Get an offer
Inst

Top publication

Sign up for the DPO Europe Newsletter

We will share useful materials with you and talk about the latest news from the world of privacy.

podcast deep dive into data privacy
What is GDPR — General Data Protection Regulation?

What is GDPR — General Data Protection Regulation?

Welcome to the full guide on General Data Protection Regulation or GDPR for short. Here you’ll learn what is personal data is, what the rights of subjects are, how to comply with the regulation.

We undestand that the text can require some effort from you. However we filled it with infographics and tests for you to better memorise all the important things. And also remember: this article is contribution to your knowledge. In our opinion it is better to spend an hour on this article than spend an hour to scroll social media 🙂

We hope, you’ll find this article useful. Thanks for your attention and enjoy reading!

Contents:

  1. What is GDPR?
  2. What is personal data?
  3. What rights did people get thanks to the GDPR?
  4. Data processing principles.
  5. Territorial scope of the GDPR.
  6. What do you need to do to comply with the GDPR?
  7. GDPR Documents.
  8. Where to begin?
  9. Penalties for failure to comply with GDPR rules.

What is General Data Protection Regulation?

Have you ever wondered where your phone stores fingerprints for unlocking? Why is it when you place an order in an online store, you need to fill in your date of birth? Doesn’t it seem to be unnecessary information to buy something? Can anyone access your health record at the clinic? How do companies find your phone number to contact you and tell you about their products and sales? And what do social networks know about their users?

Every day we pass on to others a lot of information about us. Communicating, looking for a job, making an appointment with a doctor — all this needs personal data. People do it without even thinking about what will happen with these data.

In the European Union they have taken up this issue. As a result, they adopted the General Data Protection Regulation on April 27, 2016. The new law entered into force only two years later (May 25, 2018), so that businesses had enough time to get prepared.

The GDPR (General Data Protection Regulation) is an EU regulation. It protects the privacy and personal data of EU citizens. Whether personal data are processed by businesses or governments process, whether within the EU or outside it.

So why do we need this regulation? Technologies are making people more and more generous with personal data. In return we get convenience and comfort. We are so used to it that we cannot imagine our world in any other way. But does this mean that it is safer to live now? Not at all. Any piece of information may be used against us. And we, the data subjects, have lost control over our data in the new digital reality.

The GDPR has changed the previous legal framework of privacy protection in Europe. Data Protection Directive 95/46/EC was almost two decades old and the new data protection regulation replaced it. It leads to a lot of questions: what should we do? How dangerous is non-compliance?

GDPR infographics

Love to work together

We are open to cooperation with developing, enterprising companies.

Get an offer

What is personal data?

GDPR only applies where personal data exist. This concept plays an important role in its implementation. Let’s examine the definition.

Personal data

Personal data are information related to an identified or identifiable person (“data subject”). Please, check this article to find more. You may also find this inforgraphics useful (article and infographics).

Identified individual

An identified individual is a person whose identifier is in the data. An identifier may include one’s name, phone number, personal ID or login.

Identifiable individual

Identifiable individual is a person who you can distinguish from other people.

For example, personal data includes information describing the person. John is 38 years old and a lawyer. In this case, personal information is not only the person’s name, but also his profession and age.

We don’t know the full name. We only know that someone named John in our city is 38 years old. This information will be anonymous to us.

But what if someone told us that a man named John is 38, lives in our city, and works at a small law firm called “John & Associates”? We will be able to identify the person. We can classify this information as personal data.

Without an identifier, the information becomes anonymous. Relating information and an incomplete identifier may constitute personal data. But only if you can “build” the identifier by making an additional investigation and adding this newly acquired information to the one you already have. If this investigation can be performed legally without excessive time and effort, even the incomplete identifier shall be treated as personal data.

If we don’t have a reasonable opportunity to identify the data subject, the data is anonymous. It means, the information is not personal data any more and doesn’t enjoy protection.

Personal data are ot only the identifier itself, but also the information related to a person. And there are certain nuances as well.

In simple terms, name, passport number, ID card, username, nickname, email address, phone number, IP address, bank card details are always personal data. They are identifiers. A vehicle number, handwriting, video, or photo are likely to constitute personal data. They make it easy to identify a person. Address, marital status, sex, gender, e-wallet details, health data, page views, social media posts are also personal data. The only condition — we know to whom exactly they relate.

gdpr dpp training

It is important to note that the definition of personal data is changing. Before the era of computers and cell phones it was different. Now this criterion is narrowed down. Now it’s the circle of people who can potentially gain access to these data and use it for identification.

Based on it, privacy expert Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP, created original formula for personal data.

What are special categories of data?

Under the GDPR, special categories of personal data require enhanced protection. This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership. Additionally, genetic data falls under this classification.

What rights did people get thanks to the GDPR?

