Optical retailers providing online services must ensure that the processing and documentation of personal data comply with the EU General Data Protection Regulation (GDPR). Accountability and keeping registers up to date whenever necessary are essential parts of routine data protection work.
The GDPR regulates, among other things, the collection, processing, and disclosure of personal data, as well as the related rights and obligations. Personal data includes, for example, names, phone numbers, and other information that can be linked to an identifiable individual, which optical retailers may have collected, for instance, for marketing purposes.
The processing of patient and health data included in the Kanta system is governed more specifically by the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (159/2007).
The GDPR also requires data controllers to ensure the accuracy of personal data and the proper maintenance of customer registers. According to data protection principles, personal data must be updated when necessary, meaning that inaccurate or incorrect data must be erased or rectified without delay.
Data protection principles must be followed at all stages of personal data processing. Since optical retailers act as data controllers for their customer registers, they must also be able to demonstrate compliance with data protection legislation.
Accountability of the data controller
Accountability is a key principle of the GDPR. For example, if a data controller detects a data breach, accountability enables them to demonstrate that they have actively sought to identify data protection risks and implemented appropriate measures to safeguard personal data.
Failure to demonstrate compliance with GDPR obligations may result not only in reputational risk but also in administrative penalties.
The purpose of accountability is also to show how the data controller respects the privacy of data subjects, i.e. individuals whose personal data is being processed. Implementing accountability increases trust in the data controller’s operations.
GDPR checklist for optical retailers
1. Record of processing activities
A record of processing activities is an internal organizational document intended to help the business owner understand how personal data is processed. Its purpose is also to demonstrate that personal data is handled in accordance with data protection legislation.
Supervisory authorities may, if necessary, assess the lawfulness of processing activities based on this record, which must be provided upon request.
More detailed guidance is available from the Office of the Data Protection Ombudsman:
https://tietosuoja.fi/en/record-of-processing-activities
2. Informing the data subject
The data controller must provide the data subject with all information related to the processing of personal data in a concise, transparent, intelligible, and easily accessible form. More detailed guidance is available here:
https://tietosuoja.fi/en/inform-data-subjects-about-processing
3. Secure processing of personal data
Both the data controller and the data processor must ensure that anyone with access to personal data processes it only in accordance with the controller’s instructions and data security principles. Staff competence must be ensured through onboarding and/or training. Confidentiality agreements can be concluded with employees when necessary.
4. Ensure accountability
The data controller must implement appropriate technical and organizational measures to meet accountability requirements. Accountability also implies a duty to document, meaning that certain measures must be carried out and recorded in practice.
The GDPR includes several accountability-related requirements, the applicability of which must be assessed on a case-by-case basis. The extent of accountability depends, among other factors, on the size of the organization, the volume of personal data, and the type of data being processed.
Data controllers must take accountability into account already at the planning stage of personal data processing.
More guidance on accountability is available from the Office of the Data Protection Ombudsman: https://tietosuoja.fi/en/accountability
Note: Under the GDPR, businesses are required to enter into a written agreement if they outsource the processing of personal data. In such situations, personal data is considered to be transferred to a data processor—that is, a service provider processing personal data on behalf of the data controller. Such service providers may include, for example, accounting firms or IT support providers.
