The personal data rules apply to manual (hard/paper copies) and electronic information about any living individual (the “data subject”). The GDPR applies to both data ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data. The processor is responsible for processing data on behalf of a controller.
Both controllers and processors have legal responsibilities under GDPR. Processors must ensure they maintain records of personal data and processing activities and are legally liable for any breaches of the way in which data is handled. Additionally, controllers must ensure that their contracts with processors comply with GDPR.
Motor retailers, lenders and brokers can be data controllers, data processors or both depending on how they use the data provided by the customer.
Personal data is any information that can directly or indirectly lead to the identification of a person, such as name, ID number, mobile phone location and online data. GDPR applies to all formats in which data can be stored, such as electronic and manually held data (hard/paper copies).
Sensitive personal data
There are specific provisions relating to special categories of personal data such as: race or ethnic origin; political opinions; religious beliefs; trade union membership; health; sexual orientation; genetic and biometric data; and criminal proceedings or convictions.
Sensitive personal data can only be processed with the explicit consent of the individual if it is required by law for employment purposes, or if dealing with the administration of justice or legal proceedings. It can also be processed if it is necessary to protect the interests of the individual or another individual.
The data subject’s express consent should be obtained before any data is used for marketing purposes. Unsolicited marketing by mail should not be undertaken if an individual is registered with the Mailing Preference Service, or by telephone if an individual is registered with the Telephone Preference Service.