The authorities adopted the new regulation due to the technological progress. Now people are under risk to lose their right for privacy. We already told about what privacy is and how it dissipates in the modern world. Now let’s talk about the rights that we, as data subjects, can exercise under the GDPR.

The main rights of data subjects according to the gdpr are:

    • right of access,
    • right to rectification,
    • right to erasure,
    • right not to be subject to a decision based solely on automated processing of data,
    • right to restriction of processing,
    • right to data portability,
    • right to object,
    • right to lodge a complaint with a supervisory authority,
    • right for compensation.

Let’s have a closer look at them.

Right of access (Article 15 GDPR)

Each person has the right to receive their personal data or get access to them. This right extends not only to the information that data subject provided herself. It also means the information that a company (data controller) has collected about them from other sources.

How will a company provide the data subject with the information? The company must provide personal data in any form in which a person requests it: it can be either an electronic file or a paper document.  Alternatively, the company can givea person access to her data, for example, in their personal account. According to the rules of the Regulation, Controllers and processors provide data free of charge.It is only in exceptional cases, when the company can claim a fee from a data subject, for example, if the requests are manifestly unfounded or excessive or when a data subjects requres several paper-based copies.

The data subject may not even suspect that company has collected data. This right enables the data subject to find out:

  • what purposes their personal data is used for;
  • to whom and to which countries data are transferred;
  • how long data are stored;
  • where data were obtained from (data sources);
  • information about important decisions for the data subject, which are made automatically;
  • whether a data subject has the right to delete or rectify the data, or to “freeze” it (restriction of processing). Or whether she has a right to lodge a complaint with a supervisory authority.

Right to rectification (Article 16 GDPR)

A data subject has the right to rectify inaccurate personal data processed by the company. This can happen, for example, if the data subject changes her passport/id card, surname or place of residence. Or when there is a mistake in her personal data. This right is important when processing requires accurate and complete information.

Right to erasure (‘right to be forgotten’) (Article 17 GDPR)

The data subject has the rightto obtain the erasure of personal data concerning him or her. But that’s not that simple. There are only few grounds in GDPR when this right is to be exercised:

If the personal data are no longer necessary for the purposes for which they were collected.

According to the principle of storage limitation, the controller should have deleted the data anyway.

If the person withdraws her consent to the processing.

When the legal basis for the processing is consent.

If the personal data have been unlawfully processed.

In this case the controller should thank the data subject for contacting the company. Because the person could have complained directly to the supervisory authority instead.

If the personal data belong to a child and were collected by the online service with child’s consent.

For more details, see Article 8(1) GDPR.

Let’s take a closer look at the last point.

Article 8 of the Regulation deals with the processing of personal data of children. The child’s consent is valid only if:

  1. the child is at least 16 years old
  2. or in addition to it, the consent/permission of the parent has been obtained. The fact is that children do not always understand what their actions on the Internet can result in. Thus, when you receive a request to erase such data, you need to do it immediately.

For example, 22-year-old Maria noticed that 8 years ago she registered accounts on various gaming sites. They collected and processed her personal data. Parents confirmed her consent to participate in various promotions on these sites. But now the GDPR is in effect. Maria can erase all info about her childhood participation in promotions.

The right to be forgotten is not an absolute one. It is balanced by the freedom of speech and press. Also, there are other exceptions from this right, which are connected with a need to process data for archiving in the public interest, as well as for scientific and historical research.

Right to restriction of processing (Article 18 GDPR)

Article 18 of GDPR gives a data subject the right to restrict processing if one of the following applies:

  • the accuracy of the personal data is contested;
  • the processing is unlawful and the data subject opposes the erasure of the personal data;
  • the controller no longer needs the personal data for the purposes of the processing. But they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing. We are verifying if the controller's interests override those of the data subject. We must inform the subject as soon as we make a decision either to resume or to stop processing.

Right to data portability (Article 20 GDPR)

Individuals have the right to get their personal data from a controller. The data must be in a structured, commonly used, machine-readable format. They also have the right to transfer these data to another controller without any obstacles.

The right to data portability supports «user choice, user control, and user empowerment». It strengthens control over personal data. It allow users to receive and reuse their personal data across different services for their own purposes.

Right to object (Article 21 GDPR)

The data subject can object to processing of her data. This applies if it’s based on legitimate or public interest.

The controller must review the objection, assess the situation. Then the controller decides if the processing is more important than the individual’s interests.

Note: If the objection is related to processing of personal data for direct marketing, the controller must stop the processing immediately.

Right not to be subject to a decision based solely on automated processing (Article 22 GDPR)

Sometimes decisions are made not only by a person, but also by automated means. But algorithm can be erroneous or biased. The GDPR provides data subjects with the right to object to decisions made by a computer and request human intervention.

