GDPR Basics

Any information related to a person (Data Subject in GDPR language) that can be used to directly or indirectly identify the person qualifies as personal data. It can be anything related to the person: a name, a phone number, an e-mail address, a photo or a video, an address or location, a number of the bank account, a register plate of one’s car, social media account etc.

The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed.  Not having their records in order or failing to report any breaches to the authorities can be fined a maximum of 2% of their annual global turnover. The maximum fine a company can face is 4% of their annual global turnover, of €20 million, whichever is the highest.

GDPR is a regulation, which means that the regulation will come into force as such. Therefore, regulations have binding legal effect in every member state. Directive on the other hand means that the member states can decide how to achieve the goals set out in the directive and transpose them into national laws.

Yes, any company who is processing personal data of the EU citizens, must comply with the General Data Protection Regulation.

Organisations operating outside the European Union, but employing EU citizens, must comply with the GDPR requirements. This means that the EU citizens can exercise their rights according to the GDPR, even if the company does not conduct any business within the EU.

All organisations that process personal data of EU citizens must comply with the GDPR, even when not operating in EU soil.

All companies processing personal data must comply with the GDPR, regardless whether payment is charged or not.

Article 4 (6) of the GDPR sets the definition for a ‘filing system’. If the personal data that the company processes manually is in structured form and the processing is conducted in a database, then yes GDPR does apply. If the processing is one-off and the company does not use a database, then GDPR might not apply.

Organizational Procedures

There is checklist for small and medium-size businesses that vast majority of them has to apply. These include:

  • Keep the records of Data Processing Activities. Be ready to present the report of Data Processing Activities to your local Data Protection Authority.
  • Describe your Privacy Policy and communicate it to your customers as well as partners. As absolute minimum, publish it in your public website.
  • Manage customer requests based on “new rights” the GDPR provides to persons. Most important ones include: a) Right to Know, b) Right to Data Portability c) Right to be Forgotten.
  • Have a list of your Service Providers (called Processors in GDPR language) who are processing Personal Data for you and conclude or amend an agreement with each of them to handle Personal Data processing issues.
  • Manage Data Breaches and report these to your local Data Protection Authority.


Companies need to appoint a Data Protection Officer (DPO) if the company

  • is a public authority,
  • carries out personal data processing on a large scale  regularly and systematically,
  • engages in large scale processing of sensitive personal data.

If you do none of these activities, then you do not need to appoint a DPO.

The DPO has generally two main tasks. To monitor the GDPR compliance operations within the organisation and interact with the supervisory authority and the data subjects whose data is being processed. Data protection officer might also inform and advise the organisation on other privacy related matters and raise awareness by training the employees.

Data controller is the person or a company who defines the purpose, means and conditions of how personal data is being processed. Data processor processes personal data on behalf of the data controller and is usually external entity from the data controller’s company.

Any company (or person) that deals with personal data on your behalf are called a Processor (in GDPR language). Examples of processors include marketing companies, accountants, payment and delivery service providers,  IT /cloud providers etc.

You have to maintain a list of your external service providers (processors), and the data they process, and conclude/review an agreement that defines the rules for handling your company’s personal data. Please note that having access to or just storing the data, equals processing from the GDPR point of view.

With every processor, you should have signed a Data processing Agreement (DPA). You can find more information about DPAs here.

In case of a data breach, you need to inform the supervisory authority within 72 hours when the breach was found.

The notification has to consist of information what was stolen or lost, how the data was protected (ex. pseudonymisation) and how the breach may affect the persons, who’s data it was (Data Subjects in GDPR language). When the breach is severe, and it may affect persons with a high degree, then company needs to inform the possibly affected persons as well.

