FREQUENTLY ASKED QUESTIONS
Any information related to a person (a Data Subject in GDPR language) that can be used to directly or indirectly identify that person qualifies as personal data. It can be anything related to the person: a name, a phone number, an e-mail address, a photo or a video, an address or location, a bank account number, the registration plate of one’s car, a social media account, etc.
The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach determines the fine imposed. A company that does not have its records in order or fails to report breaches to the authorities can be fined a maximum of 2% of its annual global turnover. The maximum fine a company can face is 4% of its annual global turnover or €20 million, whichever is higher.
The GDPR is a regulation, which means it comes into force as written and has binding legal effect in every member state. A directive, on the other hand, lets the member states decide how to achieve the goals it sets out and transpose them into national law.
Yes, any company that processes personal data of EU citizens must comply with the General Data Protection Regulation.
Organisations operating outside the European Union but employing EU citizens must comply with the GDPR requirements. This means that EU citizens can exercise their rights under the GDPR even if the company does not conduct any business within the EU.
All organisations that process personal data of EU citizens must comply with the GDPR, even when not operating on EU soil.
All companies processing personal data must comply with the GDPR, regardless of whether a payment is charged or not.
Article 4 (6) of the GDPR sets out the definition of a ‘filing system’. If the personal data that the company processes manually is in structured form and the processing is conducted in a database, then yes, the GDPR does apply. If the processing is one-off and the company does not use a database, then the GDPR might not apply.
There is a checklist for small and medium-sized businesses that the vast majority of them have to apply. It includes:
- Keep records of Data Processing Activities. Be ready to present the report of Data Processing Activities to your local Data Protection Authority.
- Manage customer requests based on the “new rights” the GDPR provides to persons. The most important ones include: a) Right to Know, b) Right to Data Portability, c) Right to be Forgotten.
- Have a list of your Service Providers (called Processors in GDPR language) who are processing Personal Data for you and conclude or amend an agreement with each of them to handle Personal Data processing issues.
- Manage Data Breaches and report these to your local Data Protection Authority.
Companies need to appoint a Data Protection Officer (DPO) if the company
- is a public authority,
- carries out personal data processing on a large scale regularly and systematically,
- engages in large scale processing of sensitive personal data.
If you do none of these activities, then you do not need to appoint a DPO.
The DPO generally has two main tasks: to monitor GDPR compliance operations within the organisation, and to interact with the supervisory authority and the data subjects whose data is being processed. The data protection officer might also inform and advise the organisation on other privacy-related matters and raise awareness by training the employees.
The data controller is the person or company who defines the purpose, means and conditions of how personal data is processed. The data processor processes personal data on behalf of the data controller and is usually an entity external to the data controller’s company.
Any company (or person) who deals with personal data on your behalf is called a Processor (in GDPR language). Examples of processors include marketing companies, accountants, payment and delivery service providers, IT/cloud providers, etc.
You have to list all your external service providers and the data processed by each of them (having access to data equals processing from the GDPR point of view), and conclude/review an agreement that defines the rules for handling your company’s personal data.
In case of a data breach, you need to inform the supervisory authority within 72 hours of the breach being discovered.
The notification has to state what was stolen or lost, how the data was protected (e.g. pseudonymisation) and how the breach may affect the persons whose data it was (Data Subjects in GDPR language). When the breach is severe and may affect persons to a high degree, the company needs to inform the possibly affected persons as well.
If the data processing and the collected data may result in a high risk to the rights and freedoms of natural persons, companies need to evaluate how their processing model may affect natural persons and how to protect these processes from external threats. These impact assessments are required if the company carries out (Article 35):
- systematic and extensive evaluation of personal data by automated means;
- processing large scale special category data or criminal convictions and offences;
- systematic monitoring of a publicly accessible area (e.g. cameras facing a public area).
If you are carrying out certain activities involving personal data (e.g. online marketing), you have to ask the persons concerned for consent.
Consent has to be asked for clearly and explicitly. It has to be separate from all other text, and it needs to be clear, freely given and specific, so that the person knows what they are giving it to. Pre-ticked boxes, silence or inactivity are not considered consent under the GDPR; therefore, companies need to ask for direct and formal consent.
Also, persons have the right to withdraw their consent (opt out) at any time they like. You have to make it as easy as possible to do so.
According to the GDPR, the data subject can withdraw their consent at any time. However, withdrawing consent applies only to future processing of personal data, not to data that has already been processed. If the consent obtained does not fulfil the requirements of the GDPR, the consent must be re-obtained.
Persons have the right to demand that companies delete personal data about them (this is called the “right to be forgotten” in GDPR terms). Companies must comply with the person’s demand and delete (or anonymise) their data. For example: if the person withdraws their consent, collecting and processing their personal data is no longer necessary (except in the case of an ended contract). The data has to be erased without undue delay (normally a maximum of 30 days).
In some cases (e.g. in order to comply with another law or legal obligation), the right to be forgotten does not apply.
The individual has the right to be informed about how and why their personal data is being processed. The grounds for processing are usually explained when asking the individual for consent. The individual also has the right to be informed after giving consent, meaning that the company should be able to provide the individual with concise, intelligible, easily accessible, free-of-charge and clearly written information about the processing.
The right to data portability means that a person can obtain their personal data from one service provider and reuse it at another for their own purposes in an easy and safe way. It allows data to be taken from one IT environment in a structured, commonly used and machine-readable format and moved into another without affecting its usability (where technically feasible).
Consent from the parents is required when processing data of children under the age of 16 for online services.
Digital marketing and direct marketing are based on the data that the company has collected; therefore, marketing activities must comply with the GDPR as well. Consent must be obtained from the data subjects, and existing consent forms must be reviewed. There are several guidelines that must be followed when initiating contact in B2B and B2C. Read more about B2B marketing and the direct marketing rules and exceptions under the GDPR.