However, this right does not apply if:

  • the decision is necessary for the entering into or performance of a contract;
  • the decision is based on the data subject’s explicit consent.

Love to work together

We are open to cooperation with developing, enterprising companies.

Get an offer

Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

The data subject has the right to lodge a complaint with a supervisory authority. They can do it in the state of their habitual residence, place of work or place of the infringement (i.e. controller’s place). E.g. a data subject lives and works in Berlin. She can complain to a supervisory authority in France if a French company violated her rights. The supervisory authority must consider the complaint. Then it must inform the complainant on the progress and the outcome of the complaint. If the data subject is not satisfied with the outcome of the complaint she has the right to judicial remedy (Article 78 GDPR).

Right to compensation (Article 82 GDPR)

In case of infringement of the GDPR, the controller (or processor) must not only pay a fine. It also has to provide the data subject with compensation for damages caused by the processing. You can find more information about several rights here.

This all confirms the relevance and importance of the Regulation. Today the Internet has become an essential part of the life of almost every person. Our personal data are far from safety. It is very important for everyone to be aware of the rights that they have according to the GDPR. Companies should inform users about their rights. It’ll help them to avoid problems with customers and supervisory authorities. Articles 13 and 14 of the GDPR require it. Typically, compliance with this obligation involves the publication of a Privacy Policy/Notice.

Sign up for the DPO Europe Newsletter

We will share useful materials with you and talk about the latest news from the world of privacy.

Data processing principles

Directive 96/46/EC, the predecessor of the Regulation, changed EU data privacy law. But the GDPR spelled out these rules in detail. This also applies to the six basic principles of personal data processing. You can find them in article 5 of the GDPR. Let’s go deeper into them.

Principles of processing according GDPR

Principle of lawfulness, fairness and transparency

You can obtain personal data only through legal means. There are only six legal grounds (Article 6 GDPR):

  • vital interests;
  • contract;
  • legal obligation;
  • public interest;
  • legitimate interest;
  • consent.

Before you collect data, you need to find one lawful basis (legal ground) in this list. It should fit your situation. If nothing fits, the processing will be illegal and you will infringe the Regulation. Fines for unlawful personal data processing are high and common..

Also, this principle requires that the data are processed without discrimination or deception. There is an infringement when you use phone model information to charge higher prices to their owners.

Transparent processing of personal data means people can easily access information about its purpose, timing, and scope. It is important for people who do not have profound knowledge of the GDPR to understand specific terms. Subjects shouldn’t have any questions on why and on what basis their data are processed.

Love to work together

We are open to cooperation with developing, enterprising companies.

Get an offer

The principle of purpose limitation

The company must define a clear purpose for data processing and stick to it. Using a customer’s address for anything beyond its stated purpose is not allowed. It can be sending unrelated mail or making a person a part of a marketing campaign without consent.

The principle of data minimization

Companies must collect only essential data for a specific purpose. Any information not crucial to achieving that goal is considered unnecessary. It should not be collected. When delivering a product, an address and phone number suffice. Collecting a customer’s birth date would be excessive.

The principle of accuracy

Personal data should be accurate and actual for its intended use. Companies must update or remove any incorrect information. For instance, if a customer moves, her new address should be promptly updated in the system to ensure correct deliveries.

The principle of storage limitation

Delete personal data once you fulfill the purpose of their processing. Don’t keep information longer than necessary. For example, remove a one-time customer’s address after delivering her order, as it’s no longer needed.

The principle of integrity and confidentiality

In today’s digital age, personal data face increased risks. The law requires protecting data from unauthorized access, damage, or loss. Building strong information security systems is crucial.

For example, you can protect customers’ privacy when delivering medicines. Just cover their names on the delivery list.

The principle of accountability

Under Article 5(2) of the GDPR, we need to be able to prove that we have complied with the principles above at any time. Moreover, failure to prove compliance is tantamount to non-compliance (presumption of guilt).

For example, a company delivers pizza. It can’t prove that their system erases the addresses to which pizzas were delivered. Even through internal documentation or a demonstration of software functionality. Which means the company have infringed the principle of accountability. A supervisory authority can issue them a fine without having to delve into investigating. Even if they were not actually storing data longer than necessary.

We hope you now have an idea of all the data processing principles of GDPR. However, this is only the first step. The Regulation is not just a set of rules that you can learn and apply everywhere you want. There are a lot of exceptions. Don’t be afraid to turn to professionals. They can help you build the right path to a data protection system aligned with the GDPR.

Privacy Roadmap

Training and support of the working group on the implementation of the GDPR based on the ISO27701 or Nymity Privacy Accountability Framework.

Get an offer

Territorial scope of the GDPR

GDPR applies in many countries, including Germany, France, Italy, Spain, Poland, and other countries across the EEA (EU + Norway, Iceland and Liechtenstein).

