What is GDPR (General Data Protection Regulation)

Our privacy professionals created this GDPR long read to explain all the important rules in one article. We paid particular attention to the topics that confuse many employees.

Now let’s study the GDPR step by step.

What is GDPR?

Have you ever wondered where the fingerprints or face scans used to unlock your smartphone are stored? Or why, when placing an order in an online store, you are asked to enter your date of birth, which seems to be superfluous information for a purchase? Can anyone access your health record at the clinic? How do companies find your phone number to contact you about an exhibition or a sale? And what do social networks know about their users?

Every day we share what is commonly called personal data: when dating or communicating, looking for a job, making an appointment with a doctor, ordering goods or paying for services. And we do all of that without thinking about what will happen to these data afterwards.

So why do we need the GDPR? With the advent and development of technology, people have become more generous with personal data, because in return they get convenience and comfort. We are so used to it that we cannot imagine our world any other way. However, does this mean that it is safer to live now? Not at all. Any piece of information can very well be used against us. And, alas, we, the data subjects, have lost control over our data in the new digital reality.

The European Union has taken this issue seriously. As a result, on April 27, 2016, the General Data Protection Regulation was adopted. The new law came into force only two years later (May 25, 2018), so that businesses had enough time to prepare. The GDPR rules fundamentally changed the previous legal framework of privacy protection in Europe, which was almost two decades old. And of course, it raised a lot of questions: what should we do? Who should we contact? How dangerous is non-compliance?

What is personal data?

In all matters related to the implementation of the Regulation, the concept of “personal data” plays an important role, because the GDPR only applies where personal data exist. Let’s examine the definition in more detail.

Personal data

It is any information relating to an identified or identifiable natural person (“data subject”, i.e. a person).

Identified individual

It is a person whose identifier (name, phone number, personal ID, login, etc.) is contained among the data.

Identifiable individual

It is a person who can be identified, that is, who can be distinguished from other people.

Personal data is not only the identifier itself but also the information that relates to a person. And there are certain nuances as well.

Without an identifier, the information becomes anonymous. Related information together with an incomplete identifier constitutes personal data only where it is possible to carry out additional “investigation” without special devices and without excessive time and effort.

That is, if we have no reasonable opportunity to identify the data subject, then such information is not personal but anonymous.

For example, personal data includes information describing the data subject – Ivan Kupala is 38 years old and a lawyer. In this case, personal information is not only the person’s name but also his profession and age.

If we don’t know the full name, but we know that someone named Ivan in our city is 38 years old, that information will be anonymous to us.

However, if we are told that someone named Ivan is 38 years old, lives in our city, and works at a small law firm called “Kupala & Associates Law Office”, we will be able to easily identify the person. This information would be classified as personal data.

In simple terms, name, passport number, ID card, username, nickname, email address, phone number, IP address, bank card details are always personal data because they are identifiers. A vehicle number, handwriting, video, or photo are likely to constitute personal data because they make it easy to identify a person. Whereas address, marital status, sex, gender, e-wallet details, health data, page views, search queries, social media posts are personal data provided it is known to whom exactly they relate.

It is important to note that the definition of personal data is gradually changing. Previously, before the era of computers and cell phones, for data to be considered personal data, it was sufficient that a person could hypothetically be identified by anyone on Earth using that data. Now, this criterion is narrowed down only to the circle of people who can potentially gain access to this data and use it for identification purposes.

Based on all of the above, our privacy expert Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP, created his original formula for personal data.

What rights did people get thanks to the GDPR?

First of all, the new regulation was adopted because of technological progress, which puts people at risk of losing their right to privacy. We have already explained what privacy is and how it dissipates in the modern world. Now let’s talk about the rights that we, as data subjects, can exercise under the GDPR.

Each person has the right to receive their personal data or to get access to them. This right extends not only to the information that the data subject provided themselves, but also to the information that a company (data controller) has collected about them. Here you can find more details about the roles of the controller and the processor. The data subject may not even suspect that such collection has taken place, and this right enables the data subject to find out about:

How shall a company provide the data subject with the information? The company must provide personal data in whatever form the person requests: it can be an email or a paper document. Alternatively, the company can give the person access to their data, for example, in their personal account. According to the Regulation, data are provided free of charge. Only in exceptional cases is the company entitled to charge the data subject a fee, for example for making additional copies or for providing an overly large amount of information.

In other words, this is the right to be forgotten. The data subject has the right to obtain from the controller the erasure of personal data concerning him or her. But it is not that simple. The GDPR lists only a few grounds on which this right can be exercised:

If the personal data are no longer necessary in relation to the purposes for which they were originally collected.

Indeed, according to the principle of storage limitation, the data should have been deleted anyway.

If the person withdraws their consent to the processing.

When the legal basis for the processing is consent.

If the personal data have been unlawfully processed.

In this case the controller should thank the data subject for contacting the company and not complaining to the supervisory authority.

Let’s take a closer look at the last point.

Article 8 of the Regulation deals with the processing of personal data of children. The child’s consent is valid only if: 1) the child is at least 16 years old, or 2) in addition to it, the consent / permission of a parent has been obtained. The fact is that children do not always understand what their actions on the Internet can result in. Therefore, when you receive a request to erase such data, you need to do it immediately.

For example, 22-year-old Maria noticed that 8 years ago she registered on various gaming sites that collected and processed her personal data. Parents confirmed her consent to participate in various promotions and sweepstakes on these sites. And now when the GDPR is in effect, Maria can obtain the erasure of all information about her participation in promotions and sweepstakes, which was collected when she was still a child.

The right to be forgotten is not an absolute one. For instance, it is balanced by the freedom of speech and press and the necessity of processing for archiving purposes in the public interest, scientific and historical research.

“Restriction of processing” can be understood as “freezing of processing”. The data is still stored but not used in any way.

The data subject has the right to object to processing of personal data concerning him or her. However, this right can only be exercised if the processing is based on a legitimate or public interest.

The controller is obliged to consider the objection, analyze the situation and decide whether this processing is important to the company or the public, or whether the interests of the person prevail in this particular case.

NB! If the subject objects to processing for direct marketing purposes, the processing should be stopped immediately.

In the modern world, due to the rapid development of information technology, decisions are made not only by people but also by automated means. The GDPR gives data subjects the right to object to decisions made by a computer without human involvement, since the algorithm could be erroneous or biased.

However, this right does not apply if:

The data subject has the right to lodge a complaint with a supervisory authority in the place of his or her habitual residence, place of work or place of the infringement (i.e. the controller’s place). E.g. a data subject who lives and works in Moscow has the right to lodge a complaint with the supervisory authority in Paris if his or her rights were infringed by a French company. The supervisory authority shall consider the complaint and inform the complainant of the progress and the outcome of the complaint. If the data subject is not satisfied with the outcome of the complaint, he or she has the right to a judicial remedy (Article 78 GDPR).

In the case of an infringement of the GDPR, the controller (or processor) must not only pay a fine but also provide the data subject with compensation for any damage caused by the processing. More information about the right to portability, the right not to be subject to automated decision-making, the right to lodge a complaint with a supervisory authority and the right to compensation can be found here.

All of the above confirms the relevance and importance of the Regulation. Today the Internet has become an essential part of almost everyone’s life, and our personal data are far from safe. Therefore, it is very important for everyone to be aware of the rights they have under the GDPR. In order to avoid problems with customers and supervisory authorities, companies shall inform users about their rights. This is required by Articles 13 and 14 of the GDPR. Typically, compliance with this obligation involves the publication of a Privacy Policy / Notice. We have developed a complete GDPR checklist for such policies / notices.

Data processing principles

Directive 96/46/EC, the predecessor of the Regulation, changed European legislation on the protection of personal data considerably. However, the GDPR spelled out these rules in more detail. This also applies to the six basic principles for processing of personal information in the most important article of the law, Article 5 of the GDPR. Let’s look at them more closely.

Principle of lawfulness, fairness and transparency

Personal data can only be obtained by lawful means. There are only six lawful bases (Article 6 GDPR):

Before you collect data, you need to find one lawful basis (legal ground) in this list that fits your situation. If nothing fits, the processing will be illegal and you will infringe the Regulation. Fines for unlawful processing of personal data are widely applied and they are quite high.

Also, this principle requires that the data of various people be processed without discrimination or deception, that is, fairly. So there is an infringement when you use phone model information to charge higher prices to the owners of certain models.

Transparent processing means that people have access to information about the purpose, timing, and scope of the processing in as clear and simple a way as possible. It is important that people who have no specific knowledge of the GDPR can understand what is being talked about. Subjects should not have any further questions on why and on what basis their data are being processed.

The principle of purpose limitation

For any processing, the company shall indicate a specific purpose and then strictly adhere to that purpose without going beyond it. For example, if you request a customer’s address to deliver a product to him, you may not send Christmas greetings to that address, because that’s a different purpose that you didn’t define.

The principle of data minimization

It follows from the previous principle that every processing must have a specific purpose and the company must not go beyond that purpose. The data minimization principle, on the other hand, states that companies cannot collect unnecessary customer data. Unnecessary data are those without which the purpose still can be achieved. I.e. the companies are not allowed to process data which are not needed to meet the defined purpose. If you request the information to deliver a product to a customer, an address and phone number for prompt communication is enough, but the date of birth would be unnecessary for your purpose.

The principle of accuracy

Personal data must be accurate and up-to-date to the extent that it accomplishes the stated purpose. Following the Regulation, the company must take all necessary steps to update or delete incorrect information. For example, if a regular customer changes his or her address, we must correct it in our system so that the customer receives his or her package.

The principle of storage limitation

Once all defined purposes have been met, the information should be erased. The storage limitation principle means that personal data cannot be used for longer than it is needed to fulfill the purpose of processing. For example, if someone ordered a pizza from your restaurant one time, you should no longer have that address in your system the next day, because the pizza was delivered (purpose achieved).

The principle of integrity and confidentiality

Personal data have always posed a risk to their subjects. But in the era of the information society, the amount of data and the level of threats have increased, and therefore the Regulation obliges controllers to protect personal data from unauthorized or accidental access, damage or destruction. It is especially important in the 21st century to build an information security system that prevents data breaches.

For example, when delivering medicines at home, we must hide from the recipient the names of other buyers on the list, say, by simply covering them with a piece of paper when the person signs for delivery.

The principle of accountability

Under the Article 5(2) of the GDPR, we are required at all times to be able to demonstrate that we have complied with all of the above principles. Moreover, failure to prove compliance is tantamount to non-compliance (presumption of guilt).

For example, if we are unable, through internal documentation or a demonstration of software functionality, to prove that our system erases the addresses to which pizzas were delivered, then we have infringed the principle of accountability. A supervisory authority can issue us a fine without having to delve into investigating whether or not we are actually storing data longer than necessary.
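The storage limitation and accountability principles above amount to a concrete engineering requirement: erase the personal data once the purpose is achieved, and keep evidence that the erasure happened. The following Python is an added example written for this page, not code from the original article or from DPO Europe; it uses the pizza-delivery scenario from the text with constructed orders, and the one-day retention window after delivery (`retention_after_delivery`) and the class and function names are assumptions of the example. The audit log is what you would show a supervisory authority instead of asking it to take your word for it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Order:
    order_id: str
    address: Optional[str]            # personal data held for one purpose: delivery
    delivered_at: Optional[datetime]  # None until the purpose is fulfilled


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    order_id: str
    action: str
    reason: str


class DeliveryStore:
    """Keeps delivery addresses only until the delivery purpose is fulfilled,
    then erases them and records the erasure so compliance can be demonstrated."""

    def __init__(self, retention_after_delivery: timedelta = timedelta(days=1)):
        # Assumed retention window: the text says the address should be gone "the next day".
        self.retention_after_delivery = retention_after_delivery
        self.orders: List[Order] = []
        self.audit_log: List[AuditEntry] = []

    def add(self, order: Order) -> None:
        self.orders.append(order)

    def purge_fulfilled(self, now: datetime) -> List[str]:
        """Erase addresses whose delivery happened before the retention window.
        Returns the ids erased on this run; each erasure is written to the audit log."""
        erased: List[str] = []
        for order in self.orders:
            if order.address is None or order.delivered_at is None:
                continue  # already erased, or purpose not yet achieved
            if now - order.delivered_at >= self.retention_after_delivery:
                order.address = None
                self.audit_log.append(AuditEntry(
                    when=now,
                    order_id=order.order_id,
                    action="erase_address",
                    reason="purpose fulfilled (delivered); retention window expired",
                ))
                erased.append(order.order_id)
        return erased

    def evidence_for(self, order_id: str) -> List[AuditEntry]:
        """The records we can show an auditor or supervisory authority for one order."""
        return [e for e in self.audit_log if e.order_id == order_id]

    def addresses_held(self) -> int:
        return sum(1 for o in self.orders if o.address is not None)


def demo_purge(now: datetime = datetime(2024, 5, 25, 12, 0, tzinfo=timezone.utc)) -> DeliveryStore:
    """Constructed sample data: one delivery two days old (must be erased),
    one delivered an hour ago (still inside the window), one not yet delivered."""
    store = DeliveryStore()
    store.add(Order("A1", "1 Example Street", now - timedelta(days=2)))
    store.add(Order("B2", "2 Example Street", now - timedelta(hours=1)))
    store.add(Order("C3", "3 Example Street", None))
    store.purge_fulfilled(now)
    return store


if __name__ == "__main__":
    s = demo_purge()
    print("addresses still held:", s.addresses_held())
    for entry in s.audit_log:
        print(entry.when.isoformat(), entry.order_id, entry.action, entry.reason)
```

Running the purge on a schedule and keeping the audit log separate from the order table (and write-once) is the part that satisfies accountability: the orders table shows that the address is gone, and the log shows when and why.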

We hope you now have an idea of all the data processing principles of GDPR. However, this is only the first step. The regulation is not just a set of rules that you can learn and universally apply. There are a lot of exceptions, so if necessary, don’t be afraid to turn to professionals who can help you build the right path to a properly aligned GDPR data protection system.

Territorial scope of the GDPR

Any company whose business activities are somehow related to the European Union should consider GDPR compliance. You don’t even have to have offices in EU countries to be subject to the Regulation.

Now let’s explain how you can determine whether your company needs to be GDPR compliant with regard to a particular business process.

Yes, you heard it right. GDPR doesn’t apply to companies, but to particular business processes (“processing”) using personal data. For some companies, all processing will be subject to GDPR, but for others, only some processes. Let’s find out which ones.

First, ask yourself the question: “Is there personal data used in this process?”

Is the answer positive? Then there are five more steps ahead. However, in some cases, you only need one “yes” for the GDPR rules to apply to the relevant process in your company.

Step 1: Does your company have organizational units within the EU?

Before answering this question, we need to understand the concept of ‘establishment’. According to the recital 22, an establishment does not have to be a legal entity. It can be not only a branch or representative office, but also an office, a remote workplace, or even a single employee. If your company has any of the above in any of the EU countries, and that establishment is processing data, then the GDPR is mandatory for that processing.

Let’s explain using the Weltimmo precedent. A company registered in Slovakia also operates in Hungary, where it has a mailbox, a bank account and a representative. The question arose as to which country’s law – Slovakia’s or Hungary’s – applies to the activities the company carries out through its representative in Hungary. After a hearing, the Court of Justice of the European Union (CJEU) decided that Hungarian law was applicable. The reasoning was that the organization has a representative in Hungary, even if not registered as a branch, sends and receives letters at a Hungarian address, uses an account with a local bank, and therefore carries out regular work in Hungary.

The GDPR also applies to non-EU processing carried out in the context of the activities of that establishment, i.e. processes in your non-European company (subsidiary or parent) that are closely related to the activities of the European entity. For example, in González v. Google Spain the Court recognized that search indexing, a processing of personal data carried out in the United States, takes place in the context of the activities of the Spanish entity Google Spain, and therefore must comply with European rules.

If you answered ‘yes’ to this Step, then the GDPR applies to your processing of personal data and you do not need to go through the rest of the Steps of the scheme. You can now run the next processing through the scheme.

Step 2: Is the data subject in the EU?

It’s not about citizenship. It’s about where the data subjects are located. If you’re working with personal data from people in the EU, go to Step 3. If your subjects are outside the EU, you need to comply with the national laws of the country where the processing takes place (e.g. 152-FZ in Russia).

So, if you have a Spanish citizen working in your office in Moscow, the GDPR does not apply to the processing of his or her information. You don’t need to go through other steps of the scheme.

If one of the data subjects is physically located in the EU, then go to Step 3.

Step 3: Is your processing related to the offer of goods and services to EU entities?

You are currently in this step of the scheme if your company, which does not have any establishment in the EU, sells goods or provides services to Europeans, e.g., via the Internet. In this case, it doesn’t matter whether you charge your customers or not. For example, the free version of the mobile app that you downloaded is also a service.

Since the Regulation applies to the particular processing, you need to analyze a separate process. The processes can be different, for example:

In the above list, retargeting / remarketing is a direct offer of a good or service, and the evaluation questionnaire and password recovery are connected with the provision of a service. Hence, for these processing operations we answer ‘yes’ to question #3 and move on to Step 4.

But hiring employees to the Moscow office is a processing of personal data not directly related to the offer of goods and services to Europeans. The job offer is neither a product nor a service. Therefore, according to the scheme, we go straight to Step 5, where we will check whether we are monitoring the behavior of candidates for the position.

Another example: a Ukrainian online education platform sells its programming courses in English all over the world, including the EU. Question: does the platform need to comply with GDPR? The online courses on this platform are services and we answer ‘yes’ to the question #3. So we need to go to Step 4 to find out if the activity is aimed at at least one EU country.

Step 4: Do you cover the possibility to provide goods and services to the subjects in the EU?

In fact, this is a question about presence in the European market. Sometimes it can be unclear whether GDPR applies when you receive an order from a person from the EU. In that case, the question to ask is, “Did you intend to offer goods or services in the EU, or is the order incidental?” The answer to this question is not always obvious.

For example, a store from Grodno (Belarus) sells designer clothes. The company’s website is available in Russian, Belarusian and English. Orders are accepted in any currency, and delivery is worldwide. It can be assumed that there is a targeting on the EU market. So, if an order comes from someone who lives in the European Union, you have to comply with the GDPR when processing the order.

Reverse example. The store is located in Minsk and delivers flowers around the city for Belarusian rubles. At the same time, a resident of Poland ordered flowers on the store’s website to deliver them to his girlfriend from Belarus. Since the store initially targets only Minsk citizens and does not intend to go outside the country, the Pole who placed the order will not be protected by the GDPR.

So if you answer ‘yes’ to the question about being in the EU market in Step 4, then the GDPR will apply to your processing. If your answer is “no,” then skip to Step 5.

Step 5: Does the processing involve monitoring the behavior of individuals who are in the EU (e.g., using Google Analytics)?

“Monitoring of behavior” involves surveillance and subsequent behavioral analysis/profiling of individuals. Mostly non-EU companies do this via the Internet in order to predict people’s personal preferences, behavior and attitudes.

Consequently, if you are monitoring your European consumers, this process is governed by the GDPR.

An example of monitoring would be tracking users’ behavior on a website using cookies. This allows you to offer them more relevant products or services, which is often used by online store owners.

A few more cases from the supervisory authority’s guidelines:

A U.S. consulting company advises a mall in France on retail layouts. To do this, it uses WiFi to analyze the movements of people in that mall. In this case, analyzing the movements of shoppers is monitoring their behavior. Since the mall is located in France, the data is also obtained from there. Therefore, the GDPR will apply to this processing.

A developer of mobile fitness apps in Canada analyzes the physical activity of users around the world to optimize performance and improve service quality. This processing is also governed by the European Regulation.

So if you answered the monitoring question positively, the GDPR will apply to the processing. If it’s negative, then you don’t need to apply GDPR to the processing. Don’t forget, though, to comply with your national data protection laws.
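Steps 1 to 5 above form a short-circuiting decision procedure, and it is easy to get the order wrong (for instance, checking targeting before checking whether any data subject is in the EU at all). The following Python is an added example written for this page, not code from the original article or from DPO Europe: it encodes the scheme as a function and runs the article’s own scenarios through it as constructed inputs. The `Processing` record, the function names and the scenario labels are assumptions of the example; the Article 3 references in the returned reasons are my own addition (Article 3 GDPR is where the territorial scope rules live), the article itself does not cite them.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Processing:
    """Answers to the questions of the territorial-scope scheme for ONE processing
    operation (the GDPR applies per processing, not per company)."""
    name: str
    uses_personal_data: bool            # gate question before Step 1
    eu_establishment_involved: bool     # Step 1: processing in the context of an EU establishment
    data_subjects_in_eu: bool           # Step 2: are the people physically in the EU?
    related_to_goods_or_services: bool  # Step 3: offer of goods/services (paid or free)
    targets_eu_market: bool             # Step 4: intended presence on the EU market
    monitors_behaviour_in_eu: bool      # Step 5: tracking/profiling people in the EU


def gdpr_applies(p: Processing) -> Tuple[bool, str]:
    """Walk the scheme in the order the article gives and stop at the first decisive answer."""
    if not p.uses_personal_data:
        return False, "no personal data involved: GDPR does not apply"
    if p.eu_establishment_involved:  # Step 1 'yes' ends the scheme
        return True, "Art. 3(1): processing in the context of an EU establishment"
    if not p.data_subjects_in_eu:  # Step 2 'no' ends the scheme
        return False, "data subjects are outside the EU: national law applies instead"
    if p.related_to_goods_or_services and p.targets_eu_market:  # Steps 3 and 4
        return True, "Art. 3(2)(a): offering goods or services to people in the EU"
    if p.monitors_behaviour_in_eu:  # Step 5 is reached from Step 3 'no' or Step 4 'no'
        return True, "Art. 3(2)(b): monitoring the behaviour of people in the EU"
    return False, "no EU establishment, no EU targeting, no monitoring: GDPR does not apply"


def page_scenarios() -> Dict[str, Processing]:
    """Constructed encodings of the examples used in the article."""
    return {
        "weltimmo_representative_in_hungary": Processing(
            "Slovak company working through a Hungarian representative",
            True, True, True, True, True, False),
        "spanish_citizen_in_moscow_office": Processing(
            "HR data of a Spanish citizen employed in Moscow",
            True, False, False, False, False, False),
        "grodno_clothes_store_eu_order": Processing(
            "Belarusian web shop with worldwide delivery and any-currency checkout",
            True, False, True, True, True, False),
        "minsk_flower_shop_polish_customer": Processing(
            "Minsk-only flower delivery ordered by a Polish resident",
            True, False, True, True, False, False),
        "moscow_hiring_no_tracking": Processing(
            "Hiring for the Moscow office, candidates living in the EU, no profiling",
            True, False, True, False, False, False),
        "us_consultancy_wifi_in_french_mall": Processing(
            "US consultancy analysing shopper movements via WiFi in a French mall",
            True, False, True, False, False, True),
        "aggregate_stats_without_identifiers": Processing(
            "Anonymous aggregate counts only",
            False, False, True, True, True, True),
    }


def run_all() -> Dict[str, bool]:
    """Map each scenario label to whether the GDPR applies to it."""
    return {label: gdpr_applies(p)[0] for label, p in page_scenarios().items()}


if __name__ == "__main__":
    for label, p in page_scenarios().items():
        applies, reason = gdpr_applies(p)
        print(f"{label:40s} {'GDPR' if applies else 'national law':12s} {reason}")
```

The function deliberately returns the reason alongside the verdict: in a Records of Processing Activities (RoPA) entry you need to be able to say why a process is in scope, not just that it is.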

As we can see, the scope of GDPR is very broad. A large number of small, medium and large businesses both within and outside of the EU that process their customers’ personal data fall under its scope. We’ve highlighted the list of companies that shall definitely pay attention to GDPR compliance:

The Regulation is one of the most pressing issues of concern to entrepreneurs around the world. But GDPR compliance turns into a competitive advantage. You need to put some time and effort to achieve compliance, and in return you will receive respect and trust of customers and partners.

What do you need to do to comply with the GDPR?

Obviously, if you’ve got to this point, whether to implement the GDPR or not is out of the question. Let’s talk about the specific actions a company needs to take in order to comply.

GDPR compliance is, first of all, the alignment of a company’s business processes with the rules of the Regulation. According to the international ISO standard, implementation of the GDPR includes the following measures.

  1. Identify the context of a company, determine the needs of it with regard to protection of personal data, as well as the persons involved and interested in this and the scope of work. In other words, it is necessary to check the map, select allies and formulate a goal.
  2. Enlist the support of the company’s management (and here we tell how to convince the boss to give money for the implementation of the GDPR), since an extensive change in the processes and significant costs will be needed. What is more, it is not uncommon for companies to limit their marketing activities and make do with less volume of personal data.
  3. Plan measures for protection of personal data, determine the areas of responsibility of various departments and employees.
  4. At the start agree on how the effectiveness of personal data protection program will be assessed. Which means, you have to indicate success markers, KPIs.
  5. Conduct an inventory of personal data and information systems by filling out the register of personal data processing activities under Art. 30 GDPR (RoPA).
  6. Assess the risks for your company in connection with the GDPR (fines, loss of contracts, difficulties in certain markets, customer loyalty). Determine which processes (personal data processing) create most of these risks.
  7. Develop local regulatory acts (information privacy and security policies) based on the level of risks, type of business, corporate culture, organizational structure, market, needs and other characteristics of the company.
  1. Ensure a proper level of the company’s information security. For this reason, it is necessary not only to develop a regulation on information security, but also:
    1. appoint persons responsible for security, vest them with the necessary powers or designate an information security department;
    2. organise processes of information assets control;
    3. develop rules for remote work and use of mobile devices;
    4. ensure management of access to personal data;
    5. screen employees, internal and external audits;
    6. encrypt data;
    7. manage data breaches;
    8. provide physical protection;
    9. agree upon acquisition of new systems;
    10. connect with new providers and monitor them.
  1. Highlight, structure and document all purposes of personal data processing. It is necessary to formulate goals not in legalese, but in plain language, and in such a concrete and clear way, so that:
    1. it is possible to distinguish separate processings in the processes according to the GDPR;
    2. it is possible to determine one single legal basis for each processing;
    3. a typical representative of your primary audience can understand what is going to happen with her personal data.
  2. Choose the correct one of the six legal bases for each purpose / processing of personal data by entering in the Register of Processing Activities (RoPA) one legal basis in each line / for each processing. If the basis is consent, it is necessary to formulate and document it. Then one has to fulfill the requirements of ISO27701.7.2.4, starting the process of collecting consent, ISO27701.3.4 – change or revocation of consent, and ISO27701.2.3 – the process of proving that it was provided. If the basis is a legitimate interest, it should be framed, reinforced with safeguards, and documented by conducting a Legitimate Interest Assessment (LIA) and then implementing the safeguards selected in the Assessment. If the basis is a egal requirement, it is necessary to find the relevant legal provision obligating the processing of the relevant personal data and refer to it in the Processing Register.
  3. If among the processed information there are also biometric, medical and other special categories of personal data, then along with the legal grounds for processing, it is necessary to find one of the exceptions under Art. 9 (2), according to which processing these sensitive data is not prohibited for this purpose.
  4. Among the entire list of processing activities that the company conducts, it is necessary to find all processings, which rely on consent as a legal basis. Further, one has to ensure that the company will be able to demonstrate to a supervisory authority, auditor or data subject that it has indeed obtained consent to process the data. Along with proving the fact of obtaining consent, it will be necessary to record the circumstances of its receipt (time, place of giving consent, as well as its contents).
  5. Receive and register consent to personal data processing received from data subjects. Consent can be obtained electronically, on paper or orally. But even in the case of verbal consent, it is necessary to register this consent in the respective log, journal or customer card. Please note that consent is not obtained for all processing activities, as it is only one out of six legal bases for personal data processing. It is also important to remember that choosing consent instead of a more appropriate legal basis (such as legitimate interest or contract) may be considered a violation of the GDPR.
  6. Conduct a Data Protection Impact Assessment (DPIA) for a certain processing of personal data when it is likely to result in a serious risk in terms of consequences. Moreover, it is important to keep in mind that the risk is assessed not for the company, but in relation to the consequences for the data subject, her rights and freedoms. Please, follow Article 35 GDPR and DPIA guidelines.
  7. To enter into binding agreements with all contractors to whom personal data are transferred. It is necessary to sign a Data Processing Agreement (DPA) in accordance with Article 28 GDPR. The agreement must include all provisions referred to in Article 28(3) GDPR, as well as a list of information security measures to ensure integrity, confidentiality and availability of personal data transmitted.
  8. Identify the processes in which the company determines the purposes and means of processing together with someone else, and enter into one or more contracts with joint controllers. The roles and responsibilities of joint controllers must be documented in either a contract or any similar binding document that contains the terms of joint data processing.
  9. Develop, fill in and keep up to date the Records of Personal Data Processing Activities under Article 30 GDPR (RoPA). It is a catalog listing purposes of data processing, which also includes information about the collected data, processors, retention periods, etc. Checking the Records is usually a starting point for the GDPR compliance audits. What is more, it helps to respond to data subjects’ requests quickly, as it makes the search for their data among departments and information systems much easier.
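The consent register described in items 4 and 5 above can be implemented as a small piece of code. The following is an added example, not code from the original article or from DPO Europe; the record fields, purpose names and sample entries are constructed assumptions. It records each consent together with the circumstances of its receipt (time, channel, notice version, wording), refuses consent that was only a pre-ticked default rather than an affirmative act, and answers the question an auditor or data subject will ask: was valid consent for this specific purpose held at a given moment?

```python
"""Consent register: store how and when consent was obtained and show it
can be demonstrated per purpose. Added example; names and data are assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str          # pseudonymous customer reference (assumed)
    purpose: str             # the specific purpose consent was given for
    given_at: datetime       # timezone-aware time of receipt
    channel: str             # "web", "paper", "phone" ... (where it was given)
    notice_version: str      # which privacy notice text was shown
    statement: str           # the exact wording the person agreed to
    pre_ticked: bool = False # True if the box was checked by default
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        """Log a consent; reject entries that cannot count as consent."""
        if rec.given_at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if rec.pre_ticked:
            # A pre-ticked box is not an affirmative act, so it is not logged
            # as consent at all rather than logged and later disputed.
            raise ValueError("pre-ticked boxes are not valid consent")
        self._records.append(rec)

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Mark all live consents for this subject and purpose as withdrawn."""
        n = 0
        for r in self._records:
            if (r.subject_id == subject_id and r.purpose == purpose
                    and r.withdrawn_at is None):
                r.withdrawn_at = at
                n += 1
        return n

    def is_valid(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> bool:
        """Was consent for exactly this purpose in force at time `at`?"""
        at = at or datetime.now(timezone.utc)
        return any(
            r.subject_id == subject_id and r.purpose == purpose
            and r.given_at <= at
            and (r.withdrawn_at is None or r.withdrawn_at > at)
            for r in self._records
        )

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentRecord]:
        """The entries that document how consent was obtained (for an audit)."""
        return [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]


def build_sample_register() -> tuple[ConsentRegister, datetime, datetime]:
    """Constructed sample data: one web consent, later withdrawn by phone."""
    t_given = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    t_withdrawn = datetime(2024, 6, 1, 14, 30, tzinfo=timezone.utc)
    reg = ConsentRegister()
    reg.record(ConsentRecord("cust-001", "newsletter", t_given, "web", "v3",
                             "I agree to receive the monthly newsletter"))
    reg.withdraw("cust-001", "newsletter", t_withdrawn)
    return reg, t_given, t_withdrawn


if __name__ == "__main__":
    reg, t0, t1 = build_sample_register()
    print("valid at receipt:", reg.is_valid("cust-001", "newsletter", t0))
    print("valid after withdrawal:", reg.is_valid("cust-001", "newsletter", t1))
    for r in reg.evidence("cust-001", "newsletter"):
        print(r)
```

Because validity is checked per purpose, consent for the newsletter says nothing about profiling, which matches the requirement that consent be specific; and because withdrawals are recorded rather than deleted, the register can still show that processing before the withdrawal was lawful.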
  1. Determine and document at which points a data subject can check a privacy notice / privacy policy for each processing. This is not just about having a relevant document on the website: it is necessary to come up with ways to inform a data subject in case of offline interaction (in the office or at an event), as well as when communicating on the phone. Similarly, one has to determine what rights under the GDPR the subject has in relation to each processing activity (each process) and how the subject will be able to exercise his rights online on the website, in the application, when receiving emails, SMS, push notifications, paper mailings, or when your employee talks to him on the phone. For example, it is important to find out whether a person has the right to be forgotten in this process and how she will, if needed, request a copy of her personal data.
  2. If you make fully automated decisions, having significant consequences for data subjects, you need to analyze what obligations you have in connection with data subjects due to the fact that such meaningful decisions are made automatically. These commitments must be fulfilled. For example, one has to 1) notify data subjects of the existence and logic of those automated decisions, 2) reduce the risks of harm to rights and interests of people, 3) provide them with the right to object to having the decision made automatically.
  3. Determine the scope of issues, about which the company should inform people in connection with processing of their personal data. This list is needed to fill your privacy policies and notices with information about your processes. It will be used to check the completeness of information provided to data subjects. In the GDPR this information is specified in Articles 13 and 14, as well as in the Guidelines on transparency. What is more, data subjects can request information individually. Article 15(1) of the GDPR provides a list of information to be provided to a data subject.
  4. Provide the data subject (with the help of privacy policy and other notices) with clear and easily accessible information about processing of personal data. For example, among other things, specified in Articles 13 and 14 of the GDPR, it is necessary to stipulate the purpose, legal basis, duration of each processing, as well as recipients of personal data. One also has to name the company, give the contacts of its DPO, as well as provide the names of other companies with which it jointly controls data processing. Privacy policies should be easy to understand for a typical representative of the core audience, which means that the privacy policy needs to be translated into each of the languages of the interface. What is more, when drafting a privacy policy, one has to get rid of legal slang, publish information in a visual form, for example, format and structure the text, add icons, pictures, videos, tables and tips. It is also necessary to translate the content from legal jargon into “human” language, integrate easy navigation through the entire policy, and divide the endless sheet of text into coherent parts to show them at the right moment (just in time notice).
  5. Develop and implement a process for revoking consent to processing of personal data. As part of the process-oriented approach, it is necessary to define the “customers” of the process, its goals and results, performance indicators and the necessary resources, suppliers, executors and the owner of the process of withdrawing or changing consent.
  6. Develop and implement a process for managing objections to processing, which is carried out on the basis of a legitimate or public interest. Unlike the process of withdrawing consent, it is assumed that individual requests will be considered and it will be possible to refuse to exercise this right if the request is unreasonable.
  7. Develop and implement a business process for exercising rights to access, have personal data rectified and/or deleted.
  8. Develop and implement a process for notifying third parties and persons who have received personal data from us that the data subject has exercised his right to withdraw consent, have data rectified or object to their processing. This measure is needed so that the recipients of the data can independently decide whether they also need to delete, block or correct the data.
  9. Prepare to receive data subjects’ requests with regard to 1) access to their personal data (requesting a copy of them) in a human-readable form, as well as 2) data portability in a machine-readable form: determine the volume of data and the information systems involved. The respective business process also needs to be implemented.
  10. Develop and document procedures for giving response to data subjects’ requests without undue delay, but no later than one month. Requests may relate to the right to access, rectification, deletion, blocking of personal data, as well as to the right not to be subject to decisions taken automatically, and the right to withdraw consent and object to processing.
  1. Based on the declared purpose of processing, it is necessary to reduce the amount of collected data to the minimum that is really needed.
  2. When working with data that are stored in the organization’s information system, it is necessary to delete unnecessary information in a timely manner and reduce the circle of persons having access to them.
  3. Determine the level of accuracy needed for each category of personal data processed from the point of view of the company’s declared purpose. For those data, the accuracy of which is important, it is necessary to develop a procedure for clarification (for example, errors in names) and regular updating of obsolete data (for example, residence addresses or telephone numbers).
  4. Use anonymous data whenever possible, or switch to them instead of personal data as early as possible. Using the register of personal data processing activities, the company should map which data are used for each purpose, and then make sure that those data are not used for any other purpose.
  5. It is necessary to provide for technical or organizational mechanisms of deletion or complete anonymization of personal data after the expiration of the data retention period.
  6. It is important to identify where exactly in the information system, or in which departments of the organization duplicates or temporary files containing personal information may appear as a result of regular processing of personal data. One has to develop procedures and rules for deleting these files as soon as they are no longer needed.
  7. For each category of personal data processed it is necessary to specify a processing period or criteria for its determination. These dates form Data Deletion Schedules.
  8. Implement and document procedures for disposal of media containing personal data.
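Items 5 and 7 above (deletion or anonymisation once the retention period expires, and a Data Deletion Schedule stating a period per category) can be turned into a check that runs against stored records. The following is an added example, not code from the original article or from DPO Europe; the data categories, retention periods and sample records are constructed assumptions. It keeps one retention rule per category, reports which records are past their period, deletes or anonymises them according to the rule, and refuses to run when a category has no rule at all, which is the gap item 7 tells you to close.

```python
"""Data deletion schedule: enforce one retention rule per personal data
category. Added example; categories, periods and records are assumed."""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    category: str          # category as listed in the RoPA
    retain_days: int       # retention period counted from the trigger date
    action: str            # "delete" or "anonymise" once the period expires
    identifiers: tuple = () # fields stripped when anonymising


@dataclass
class StoredRecord:
    record_id: str
    category: str
    trigger_date: date     # event the period counts from (contract end, last activity)
    data: dict             # the personal data itself


# Constructed Data Deletion Schedule (assumed periods, not legal advice).
SCHEDULE = {
    "invoice": RetentionRule("invoice", 3650, "delete"),
    "marketing_lead": RetentionRule("marketing_lead", 365, "delete"),
    "support_ticket": RetentionRule("support_ticket", 365, "anonymise",
                                    identifiers=("name", "email")),
}

# Constructed sample records.
SAMPLE_RECORDS = [
    StoredRecord("inv-2018-001", "invoice", date(2018, 2, 1),
                 {"name": "A. Example", "amount": "120.00"}),
    StoredRecord("lead-42", "marketing_lead", date(2022, 3, 15),
                 {"name": "B. Example", "email": "b@example.invalid"}),
    StoredRecord("ticket-7", "support_ticket", date(2023, 6, 1),
                 {"name": "C. Example", "email": "c@example.invalid",
                  "issue": "login failure"}),
]


def is_expired(rec: StoredRecord, rule: RetentionRule, today: date) -> bool:
    """True once the retention period counted from the trigger date has run out."""
    return rec.trigger_date + timedelta(days=rule.retain_days) <= today


def apply_schedule(records, rules, today: date):
    """Return (actions, kept): actions is a list of (record_id, action) taken,
    kept is the record set after deletion and anonymisation."""
    actions, kept = [], []
    for rec in records:
        rule = rules.get(rec.category)
        if rule is None:
            # Every category must have a period or criteria; stop rather than
            # silently keep data forever.
            raise ValueError(f"no retention rule for category {rec.category!r}")
        if not is_expired(rec, rule, today):
            kept.append(rec)
            continue
        if rule.action == "delete":
            actions.append((rec.record_id, "delete"))
        elif rule.action == "anonymise":
            scrubbed = {k: v for k, v in rec.data.items()
                        if k not in rule.identifiers}
            kept.append(replace(rec, data=scrubbed))
            actions.append((rec.record_id, "anonymise"))
        else:
            raise ValueError(f"unknown action {rule.action!r}")
    return actions, kept


if __name__ == "__main__":
    acts, remaining = apply_schedule(SAMPLE_RECORDS, SCHEDULE, date(2025, 1, 1))
    for rid, act in acts:
        print(f"{rid}: {act}")
    for r in remaining:
        print(r.record_id, r.data)
```

Note that anonymisation here only removes the listed direct identifiers; whether what remains is truly anonymous depends on the other fields, which is why the schedule lists the identifiers per category rather than assuming one rule fits all.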
  1. One needs to use reliable channels for the transfer of personal data in order to prevent the loss of personal information or its falling into the wrong hands.
  2. It is important to arrange cross-border transfer of personal data (including providing access to them) outside the European Union. The most effective transfer mechanism in many cases is signing the Standard Contractual Clauses (an appendix to the Data Processing Agreement), subject to regular monitoring of the counterparties that have signed them (questionnaires and selective audits).
  3. Another useful measure is to maintain a record of countries to which the company sends personal data.
  4. One also has to register transfer of personal data to any third parties (processors, partners, auditors, government agencies, etc.) and ensure that they facilitate the fulfillment of data subjects’ requests, such as requests for access, deletion, rectification, etc.
  5. It is necessary to register the disclosure of personal data to any third party (processor, partner, auditor, government agency, etc.).

42. Appoint a person responsible for personal data protection (in some cases, this is an obligation). Bringing a company to GDPR compliance requires a competent approach, so for the sake of effectiveness it is best to consult a professional. In some cases the Regulation requires a company to hire or outsource a DPO (Data Protection Officer). We advise you to check the questionnaire for hiring a DPO, which was developed by our company’s consultants to assess the professional skills and experience of a candidate during an interview without missing a single important question.

  1. Each processing should have a purpose. For example, a person decides to purchase a plane ticket. You have to explain clearly: the company collects your passport data (processing) so that you can purchase a ticket (purpose 1) and to check if you are not blacklisted to enter this country (purpose 2). There should be a legal basis for each purpose.

    NB! Think of a legal basis, which is appropriate for purpose 1 and purpose 2 (they may be different legal bases).

    The purpose is to be communicated to data subjects in the privacy notice (the so-called “privacy policy”). After that you need to strictly adhere to the purpose declared in order to fulfill the principle of “purpose limitation” (see above). The legal basis is determined on the basis of a purpose.

There are the following types of legal bases for personal data processing:

  1. Vital interest – processing is necessary in order to save a person from death or serious injury. The threat must be real and actual at the moment of processing;
  2. Contract – it is impossible to perform a contract or provide a service without personal data processing;
  3. Legal obligation – when personal data processing is necessary for compliance with a legal obligation;
  4. Public interest – if a processing carried out in public interest is within the competence of a certain governmental authority, and an entity that processes personal data does so to assist the governmental authority. There is an important detail: this legal basis is applied if a governmental authority will not succeed without an entity’s help;
  5. Legitimate interest – if legitimate interests of a company prevail over rights and interests of data subjects. For example, if a company’s business will be under threat if it stops processing personal data for this purpose;
  6. Data subject’s consent – the data subject’s permission to process her personal data for a purpose that is of little significance to the data subject. The consent shall be free, specific and given in connection with a particular purpose. The person shall be informed about all significant aspects of the use of her data. The consent shall be expressed by an affirmative act.

In the example of selling an airplane ticket and checking against the “black list”, two different legal bases are used: for purpose 1 – a contract, for purpose 2 – a legal obligation.

Privacy Policy Audit/Drafting

Our licensed professionals in personal data protection area will elaborate a Privacy Policy for you which is completely in line with the GDPR requirements.

GDPR Documents

Which documents must a company have in order to comply with GDPR requirements? Our consultants are often asked this question. But there is no answer and there can’t be one. The fact is that the documentation reflects the measures taken by the company and is not required by any legal act per se (since paperwork alone is not a demonstration of compliance). Not all the measures are mandatory for companies, although there are some that are necessary for most of them.

Examples of GDPR Documents are:

  • Binding Corporate Rules (BCR)
  • Bring Your Own Device Policy
  • Business Continuity Plan
  • Contact list for Breach Response Team
  • Cookie Consent
  • Cross Border Personal Data Transfer Procedure
  • Data Breach Notification Letter to Data Subjects (template)
  • Data Breach Register
  • Data Breach Report
  • Data Breach Response Plan
  • Data Processing Agreement (DPA)
  • Data Protection Impact Assessment (DPIA)
  • Data Protection Policy (internal)
  • Data Protection Officer (DPO) Job Description
  • Data Retention Policy
  • Data Sharing Agreement
  • Data Subject Access Request Form
  • Data Subject Access Request Procedure
  • Data Subject Change Request Form
  • Data Subject Consent Form
  • Data Subject Consent Withdrawal Form
  • DPIA Register with Log of DPIA Outcomes and Implementation of Mitigating Controls
  • DPIA Threshold Assessment
  • DPIA Methodology
  • Employee Privacy Notice
  • Enterprise Privacy Risk Assessment
  • Guidelines for Data Inventory and Processing Activities Mapping
  • Incident Report Form
  • Information Assets for Disposal Log
  • Internal Audit Checklist
  • Internal Audit Procedure
  • Internal Audit Report
  • Joint Controllership Agreement
  • Legitimate Interest Assessment (LIA)
  • Letter of Appointment of Data Protection Officer (DPO)
  • Parental Consent Form
  • Parental Consent Withdrawal Form
  • Privacy or Data Protection Notice
  • Processor GDPR Compliance Questionnaire
  • Project Plan for Complying with the EU GDPR
  • Register of Data Transfers
  • Register of Privacy Notices
  • Register of Processing Activities (RoPA)
  • Standard Contractual Clauses (SCC)

Data Processing Agreement (DPA)

A DPA is a data processing agreement that must specify the following aspects (Art. 28 GDPR):

Standard Contractual Clauses (SCC)

Standard Contractual Clauses (SCC) supplement or replace the DPA in the case of cross-border data transfers.

When we are going to transfer data from the EU outside the EU, the DPA alone may not be enough. In order to perform a cross-border transfer, we first need to know whether the country provides an adequate (sufficient) level of data protection. If the country is “inadequate,” you can find out how to handle a cross-border data transfer here.

In brief, you can use the SCC approved by the European Commission. Standard Contractual Clauses (SCC) are a model contract concluded between the controller and the processor. Their text cannot be altered because they are standard. However, situations may arise where additional provisions need to be specified, such as the allocation of costs for audits of personal data protection. Then we do the following: the company concludes a DPA with these additional provisions, and the SCC are an appendix to it.

Privacy notice (policy)

The privacy notice (policy) is a public document that describes the fate of the personal data that the customer entrusts to us. It explains, for example, what personal data is processed by the company and to whom it is transferred.

In the past, before the widespread dissemination of the GDPR, only lawyers could understand the text of the document: it had too many complicated terms and constructions. Today, according to one of the requirements of the GDPR (Article 12 of the GDPR), a company must inform users not by means of legal language, but in a concise, transparent, understandable way, without using complex terminology (interactivity is only encouraged). For more details on what and how to write in privacy notices (policies), see GDPR articles 12, 13, and 14, or below in the text.

There are slight differences in the requirements depending on whether the company collects personal data directly from the data subject or through intermediaries (recipients). Let’s look at each case.

If a company collects personal data from an individual directly, it must include the following information in the policy:

If the organization receives your data indirectly (through another company), then the privacy policy should include all the same information, except for the last point. Plus, we must list the types (categories) of personal data that are obtained about the person from a third-party source.

A privacy policy is a unique document for each company, so a template privacy policy will not work. “Data Privacy Office” has developed a special privacy policy checklist that will not allow you to miss anything when you create a privacy policy “from scratch”, or you can check the correctness of an already created document.

Data Protection Impact Assessment (DPIA)

DPIA (Data Protection Impact Assessment) is a method used to systematically and comprehensively analyze the risks caused by data processing and to select protection measures.

In fact, we do not look at the risks to the company, but at the risks of violating people’s rights and freedoms. This includes, inter alia, the threat of psychological, physical, social, and economic harm to data subjects.

If you understand that data processing is likely to result in serious risk, make sure you do a DPIA before you start the processing. Article 35(3) of the GDPR provides examples where serious negative consequences are likely to occur. In these cases, a DPIA is mandatory. These are, for example:

Thus, the Data Protection Impact Assessment is a kind of safety cushion that allows you to identify risks and prevent them. It will be the right investment for the future of the company since it protects against problems with supervisory authorities, partners, and customers.

Legitimate Interest Assessment (LIA)

If you work with personal data on the basis of legitimate interest, you have to do a legitimate interest assessment. This is both a formal procedure and a document, the contents of which are clearly stipulated. During a LIA, you have to weigh the pros and cons of processing for both the company and the data subject.

The LIA is conducted in three stages:

  1. Assessing whether there is a legitimate interest,
  2. Determination of the necessity for processing,
  3. Balance of interests (the interests of the data subject VS the interests of the company).

The legitimate interests of the company should be reviewed periodically. Over time, depending on external and internal factors, the purpose, nature or context of the processing may change. There is a good chance that this will affect the balance between you and the data subject. Consequently, the LIA should be updated accordingly.

This procedure helps to avoid problems in the future and build customer trust, while not to the detriment of the organization itself.

Where to begin?

TRAINING

By training employees and heads of departments how to deal with personal data the company reduces its GDPR risks and increases customer loyalty. Starting with training courses and certifications by Data Privacy Office is an effective step towards GDPR-Compliance.

GDPR data protection training and certification

GDPR Data Privacy Professional

The GDPR Data Privacy Professional course is the most popular GDPR course in the CIS countries, which has been conducted since 2018. It will provide you not only with comprehensive knowledge of the GDPR, but also with understanding of the logic of European standards in terms of personal data protection. The course is suitable for employees of different backgrounds, including non-lawyers. It is available in a group format (both online and offline), as well as in a self-paced mode.

Program

  • Concepts of privacy, data privacy, data protection. Types of privacy.
  • Review of existing data privacy laws, standards and regulations
  • Cases, court precedents, guidelines in information privacy
  • The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data №108
  • Directive 96/46
  • Overview of present regulatory framework of data protection in EU (GDPR+)
  • History of EU General Data Protection Regulation (GDPR)
  • Territorial and material scope of GDPR
  • Structure of GDPR text (recitals, business related articles etc)
  • Overview GDPR related acts
  • National data privacy legislation
  • Legal precedents
  • Guidelines and opinions of Article 29 Working Group (Art29WP) / European Data Protection Board (EDPB)
  • Guidelines of national supervisory authorities (SAs)
  • Overview of risks, fines, responsibilities related to personal data processing
  • Mapping of the Belarusian, Ukrainian and Russian data protection laws to the rules applicable in EU.
  • The concepts of personal data (PD), identifier, data subject
  • Formula of Personal Data “(id-x)+info”
  • Cases of (non-)personal data
  • Biometric data
  • Transparency of processing
  • Purpose limitation
  • Data minimisation
  • Storage limitation
  • Accuracy
  • Integrity and confidentiality
  • Accountability
  • The 7 foundational principles of privacy by design by Ann Cavoukian
  • Privacy by Default
  • Privacy embedded into design
  • Full functionality – positive-sum
  • End-to-End Security – Lifecycle Protection
  • Consent
  • Conditions for consent
  • Getting consent in UX
  • Contract
  • Legal obligation
  • Vital interest
  • Public interest
  • Legitimate interest
  • Balancing test of Legitimate Interest Assessment (LIA)
  • Modalities for exercise of the rights of the data subject
  • Right to information about processing
  • Right to access personal data
  • Right to rectification
  • Right to restriction of processing
  • Right to be forgotten
  • Right to data portability
  • Right to object
  • Right to not be subject of automated decision-making
  • Data subject’ rights restriction
  • Case “Nightmare letter from data subject”
  • Check-box approach vs risk based approach
  • Concept of risk
  • Risk likelihood and severity
  • GDPR terminology related to risks (high risk, likely etc)
  • Data Protection Impact Assessment (DPIA) requirement under GDPR
  • When DPIA is mandatory
  • BIA (Business Impact Assessment) or SIA (Security Impact Assessment) as triggers for DPIA
  • General approach to conduct DPIA
  • Describing processing operations, personal data and supporting assets
  • Legal and risk-treatment controls
  • Risk sources, feared events, threats and risks
  • Tools for Data Protection Impact Assessment
  • GDPR requirements to information security
  • Data breach notification of supervisory authorities and data subjects
  • Technical and organisational measures of managing information security risks
  • Overview of GDPR rules on cross-border data flow
  • Documenting international transfers of personal data
  • Data Processing Agreement
  • Binding Corporate Rules
  • Standard Contractual Clauses
  • Codes of conduct and certifications
  • Derogations relating to cross-border data transfers for specific situations
  • Representative in EU
  • Data Protection Officer / DPO

The syllabus is based on the body of knowledge of the CIPP/E international certification, adapted to CIS-specific features, namely the need to cover the modules above in detail. This course covers 80% of tasks and questions with regard to the GDPR and helps to save on consulting services.

GDPR Data Privacy Manager

It will provide those who are already working with GDPR “in the field” with everything they need to organize, maintain and manage a company's personal data protection system throughout the entire lifecycle of the system. As a result, such managers not only know and understand the requirements of the GDPR, but also know how to make all this work in any company. This course can be taken in a group (online).

Program

  • Concepts of privacy, data privacy, data protection. Types of privacy.
  • Analysis of information assets, business needs, and regulatory and contractual requirements
  • Organizational entity dealing with data protection
  • Needs and expectations of stakeholders
  • Scope of privacy programme
  • Governance models of privacy programme
  • Nymity Accountability Status Workbook
  • Nymity Data Privacy Accountability Scorecard
  • Assessment and treatment of the data privacy risks
  • Selection and implementation of controls
  • Internal policies
  • Policy types
  • Determination of the necessary resources and their allocation
  • Acquisition and maintenance of competencies
  • Raising Awareness
  • Internal communication
  • External communication
  • Support of management and other stakeholders
  • Role and Responsibility Matrix for GDPR implementation
  • Distribution of responsibilities with RACI Chart
  • Privacy Team
  • Data Protection Officer
  • Process approach
  • Maintaining the records of processing activities (Data register) under the GDPR
  • Conducting Data Protection Impact Assessment (DPIA)
  • Assessing vendors
  • Processing requests from personal data subjects (DSARs)
  • Data breach notification
  • Conditions for collection and processing
  • Obligations to data subjects
  • Privacy by design and privacy by default
  • Sharing, transfer and disclosure of personal data
  • Monitoring, measurement, analysis and evaluation
  • Audits, their stages and types
  • Nonconformity and corrective action

CIPP/E Official Training Course

Official preparation course for the GDPR – Certified Information Privacy Professional Europe exam, delivered by a certified professional in partnership with IAPP.

Course Outline

Introduces key European data protection laws and regulatory bodies, describing the evolution toward a harmonised legislative framework.

Defines and differentiates between types of data as defined by the GDPR, including personal, anonymous, pseudonymous and special categories.

Describes the roles and relationships of controllers and processors as defined by the GDPR.

Defines data processing and GDPR processing principles, explains the application of the GDPR and outlines the legal grounds for processing personal data.

Describes data subject rights, applications of rights, and controller and processor obligations as set out in the GDPR.

Explains controller obligations for providing information about data processing activities to data subjects and supervisory authorities as set out in the GDPR.

Outlines options and obligations under the GDPR for transferring data outside the European Economic Area, including adequacy decisions and appropriate safeguards and derogations.

Discusses the applications of European data protection laws, legal bases and compliance requirements for processing personal data in practice, including employers processing employee data, surveillance, direct marketing, and internet technology and communications.

Discusses considerations and duties of controllers and processors for ensuring security of personal data and GDPR specifications for providing notification of data breaches.

Investigates accountability requirements, including data protection management systems, data protection impact assessments, data protection policies and the role of the data protection officer.

Describes the role, powers and procedures of supervisory authorities; the composition and tasks of the European Data Protection Board; the role of the European Data Protection Supervisor; and remedies, liabilities and penalties for noncompliance as set out in the GDPR.

CONSULTING

The decision to resort to a consultant is especially important when deadlines are tight and there is no room for error. The consultant will ensure that your actions are correct and provide you with a clear rationale. If you turn to Data Privacy Office consultants, they will also take into consideration peculiarities of your business, as well as the resources and processes available.

Data Privacy Office customers often order complex products like GDPR Roadmap or DPO Outsourcing. We will talk about them below. But some opt for separate services under the GDPR, such as GDPR Compliance Audit, Privacy Policy and Notice Audit, Data Protection Impact Assessment, GDPR Gap Analysis, Data Mapping, Privacy Engineering Team Outsourcing, and Record of Processing Activities.

01. GDPR Roadmap + Implementation Program

The program is designed for systematic implementation of personal data protection in accordance with the international standard ISO 27701. It is suitable for all types of companies: from IT startups to large banks and fintech companies. This is your opportunity to delegate coordination of the project to bring your business to GDPR-Compliance. We use our own “GDPR Roadmap” methodology to quickly set up personal data protection in small companies that do not have a set of well-built business-processes yet.

Implementation steps:

DPO (Data Protection Officer) Outsourcing

The company gets an experienced and competent specialist who is able to promptly and correctly resolve issues related to the GDPR and – what is equally important – to take responsibility for them. The Data Privacy Office expert embodies your protection against the supervisory authority. The functions of the DPO include the following:

Outsourced Privacy Engineering Team

PE Team is a group composed of licensed GDPR professionals, a designer (software application architect), and, if required, several developers. All you have to do is to examine the work and execute decisions.

Outcomes

Optimisation of procedures (workflows), including the tooling needed (automation of the handling of data subjects’ rights, system rules for data erasure, and development of tailored documents, e.g. privacy notice, checkboxes, cookie banner, DPA, SCC, Statement of GDPR conformity, and so on). Your team gains experience and understanding that it can apply in upcoming projects and tasks.

Penalties for failure to comply with GDPR rules

As you may have realized, the General Data Protection Regulation is a serious legal act of direct application, the violation of which entails serious sanctions. The European Union, endeavoring to guarantee the protection of personal data, has set quite severe penalties.

Violations of the Regulation are subject to fines of up to EUR 10,000,000 or up to EUR 20,000,000: the amount varies depending on the GDPR article. If the company’s turnover is over half a billion euros, the maximum penalty is calculated as a percentage of the global turnover for the previous year: from 2% to 4%. The sanctions are set by Article 83 of the GDPR.

Importantly, supervisory authorities have the right to impose administrative fines on both controllers and data processors. Fines can be imposed instead of, or together with other measures prescribed by the supervisory authorities.

The top 6 largest fines during the period of application of the Regulation:

In January 2019, Google was fined €50 million because their privacy policy did not comply with GDPR requirements.

The policy was written on many pages and in complicated language, preventing users from understanding how their personal data was being processed. In addition, the consent for processing personal data also did not comply with the Regulation, as all the boxes had already been pre-ticked for the users.

H&M was fined €35.3 million by the Hamburg supervisory authority.

The decision followed the Swedish mass-market brand's monitoring of hundreds of its employees. The records included details of employees' private lives, and this data was subsequently accessible across the company.

TIM (an Italian telecommunications operator) was fined €27.8 million by the Italian supervisory authority (Garante).

The company committed a number of violations, including: marketing activities without consent, contacting data subjects who had asked not to receive marketing offers, invalid consents collected in TIM applications, inadequate security measures to protect personal data, and no clear data retention periods.

In October 2020, the UK Information Commissioner's Office (ICO) fined British Airways £20 million (roughly €22 million) over the 2018 breach of its customer data, for failing to have appropriate technical security measures in place as required by Article 32 of the GDPR.

Hotel group Marriott International, Inc. was fined about €20.5 million (£18.4 million) by the UK ICO.

In 2016, Marriott acquired another hotel group. It later emerged that this group's guest reservation system had been compromised since 2014. Marriott only discovered this in 2018, after the data had already leaked. Around 339 million guest records were affected, including payment card details and other personal data. The compromise predated the acquisition and went undetected through it, which is exactly the kind of inherited security risk an acquirer's due diligence needs to surface.

Amazon was fined €746 million.

In July 2021, the Luxembourg Data Protection Authority (CNPD) fined Amazon a record €746 million following a 19-page complaint lodged in 2018 by the French privacy group La Quadrature du Net. The complaint, filed on behalf of more than 10,000 consumers, alleged that Amazon manipulates customers for commercial purposes by choosing which advertisements and information they receive.

These six cases illustrate the importance of complying with the GDPR. Implementing GDPR compliance usually costs a company far less than acting on a "maybe we'll get away with it" principle. Regulators typically learn of violations from dissatisfied customers, the media, bloggers, disgruntled former employees and so on. In addition, privacy is becoming a marketing differentiator for new brands and attracts customers. Finally, getting your systems in order and putting processes in place is a task that any business seeking success will face sooner or later.

We hope you found this article helpful. You now understand the basic rules of the GDPR and how to work with them. However, if it is difficult for you to cope on your own, you can always turn to our experts for help. This is an investment in the future of your company, as well as a competitive advantage in the market right now. As a GDPR-compliant company, you will earn the trust and respect of customers and partners, which is undoubtedly a valuable resource for any business.
