a declaration or action by the affected party.

Therefore, we recommend that the affected party gives his/her consent on the paper-based form used for data collection.

For example:

“In compliance with the provisions of Regulation (EU) 2016/679 of April 27, 2016 (GDPR), we inform you that the personal data provided in this contact form will be processed by................... coworking space, in order to comply with your information request.

No data will be communicated to third parties, nor will any international data transfers be carried out.

The data will be stored for the duration of the purpose for which it was collected.

Likewise, we inform you that you have the right to request access, rectification, data portability and erasure of your data and the limitation and opposition to the processing by contacting: ................ Coworking space. Address: .................. .................., or by sending an email to ........................, together with your ID number.

The requested data is essential for the execution of the contract; without it, the requested contract cannot be entered into.

You also have the right to file a claim with the ............. Control Authority (the body responsible in each country).”

In this way, the coworking space complies with its duty to provide information and at the same time obtains the consent of the affected party.


In the case of web pages, it is normal that before the affected party sends their personal data by means of a contact form (or subscribes to a newsletter or similar), they must tick a checkbox to show their agreement with the web page’s privacy policy. The checkbox links to the policy, where they are given all the necessary information regarding the processing of their personal data, and in this way they can give their consent to the processing of said data.

Please note! Under the new GDPR this will not be valid if the checkbox is pre-ticked.

Example CONTACT FORM

[ ] I have read, understood and accept the Privacy Policy.

SEND

If a coworking contract exists, we recommend including a clause which details all the information related to the processing of personal data. Even though the existence of a contractual relationship implies tacit permission to process the data, it is advisable to ask for consent to the processing in the same clause.

Please note! Coworking spaces should also check that the data they collected prior to the date of application of the GDPR (25/5/2018) meets the requirement that consent be unambiguous, since tacit consent that was previously given will no longer be accepted.

If data is collected on children under sixteen, their parents or guardians must give consent, although every coworking space must consult its own internal regulations since the GDPR allows European States to lower this age to thirteen.

The GDPR also states that consent must be unambiguous and explicit in the following cases:

  • The processing involves sensitive data (not typically the case in coworking spaces).
  • Automated decision-making is conducted, in which a system decides without human intervention (for example: financial entities which grant credit based on the creditworthiness of the person requesting it).
  • International data transfers are carried out (this could occur in coworking spaces, for example when the personal data that the coworking space keeps on its clients is stored in the cloud and the servers on which it is stored are located outside the EU). In this instance, the unambiguous and express consent of those affected must be requested.


3.7 Establishing a procedure for the interested party to exercise their rights

The interested parties have a number of rights regarding their personal data and, aside from informing them of said rights, as mentioned in section 3.5, coworking spaces must allow the interested parties to exercise those rights should they so wish.

The procedure for exercising these rights must be simple and easily accessible, and should also be free. The submission of applications by electronic means must be facilitated, especially in the case that the processing is carried out by said means.

The INTERESTED PARTIES have the following RIGHTS:

Right of access: Provide the interested party with the personal information that the coworking space holds about them, and a copy of said information.

The exercise of this right may be denied if the affected party has already exercised it within the previous twelve months, unless a legitimate interest is demonstrated or the law requires otherwise.

Right to rectification: When modification is necessary due to inaccurate or incomplete data.

The exercise of this right may be denied if the law so provides.

Right to erasure: When the data is excessive or inadequate.

The exercise of this right may be denied if the law so provides.

Right to be forgotten: In the event that the personal data has been made public (for example on the Internet) and the interested party asks the owner of the coworking space to delete it, the controller must take reasonable steps to ensure its deletion, including any technical measures necessary to carry out such a deletion. An example of this would be data of the interested party indexed in a search engine. At the interested party’s request it should be deleted, meaning the controller must inform the search engine operator that it ought to de-index the interested party’s data.

Right to restriction of processing: The interested party can ask the coworking space to cease the processing of their personal data if they have challenged its accuracy, if they have opposed the processing, if the processing is illegal, or if the data is no longer necessary to carry out the processing.

Right to object: The interested party may request that the processing of their personal data not be carried out, or that it be ceased, provided there is just cause.

The exercise of this right may be denied in the event that the coworking space has compelling legitimate grounds for the processing that override the rights of those affected, or for the defence of legal claims.

Right to data portability: The interested party may request the coworking space to provide them with all their personal data, and to provide them in a structured, commonly used and machine-readable format (for example: a pen drive, CD...).

This right also means that personal data can be passed directly from one controller of personal data to another.

In coworking spaces, this right will not typically be exercised, but a coworker may do so: for example, a coworker who leaves one coworking space for another can ask the first coworking space to send all their personal data directly to the new coworking space.

This right can only be exercised if:

  • The data processing is conducted by automated means (by computer, for example).
  • The data processing is carried out on the basis of the interested party’s agreement (consent) or of a contract.
  • The data requested by the interested party is data which he or she provided to the controller.

How can an interested party exercise their rights?