Any company with activities linked to the EU should consider GDPR compliance, even without having offices in the EU.

Now, let’s determine if your comply with the GDPR, when a specific business process is concerned.

GDPR applies not to companies, but to specific processes involving personal data. For some companies, all processing activities fall under GDPR, while for others, only some do. Let’s find out what your situation is.

First, ask yourself a question: “Is there personal data in this process?”

Is the answer positive? Then there are five more steps ahead. However, in some cases, you only need one “yes” for the GDPR rules to apply to the relevant process in your company.

Step 1: Does your company have an establishment within the EEA?

Before answering this question, we need to understand the concept of ‘establishment.’ According to Recital 22, an establishment doesn’t need to be a legal entity. It can be a branch, representative office, remote workplace, or even a single employee. If your company has any of these in the EU (from this moment on we will use the “EU” for the “EEA” for convenience), and they process data, the GDPR applies.

Let’s use the Weltimmo case as an example. Weltimmo, registered in Slovakia, also operates in Hungary. There it has a mailbox, bank account, and representative. The question was whether Slovakian or Hungarian law applied to these activities. The European Court of Justice decided that Hungarian law was applicable. The company had a representative, used a local bank account, and conducted activities there.

The GDPR also applies to non-EU processing if it’s related to an EU entity’s activities. For example, in the “González v. Google Spain” case. The Court ruled that Google Spain’s activities linked data processing in the U.S. to the European rules.

If you answered ‘yes’ to this Step, GDPR applies to your data processing, and you can skip the rest of the Steps in the scheme.

Love to work together

We are open to cooperation with developing, enterprising companies.

Get an offer

Step 2: Is the data subject in the EU?

It’s not about citizenship. It’s about where the data subjects are located. If you’re working with personal data of people in the EU, go to Step 3. If your subjects are outside the EU, you need to comply with the contry’s data protection law where the processing takes place (e.g. 152-FZ in Russia).

If you have a Spanish citizen working in your office in Moscow, the GDPR doesn’t apply to the processing of her data. You don’t need to go through other steps of the scheme.

If one of the data subjects is physically located in the EU, then go to Step 3.

Step 3: Is your processing related to the offer of goods and services to EU entities?

You are currently in this step if your company doesn’t have any establishment in the EU and sells goods or provides services to Europeans. In this case, it doesn’t matter whether you charge your customers or not. For example, the free version of the mobile app that you downloaded is also a service.

Since the Regulation applies to the particular processing, we need to analyze every separate business process to find out whether it is regulated by the GDPR. The processes can be different, for example:

  • recruiting employees for the Moscow office;
  • password recovery from an online service;
  • retargeting/remarketing of the visitors who have visited your site;
  • evaluation questionnaire.

Retargeting, the questionnaire and password recovery are parts of the provision of a service. Hence regarding these processing operations we answer ‘yes’ to question № 3 and move on to Step 4.

But hiring employees to the Moscow office is a processing of personal data not directly related to the offer of goods and services to Europeans. The job offer is neither a product nor a service. According to the scheme, we go straight to Step 6. There we will check whether we are monitoring the behavior of candidates for the position.

A Ukrainian online education platform sells programming courses in English worldwide, including the EU. Question: does the platform need to comply with GDPR? The online courses on this platform are services and we answer ‘yes’ to the question #3. So we need to go to Step 4 to find out if the activity is aimed at at least one EU country.

Step 4: Do you cover the possibility to provide goods and services to the subjects in the EU?

In fact, this is a question about presence in the European market. Sometimes it can be unclear whether GDPR applies when you receive an order from a person from the EU. In that case, the question to ask is: “Did you intend to offer goods or services in the EU, or is the order incidental?” The answer to this question is not always obvious.

For example, a store from Grodno (Belarus) sells designer clothes. The company’s website is available in Russian, Belarusian and English. Orders are accepted in any currency, and delivery is worldwide. It can be assumed that there is a targeting on the EU market. If an order comes from someone who lives in the EU, you have to comply with the GDPR when processing the order.

Reverse example. The store is in Minsk and delivers flowers around the city for Belarusian rubles. A resident of Poland ordered flowers on the store’s website to deliver them to his girlfriend from Belarus. The store targets only Minsk citizens. Ir doesen’t intend to go outside the country, the Pole who placed the order will not be protected by the GDPR.

So if your answer “yes” to the question about being in the EU market in Step 4, then the GDPR will apply to your processing. If your answer is “no,” then skip to Step 5.

Step 5: Does the processing involve monitoring the behavior of individuals who are in the EU?

«Monitoring of behavior» involves surveillance and further behavioral analysis/profiling of individuals. Mostly non-EU companies do this via the Internet. It helps them to predict people’s personal preferences, behavior and attitudes.

