Are you aware of all the rules that apply to your situation?
Personal data may not be used, for example, if a so-called ‘basis’ is lacking, such as permission or a necessity within the scope of the fulfilment of an agreement. Anyone buying something at a web shop must enter his contact data. The seller is allowed to use those data for the settlement of that sale. However, those data may not automatically be used for other purposes.
The data may be used for other purposes only if the seller has informed the buyer beforehand that he intends to make further use of those data, and for which purposes, and the buyer has given him permission to do so.
Whether permission must be given tacitly or explicitly depends on the type of data. Sensitive information such as health data requires explicit permission.
Apart from that, you must take appropriate technical and organizational measures that ensure protection of the collected personal data. If you use the services of a third party for the processing of personal data, you will have to enter into a processing agreement with this party. Examples are the external payroll administrator, your SaaS supplier or the cloud.
There are two types of reporting obligation: a general reporting obligation for the mere fact that you process personal data, and a reporting obligation for data leaks.
Pursuant to the general reporting obligation, you must report to the Data Protection Authority that you are processing data and which data. Fortunately, exemptions apply to the usual processing of data with regard to personnel administration, the client base and the ICT network. These exemptions, in turn, contain conditions that must be met, and most companies are not aware of them.
Pursuant to the reporting obligation for data leaks, you must report to the Data Protection Authority, and under certain circumstances also to those involved, if a data leak occurs. A data leak is any breach of personal data security that has or is likely to have a serious adverse impact on the protection of personal data.
Applying all the rules in a specific case requires thorough knowledge of those rules and of their application in practice. PlasBossinade has that knowledge and will gladly assist you.