They must submit a written request to the coworking space, by a means which allows the coworking space to acknowledge that it has been sent and received (an online form, a written request presented in person, an email...), accompanied by a copy of their ID document and indicating the right they wish to exercise.

The coworking space shall respond to the request within a month, a period which may be extended to up to two months in the case of complex requests. The data subject shall be informed of any such extension within the first month.

The coworking space must respond to the request by replying to the individual concerned, either accepting their request or denying it, depending on whether the requirements established by the GDPR are met.


3.8 Selection and contracting of those responsible for processing

The person responsible for data processing (the processor, in GDPR terms) will be an individual or company that provides a service to a coworking space and, as a result of providing this service, has access to the coworkers’ personal data, for example: an agency that has access to billing, an IT company, a video surveillance company that has access to images of the coworkers, or a marketing agency that manages e-mail campaigns.

Thus, under the new GDPR the coworking space must ensure that the person in charge of the service provides sufficient guarantees that personal data is not accessed by unauthorised third parties, modified, or lost, that they comply with the GDPR and, in addition, that they can prove they have done so, should it be necessary.

According to the GDPR, the relationship granting the person in charge of processing access to personal data must be regulated by means of a CONTRACT, which as a minimum must stipulate:

  • The subject matter, duration, nature and purpose of the processing
  • The nature of the personal data and the categories of data subjects
  • The obligation of the service provider (processor) to act solely on the documented instructions of the coworking space
  • Whether they work exclusively for the coworking space, specifying the cases in which this need not be so

The contract must be signed by both parties, both by the coworking space and by the individual/company that provides the service involving the access to the data, and a copy of it must be kept by both parties and presented to the competent authorities upon request.

In the case of services such as Amazon, Google, Dropbox, Twitter, Facebook, etc., the coworking space must ensure that when it signs up to them, the terms and conditions of the contract meet all the requirements established by the GDPR with regard to the person in charge of data processing.


3.9 Checking whether you engage in international data transfers.

The international transfer of data can be defined as the processing of personal data that involves the transmission of data outside the territory of the European Economic Area, whether this constitutes a transfer or communication of data, or whether the intention is for the controller of the data to process it in another territory belonging to a European Union Member State.

How could this situation arise in a coworking space? For example, if the personal data that the coworking space keeps on its clients is stored in the cloud on servers which are located outside the EU.

In order to carry out an international transfer, the coworking space and the Data Protection Officer, where applicable, must comply with the CONDITIONS established in Article 45 et seq. of the GDPR. In summary:

- It is not necessary to obtain specific authorization from a Control Authority if the European Commission has decided that the third country GUARANTEES AN ADEQUATE LEVEL OF PROTECTION.

- In the absence of a decision by the European Commission, the controller or the person responsible for processing (processor) will only be able to transmit personal data to a third country or international organisation if it has offered adequate guarantees and provided that the interested parties have enforceable rights and effective legal remedies. These GUARANTEES are:

  1. a legally binding and enforceable instrument between public authorities or bodies;
  2. binding corporate rules in accordance with article 47;
  3. standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93, paragraph 2;
  4. standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93 paragraph 2;
  5. a code of conduct approved in accordance with Article 40, together with binding and enforceable commitments by the controller or processor in the third country to apply adequate safeguards, including those relating to the rights of the interested parties;
  6. a certification mechanism approved in accordance with Article 42, together with binding and enforceable commitments by the controller or processor in the third country to apply adequate safeguards, including those relating to the rights of the interested parties.

- Specific authorisation will be required in all other instances, and therefore each coworking space and its Data Protection Officer must request authorisation from the Control Authority. Likewise, the supervisory authorities of each Member State will establish binding corporate rules regarding these matters.


4 CONCLUSION

Therefore, in order to comply with the GDPR, a coworking space MUST:

  1. Decide whether it needs to appoint a DPO
  2. Carry out a risk assessment of the processing of personal data that it performs
  3. Establish a procedure for the notification of security breaches
  4. Provide information to interested parties regarding the processing of their personal data, and review its procedures for collecting consent to the processing of personal data
  5. Establish procedures by which the interested parties can exercise their rights
  6. Select those responsible for processing (processors) who can offer sufficient guarantees, and regulate this relationship by means of a contract
  7. Check whether it engages in international data transfers.


It is important to bear in mind that under the new GDPR, very high penalties have been established for non-compliance, with maximum fines of 20 million euros, or between 2% and 4% of a company’s annual turnover, so it is vital that the enterprise ensures compliance with the regulations in order to avoid serious problems.

Remember to keep copies of the documentation relating to compliance with the GDPR (risk analysis, security breach notification procedures, etc.) to hand, in case the relevant Control Authority demands to see them in the event of an inspection.

And above all, consult the internal regulations of each of the countries you have dealings with, to see if they have limited or expanded compliance with the GDPR.


That’s a wrap! We hope you now have a much better understanding of how your coworking space needs to adapt to GDPR regulations. It’s a lot of information to process but Nexudus has faith in you!!