Consequently, if you are monitoring your European consumers, this process is covered by the GDPR.

An example of monitoring would be tracking users’ behavior on a website using cookies. This allows you to offer them more relevant products or services. It is often used by online store owners.

A few more cases from the supervisory authority’s guidelines:

A U.S. consulting company advises a mall in France on retail layouts. To do this, it uses WiFi to analyze the movements of people in that mall. In this case, analyzing the movements of shoppers is monitoring their behavior. Since the mall is located in France, the data is also obtained from there. Therefore, the GDPR will apply to this processing.

A developer of mobile fitness apps in Canada analyzes the physical activity of users around the world. The aim is to optimize performance and improve service quality. This processing is also governed by the European Regulation.

If you answer the question about behaviour monitoring positively, the GDPR will apply to the processing. If the answer is negative, then you don’t need to apply GDPR to the processing. Don’t forget, though, to follow your national data protection laws.

As we can see, the scope of GDPR is very broad. A large number of businesses both within and outside of the EU process their customers’ personal data and fall under its scope. We’ve highlighted the list of companies that should pay attention to GDPR compliance:

  • IT-product and IT-outsourcers;
  • banks and fintech companies;
  • hospitals and medical centers;
  • online schools and course hubs;
  • e-commerce and online stores;
  • hospitality businesses and hostels;
  • travel services and agents;
  • logistics and transportation (air, road, rail, sea, etc.);
  • communication and telecommunication services.

The Regulation is one of the most pressing issues of concern to entrepreneurs around the world. But GDPR compliance turns into a competitive advantage. You need to put some time and effort to achieve compliance. In return you will receive respect and trust of customers and partners.

Love to work together

We are open to cooperation with developing, enterprising companies.

Get an offer

Privacy Roadmap

Training and support of the working group on the implementation of the GDPR based on the ISO27701 or Nymity Privacy Accountability Framework.

Get an offer

Basic data protection principles: how to reach GDPR compliance?

If you’ve got to this point, whether to implement the GDPR or not is definitely out of the question. Let’s talk about the specific actions a company needs to take in order to comply.

GDPR-compliance is the alignment of a company’s business processes under the rules of the Regulation. According to the international ISO standard you need to take these measures to comply:

  1. Identify the context of the company’s business and determine its needs with regard to protection of personal data. Also identify the people who either shall be involved or are interested in tpersonal data pritection. Determine the scope of work. In other words, it is necessary to check the roadmap, select allies and formulate a goal.
  2. Enlist the support of the company’s management. It is crucial, since an extensive change in the processes and significant costs are likely to follow. What is more, it’s not uncommon for companies to limit their marketing activities and cary them out with less volume of personal data. Make sure that the management is aware of this.
  3. Plan personal data protection measures. Determine the areas of responsibility of various departments and employees.
  4. Agree on how you will assess the effectiveness of personal data protection program. It means, you have to indicate success markers and KPIs.
  5. Conduct an inventory of personal data and information systems. Fill out the register of personal data processing activities under article 30 GDPR (RoPA).
  6. Assess the risks for your company. They arise as a result of being subject to GDPR (fines, loss of contracts, difficulties in certain markets, customer loyalty). Determine which processes (personal data processing) create most of these risks.
  7. Draft required privacy documents (information privacy and security policies). Their content shall correspond the level of risks, type of business, corporate culture, organizational structure, etc.

Ensure a proper level of the company’s security measures. It’s of the utmost importance not only to develop a regulation on information security, but also to:

    1. appoint persons responsible for security. Vest them with the necessary powers or designate an information security department;
    2. organise processes of information assets control;
    3. develop rules for remote work and use of mobile devices;
    4. ensure management of access to personal data;
    5. screen employees, carry out internal and external audits;
    6. encrypt data;
    7. manage data breaches;
    8. provide physical protection;
    9. agree upon acquisition of new systems;
    10. connect with new providers and monitor them.

Highlight, structure and document all purposes of personal data processing. It is necessary to formulate goals not in legalese, but in simple language. Ensure that the text is both specific and clear, so that:

    • it is possible to distinguish separate processings in the processes according to the GDPR;
    • it is possible to determine one single legal ground for each processing;
    • a typical representative of your primary audience can understand what is going to happen with her personal data.

1) Choose one legal ground for each data processing purpose and indicate it in the Register of Processing Activities (RoPA). If you use consent, document it and meet the requirements of ISO27701. Start collecting consent, change or revoke it as needed, and prove consent was given. For legitimate interest, conduct a Legitimate Interest Assessment (LIA). Then document it, and implement safeguards. If the processing activity is basen on following a legal requirement, identify and refer to the relevant legal provision.

