
Standards for data availability for internal employees [migrated]

Çağlar Arlı

Our organization possesses a lot of personal data, and when we provide the data to external partners we are very strict on complying with all the data confidentiality rules, recommendations, etc. The external partners must provide a valid reason to get the personal data. We work in the EU, so the GDPR is our base document when dealing with personal data. There is the data minimisation principle:

Personal data shall be:
<...>
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

We currently interpret this principle on the level of the organization, i.e., the whole organization is the data "processor".

But we often debate how to deal with personal data access for internal employees. My understanding has always been that data access internally should be regulated according to the same standards as externally. But I am having a hard time proving this to fellow employees.

Does the GDPR's data minimisation principle apply to every employee individually? Is there another data-protection-related document/article which I could provide or even cite to my colleagues, saying that internal and external information security should comply with the same standards?