Access to personal data
In order to preserve confidentiality, and to minimize the risk of data exfiltration, access by members to personal data is very strictly regulated.
The DPO must approve access by any member to any personal data we store. This approval is not transitive: in other words, if the DPO approves your access to a particular collection of personal data, that does not give you the authority to grant access to that data to anyone else, including other members of the Company who may report to you or work on the same project. If you wish to share access to personal data with another member of the Company, make a request to the DPO and state the business case.
Do not share personal data with anyone who has not been approved by the DPO to see that specific data. This includes all possible communication media (e.g., do not disclose personal data verbally to someone not authorized to access the data) and any sub-parts of that data (e.g., do not disclose even a single piece of personal data to someone not authorized to access the entire collection of that personal data). Any violation of this rule is potentially quite serious:
- it is a breach of public trust;
- it could lead to substantial fines for the Company; and
- it may even be illegal, depending on the circumstances.
Do not take another member's word that they are authorized to access personal data. You must receive an explicit approval from the DPO for the specific member and specific personal data collection. Once approved, it is the responsibility of the DPO and the member's manager to manage (and potentially revoke) the member's access to that particular collection of personal data.
Be especially wary of phishing attempts and/or social engineering efforts to trick you into providing access to personal data to an unauthorized party.
If you are authorized to share personal data with another member, you must do so by giving that member access to the personal data via the same system that is already being used to process the data. For example, if you are authorized to share data in a CRM with another member, do not copy any personal data from the CRM into a chat system — you may only give the other member access to the data via their own account in the same CRM system.
Access to personal data shall be granted on a case-by-case basis. Do not assume that because you have access to personal data in one system, you should have access to personal data in another system.
Unless expressly authorized by the DPO, and unless it was specifically agreed to by the data subject who shared their personal data with us in the first place or required in order to run the business (e.g., payroll data shared with our third-party payroll processing service), you must not give access to personal data that we have collected to a third party. Note that this exclusion also applies to contractors and for-hire arrangements the Company may make with external agencies or individuals. Approved third-party data processors are obviously exempt from this rule, as this rule applies to third parties as data controllers, but if there is any doubt, request a clarification from the DPO. Generally speaking, this rule is relaxed for the following specific purposes where there is a clear legitimate interest, contract basis, or legal obligation:
- sharing members' business- and contract-related personal data (as is commonly necessary for the purposes of running the business);
- sharing members' tax status with the relevant tax authority; and
- sharing customers' payment processing data with third-party payment processors such as Stripe.
If you believe anyone (either a member of the Company or a third party) has access to personal data that they should not have access to, either intentionally or by mistake, inform the DPO immediately.
If you witness or know of anyone (either a member of the Company or a third party) sharing access to personal data with someone who you believe not to be authorized to access that data, record the date, time, and method of sharing, and inform the DPO immediately.