2) For processing biometric, medical data, data relating to criminal convictions or other special categories of data, also find an exception under Article 9(2) to ensure processing is allowed.

3) Identify all processing activities that rely on consent. Ensure you can prove to authorities that you obtained consent, including the circumstances (e.g., time, place, content).

4) Obtain consent for data processing either electronically, on paper, or verbally. If verbal, register it in a log or journal. Note that consent is only one of six legal grounds, and using it inappropriately may violate GDPR.

5) Conduct a Data Protection Impact Assessment (DPIA) if processing is likely to pose a high risk to individual’s rights and freedoms. Just follow Article 35 and DPIA guidelines.

6) Enter into binding agreements with all contractors to whom personal data are transferred. It is necessary to sign a Data Processing Agreement (DPA) in accordance with article 28 GDPR.

A DPA is a data processing agreement that must specify the following aspects:

  • scope, nature, and duration of the processing;

  • data subjects (it should be specified whether children’s data are being processed);

  • categories of data;

  • rights and obligations of the controller and processor;

  • technical and organizational data protection measures;

  • relations with sub-processors.

    Identify the processes where you determine the purposes and means of processing not by yourself, but together with another company. Enter into one or more contracts with joint controllers. Document the roles and responsibilities of joint controllers in any similar binding document. It should contain the terms of joint data processing.

    Develop, fill in and keep up to date the Records of Personal Data Processing Activities under article 30 GDPR (RoPA). It is a catalog listing purposes of data processing. It also includes information about the collected data, processors, retention periods. Checking RoPA is usually a starting point for the compliance audits. What is more, it helps to respond to data subjects’ requests quicker and more efficiently, since it makes the search for their data among departments and information systems easier.

  1. Determine and document sites where a data subject can find and read a privacy notice or policy. This is not just about having a relevant document on the website. It is necessary to come up with the ways to inform a data subject in case of offline interaction. For example in the office or at an event. Do the same with communication by phone. Also determine what rights a data subject has under the GDPR in relation to each processing activity. How will the subject be able to exercise his rights in diverse situations?For example, on the website or when using an application, when receiving emails, SMS, push-notifications, or phone calls. It is important to find out whether a person has the right to be forgotten in this process. How they will, if needed, request a copy of their personal data?
  2. If you make automated decisions with significant consequences for subjects, analyze what obligations you have in connection with personal data processing. These commitments must be fulfilled. For example, one has to:
    1. notify data subjects of the existence and logic of those automated decisions,
    2. reduce the risks of harm to rights and interests of people,
    3. provide them with the right to object to having the decision made automatically.
  3. The company should inform people about issues with their personal data. You need to include information about your processes in your privacy notices. It will be used to check the completeness of information provided to data subjects. In the GDPR this information is specified in Articles 13 and 14 and in the Guideline on transparency. What is more, data subjects can request information individually. Article 15(1) of the GDPR provides a list of information to be provided to a data subject upon her request.
  4. Provide the data subject with clear and accessible information about processing. You can do it with the help of privacy policy or notice. Under Articles 13 and 14 of the GDPR, you need to stipulate the purpose, legal grounds, duration of processing and recipients of personal data. Also you need to name the company, give the contacts of its DPO and provide the names of other companies, which either receive personal data from you or control the proccessing activity together with your company. Privacy policies should be easy to understand for a typical representative of the target audience. It means that the privacy policy needs to be translated into each of the languages of the interface. When drafting a privacy policy, get rid of legal slang, and, visualise information. Format and structure the text, add icons, pictures, videos, tables and tips.
  5. Develop and establish a process for revoking consent for processing personal data. Define the “customers” of the process along with its goals and results. Consider the performance indicators, resources, suppliers, and executors. Also, consider the owner of the consent withdrawal or change process.
  6. Create a process for managing objections based on legitimate or public interest. Requests for objection management may be considered, unlike in consent withdrawal, which shall be performed immediately. If a request is unreasonable, we can refuse to act on it.
  7. Create a business process for allowing access to personal data and for rectifying or deleting it.
  8. Establish a process to notify third parties, who received personal data, about relevant changes, for example, when a subject withdraws consent, requests rectification, or objects to processing. This helps recipients decide if they need to delete, block, or correct the data.
  9. Prepare to handle requests from data subjects regarding:
    1. access to their personal data in a human-readable format
    2. data portability in a machine-readable format. Identify the volume of data and the information systems involved. Implement this business process.
  10. Develop procedures to respond to data subjects’ requests promptly, within one month. Requests may involve access, rectification, deletion, blocking of personal data. Some requests may be connected with consent withdrawal, objections against data processing or automated decision-making.