If the data processing and the collected data may result in a high risk of the rights and freedom of natural persons companies need to evaluate how their processing model may affect natural persons and how to protect these processes from external threats. These impact assessments are required if the company processes (article 35):

  1. systematic and extensive evaluation of personal data by automated means;
  2. processing large scale special category data or criminal convictions and offences;
  3. a systematic monitoring of a publicly accessible area (ex. cameras facing a public area)

Data Subjects

If you are carrying out certain activities involving personal data (e.g. online marketing), you have to ask consent from the persons.

Consent has to be asked clearly and explicitly. It  has to be separate from all other text, it needs to be clear, freely given and specific, so that the person would know, to what they are giving it. Pre-ticked boxes, silence or inactivity is not considered as consent by GDPR; therefore, companies need to ask a direct and formal consent.

Also, persons have the right to withdraw their consent (opt out) at any time they like. You have to make it as easy as possible to do so.

According to the GDPR, the data subject can withdraw their consent at any time. However, withdrawing the consent applies only to future processing of personal data, not to data that has already been processed. If the obtained consent does not fulfill the requirements of the GDPR, the consent must be re-obtained.

Right to be forgotten is individual’s (data subject’s) right to demand companies to erase or anonymise their personal data (this is called “right to be forgotten” or “right for erasure” in GDPR terms).

According to GDPR, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”. “Undue delay” should be understood as the latest within one month of receipt of the request for erasure or receiving identity verification or a fee, if such can be applied.

The data subject has the right to have their personal data erased if:

  • The personal data is no longer necessary for the original purpose of collection or processing.
  • The company is relying on a data subject’s consent as the legal basis for processing the data and that individual withdraws their consent.
  • The company is relying on legitimate interest as its legal basis, the data subject objects to this processing, and there is no overriding legitimate interest for the organisation to continue with the processing.
  • The company is processing personal data for direct marketing purposes and the data subject objects to this processing.
  • The company processed a data subject’s personal data unlawfully.
  • The company must erase personal data in order to comply with a lawful obligation.

However, a right to process someone’s data might override their right to be forgotten in the following situations:

  • The data is being used to exercise the right of freedom of expression and information.
  • The data is being used to comply with a lawful obligation.
  • The data is being used to perform a task that is being carried out in vital or public interest.
  • The data is being used for the establishment of legal defence or in the exercise of other legal claims.

The individual has the right to be informed about how and why their personal data is being processed. Grounds for processing is usually explained when asking for the consent from the individual. Individual has a right to be informed after giving the consent as well, meaning that the company should be able to provide the individual with concise, intelligible, easily accessible, free of charge and clearly written information about the processing.

What information do you need to provide?

  • The name and contact details of our organisation.
  • The name and contact details of our representative or data protection officer (if applicable).
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The categories of personal data obtained (if the personal data is not obtained directly from the individual).
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of the personal data to any third countries or international organisations (if applicable).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (if consent is used as a legal basis).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (if the personal data is not obtained directly from the individual).
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
  • The details of the existence of automated decision-making, including profiling (if applicable).

Right to Data portability for person means possibility to obtain his personal Data from one service provider and reuse it at another for his own purposes in easy and safe way. It allows to get data from one IT environment in structured, commonly used and machine-readable format and put that into another without affecting its usability (if technically possible).

According to GDPR Article 16, The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The data controller should take reasonable steps to ensure that the data is accurate and to rectify the data if necessary. The controller should take into account the arguments and evidence provided by the data subject.

Consent from the parents is required when processing data of children under the age of 16 for online services.

Digital marketing and direct marketing are based on the data that the company has collected, therefore marketing activities must comply with the GDPR as well. Consent must be obtained from the subjects and existing consent forms must be reviewed. There are several guidelines that must be followed when initiating contact in B2B and B2C. Read more about marketing in B2B and direct marketing rules and exceptions under the GDPR.

GDPR Terminology

“DPO” is meaning a Data Protection Officer. The role of the data protection officer (DPO) is to ensure that organisation processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules. Data protection officers are responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements.

DPO assists the organisation with monitoring it’s internal compliance, informs and advises on data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs) and acts as a contact point for data subjects and the supervisory authority.