Lately, our personal data has become a trading good, collected and used by companies and governments. This raises concerns about our fundamental right to privacy and about who we should trust to control these data. Personal data are also harvested to shape product design and to align products with customer needs.
This is why consent over how personal information is managed matters. Digital interconnectivity and technological progress are important, and so are our civil liberties. Striking a balance between commercial gains, data security and privacy rights is a constant challenge.
Since 2018, EU-based legal entities collecting and storing private data must be GDPR compliant. Personal data collection plays a strategic role and offers insights into customers’ behaviour. However, if an organisation does not comply with GDPR provisions, that same data collection can damage its reputation and expose it to financial penalties.
Personal data is information that can identify us, such as our names, email addresses, phone numbers, locations, and credit card data. In the EU, the privacy rights protected by GDPR mainly concern the protection, access, and correction of personal data.
GDPR’s provisions allow us to see who has accessed our private data and what they have done with these data; their role is to prevent the misuse of personal data. Compliance with these provisions is actively verified, as the rising number of fines shows.
GDPR individual rights protection and EU AI Act
Employers are using AI not only for recruitment and people operations but also in decision-making. The possibility of personal data being misused raises concerns about transparency, the validity of the consent given, and the potential for bias in automated decisions.
Advances in AI technology are changing data protection requirements and privacy rules. The recently adopted EU AI Act aims to address risks to safety and fundamental rights while remaining consistent with GDPR provisions. As organisations develop and deploy AI systems, automating the decision-making process adds further concerns about data privacy and individual rights.
GDPR provisions on automated decisions state that we have the right not to be subject to solely automated decisions involving the processing of personal data that produce legal or similarly significant effects. This lets us retain control over decisions affecting us and protects individual rights against potentially harmful automated decisions. Automated decision-making can apply to recruitment, credit scoring, monitoring employee performance, admissions and grading in educational systems, patient safety and care, and more.
According to European authorities, the EU AI Act obliges AI system providers to disclose certain information and act transparently, enabling a better understanding of the large language models (LLMs) they use. They also need policies to respect copyright law and to address racial and gender bias.
Exposure to risks because of lack of transparency
Data usage has significant legal and reputational implications for businesses, regardless of scale. Both big and small companies may face public suspicion and legal penalties if they do not disclose how they collect, store, and use data. Under GDPR, users must be informed and offered consent choices for the private data collected about them. Even small websites that rely on third-party services or analytics need cookie notices and data collection terms.
Browsing data can be turned into marketing tools that predict customers’ future choices. Cookies can collect data such as IP addresses, login data, geo-locations, time spent on web pages, and bookmarks. All of these browsing data are potentially private information, depending on the business’s operations and the type of cookies accepted.
These regulations also affect business relationships with countries outside the EU whenever data are collected from EU citizens. Most companies processing personal data inside the EU, or doing business with companies outside the EU, have responsibilities under GDPR. Any type of organisation located in the EU, or with legal branches there, must comply with GDPR.
Companies outside the EU that offer services involving the processing of EU citizens’ personal data have the same obligations: providers based outside the EU that target EU customers are subject to the GDPR.
Hiring requirements and personal data
Information such as ethnic origin, biometric data, state of health, or disabilities is sensitive data that raises real concerns about privacy and safety. Recruitment agencies and employers handle the selection and hiring process online and ask for candidates’ consent to process these data.
Consent and contractual obligations are two of the most important grounds for allowing personal data processing. Consent granted by an employee to an employer covers processing for a clear and specific purpose only. Additionally, consent must be voluntary, specific, informed and given through a clear affirmative action. Organisations must also make it easy for people to withdraw their consent, since the purpose of data processing can change at any moment.
Most companies use Applicant Tracking Systems (ATS) to handle privacy obligations, which are now a constant and repetitive task for HR. Candidates provide employers with a CV, social media profiles, and possibly copies of professional qualifications. Employers can then collect and process these data under GDPR provisions and ask candidates for clear and specific consent.
Personal data and balance between interests and privacy rights
Contractual obligations are another basis for personal data processing. Whenever we sign a contract, personal data are involved, which is why GDPR and the related legal requirements must be respected. For example, if you sign an employment contract, the employer will need to process your data to meet its legal obligations under that contract.
Lawmakers are trying to balance businesses’ legitimate interests in data analytics with people’s privacy rights. The imbalance arises from the tension between what businesses want to offer and our willingness to grant them access to private data such as location, phone number, email, and other personal data.
Lawful reasons to process personal data
According to GDPR, legitimate interests should be the main reason for asking people for consent. But this so-called legitimate interest changes over time, so requesting consent is a repetitive activity for companies that process personal data. Each EU country has a supervisory authority that monitors and enforces compliance with the GDPR provisions.
However, we keep moving back and forth between protecting our privacy and the need for data processing from a security or business operations standpoint. In this context, GDPR’s basic principles, such as purpose specification, data minimization, and transparency requirements for systematic data collection, become the provisions that create balance.
Why should we be interested in companies complying with GDPR?
- Trust. By applying and enforcing private data regulations, companies can gain the trust of their customers and employees and be perceived as trustworthy guardians of private data.
- Protection. Whether as customers or employees, we entrust companies with sensitive data that could be misused. Regulations provide a framework for handling abuse and possible misbehaviour.
- Control. We gain some control over the personal data provided to different legal entities through our right to request deletion or correction of our data. For instance, during a recruitment process, you can withdraw your consent if you are no longer interested or change your mind.
Depending on the organization’s complexity, personal data regulations are not easy to apply, and there are still debates about how and when they should be implemented. However, the protection of personal data will always matter, because sharing it comes with benefits but also with risks. If we value our privacy, we will always need to be aware of the data protection regulations that apply to us.