  1. Reduce the collected data to the minimum needed for the declared processing purpose.
  2. Delete unnecessary information promptly. Limit access to data stored in the organization’s information system.
  3. Define the required accuracy level for each personal data category based on the declared purpose. For critical data, create procedures for correcting errors and updating outdated information.
  4. Use anonymous data whenever possible or switch to it as soon as feasible. Use the personal data processing register. It’ll help you map information to purposes, ensuring data is not reused improperly.
  5. Set up technical or organizational methods to delete or anonymize personal data after the retention period ends.
  6. Identify duplicates or temporary files with personal data in the system or departments. Create rules to delete these files when they are no longer needed.
  7. Specify a processing period or criteria for determining it for each personal data category. Use these dates to create Data Deletion Schedules.
  8. Document and implement procedures to dispose of media containing personal data.

  1. Use reliable channels to transfer personal data and prevent loss or leaks.
  2. Arrange cross-border personal data transfers outside the EU carefully. The most effective method is often signing Standard Contractual Clauses. It’s appendix to the Data Protection Agreement. Also you should regularly track counterparties through questionnaires and audits.
  3. Keep a record of the countries where the company sends personal data.
  4. Register personal data transfers to third parties. Ensure they can fulfill data subjects’ requests like access, deletion, or rectification.
  5. Log all disclosures of personal data to third parties (e.g., processors, partners, auditors, government agencies).

Appoint a person responsible for personal data protection (in some cases, this is an obligation). The process of bringing a company to the GDPR compliance requires a competent approach. Therefore, for the sake of effectiveness, it is better to consult a professional. But in some cases the Regulation requires a company to hire or outsource a DPO (Data Protection Officer).

Each processing should have a purpose. For example, a person decides to purchase a plane ticket. You have to explain: the company collects your passport data. It is called processing. We do this so that you can buy a ticket. This is purpose 1. Also we need it to check if you are not blacklisted to enter this country. This is purpose 2. There should be a legal basis for each purpose.

NB! Think of a legal basis, which is appropriate for purpose 1 and purpose 2 (they may be different legal bases).

The purpose must be disclosed to data subjects in the privacy notice (the so-called “privacy policy”). After that you need to adhere to the purpose declared. It’ll allow you to fulfill the principle of “purpose limitation”. The legal basis is determined on the basis of a purpose.

There are the following types of legal bases for personal data processing:

  1. Vital interest. Processing is necessary to save a person from death or serious injury. The threat must be real and actual at the moment of processing.
  2. Contract. You can’t perform a contract or provide a service without personal data processing.
  3. Legal obligation. Personal data processing is necessary for compliance with a legal obligation.
  4. Public interest. You carry out a processing in public interest. It is within the competence of a certain governmental authority. You processes personal data to assist the governmental authority. There is an important detail. You can apply this legal basis if a governmental authority will not succeed without help.
  5. Legitimate interest. Legitimate interests of a company must prevail over rights and interests of data subjects. For example, if a company’s business will be under threat if it stops processing personal data for this purpose.
  6. Data subject’s consent. Data subject permit to process their personal data for a purpose that is of little significance to the data subject. The consent must be free, specific and given in connection with a particular purpose. You must inform the person about all significant aspects with regard to use of their data. The person must express consent by an affirmative act.

In the example of selling an airplane ticket and checking against the “black list”, two different legal bases are used. For purpose 1 – a contract, for purpose 2 – a legal obligation.

Privacy Police Audit/Drafting

Our licensed professionals in personal data protection area will elaborate a Privacy Policy for you which is completely in line with the GDPR requirements.

Get an offer

GDPR Documents

What documents must a company have to follow GDPR requirements? Our consultants are often asked this question. But there is no answer and there can’t be one. The fact is that the documentation reflects the measures taken by the company. I is not required by any legal act per se (since paperwork itself is not a demonstration of compliance). Not all the measures are mandatory for companies. Although there are some that are necessary for most of them.

Examples of GDPR Documents:

    • Binding Corporate Rules (BCR)
    • Bring Your Own Device Policy
    • Business Continuity Plan
    • Contact list for Breach Response Team
    • Cookie Consent
    • Cross Border Personal Data Transfer Procedure
    • Data Breach Notification Letter to Data Subjects (template)
    • Data Breach Register
    • Data Breach Report
    • Data Breach Response Plan
    • Data Processing Agreement (DPA)
    • Data Protection Impact Assessment (DPIA)
    • Data Protection Policy (internal)
    • Data Protection Officer (DPO) Job Description
    • Data Retention Policy
    • Data Sharing Agreement
    • Data Subject Access Request Form
    • Data Subject Access Request Procedure
    • Data Subject Change Request Form
    • Data Subject Consent Form
    • Data Subject Consent Withdrawal Form
    • DPIA Register with Log of DPIA Outcomes and Implementation of Mitigating Controls
    • DPIA Threshold Assessment
    • DPIA Methodology
    • Employee Privacy Notice
    • Enterprise Privacy Risk Assessment
    • Guidelines for Data Inventory and Processing Activities Mapping
    • Incident Report Form
    • Information Assets for Disposal Log
    • Internal Audit Checklist
    • Internal Audit Procedure
    • Internal Audit Report
    • Joint Controllership Agreement
    • Legitimate Interest Assessment (LIA)
    • Letter of Appointment of Data Protection Officer (DPO)
    • Parental Consent Form
    • Parental Consent Withdrawal Form
    • Privacy or Data Protection Notice
    • Processor GDPR Compliance Questionnaire
    • Project Plan for Complying with the EU GDPR
    • Register of Data Transfers
    • Register of Privacy Notices
    • Register of Processing Activities (RoPA)
    • Standard Contractual Clauses (SCC)
    •  

Standard Contractual Clauses (SCC)

Standard Contractual Clauses (SCC) supplement or replace the DPA in the case of cross-border data transfers.

When we are going to transfer data from the EU outside the EU, the DPA itself may not be enough. To perform a cross-border transfer, we need to know whether the country provides an adequate level of data protection. If the country is “inadequate,” you can find out how to handle a cross-border data transfer here.

You can use these very SCC approved by the European Commission. Standard Contractual Clauses (SCC) is a model contract. It is concluded between the controller and the processor. Its form cannot be changed because it is standard. However, situations where extra provisions need to be specified may arise. For example the allocation of costs for audits of personal data protection. Then we do the following: the company concludes a DPA with these extra provisions, and the SCC is an appendix to it.

Privacy notice (policy)

The privacy notice (policy) is a public document that describes the fate of the customer’s personal data. It explains, for example, what personal data we process the company and to whom we transfer it.

In the past, before the widespread dissemination of the GDPR, only lawyers could understand the text of the document. It had too many complicated terms and constructions. Today, according to Article 12 of the GDPR, a company must inform users not by means of legal jargon. It should be concise, transparent, understandable way, without complex terminology. Also interactivity is only encouraged. For more details on what and how to write in privacy notices (policies), see GDPR articles 1213, and 14, or below in the text.

There are slight differences in the requirements depending on how the company collects personal data. It can be direct collection from the data subject or through intermediaries (recipients). Let’s look at each case.

Case 1: a company collects personal data from an individual directly. Then privacy notice must include the following information:

  • the name and contact information of the company, its representative, and data protection officer;
  • the purposes of processing personal data and their legal bases. Also you should include the legitimate interests of the organization;
  • details about cross-border transfers and the data protection mechanism;
  • the data retention period;
  • the rights of the data subjects;
  • the existence of an automated decision-making system, including profiling;
  • whether the provision of personal data is part of a legal or contractual requirement or obligation. The possible consequences of not providing personal data.

Case 2: the organization receives data through another company. Then the privacy policy should include all the same information, except for the last point. Plus, you must list the types (categories) of personal data you get about the person from a third-party source.

A privacy policy is a unique document for each company, so a template privacy policy will not work. “Data Privacy Office” has developed a special privacy policy checklist. It will not allow you to miss anything when you create a privacy policy “from scratch”. Also you you can check the correctness of an already created document.

Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessment (DPIA) analyzes the risks of data processing. It also selects measures to protect data..

In fact, we do not look at the risks to the company, but at the risks of violating people’s rights and freedoms. This includes, inter alia, the threat of psychological, physical, social, and economic harm to data subjects.

If you understand that data processing is likely to result in serious risk, make sure you do a DPIA before you start the processing. Article 35(3) of the GDPR provides examples where serious negative consequences are likely to occur. In these cases, a DPIA is mandatory. These are, for example:

  • a large number of surveillance cameras;
  • handling of medical records in a hospital;
  • credit rating;
  • monitoring employees' work devices and their online activities;
  • collecting geolocation data;
  • use of financial information for payments.

Thus, the Data Protection Impact Assessment is a kind of safety cushion. It allows you to identify risks and prevent them. It will be good investment for the future of the company. It protects against problems with supervisory authorities, partners, and customers.

Legitimate Interest Assessment (LIA)

If you work with personal data on the basis of legitimate interest, you have to do a legitimate interest assessment. This is both a formal procedure and a document, the contents of which are stipulated. During a LIA, you have to weigh the pros and cons of processing for both the company and the data subject.

The LIA is conducted in three stages:

    1. Аssessing whether there is a legitimate interest.
    2. Determination of the necessity for processing.
    3. Balance of interests (the interests of the data subject VS the interests of the company).

You should review the legitimate interests of the company periodically. Over time, depending on diverse factors, the purpose, nature or context of the processing may change. There is a high chance that this will affect the balance between you and the data subject. Consequently, the LIA should be updated accordingly.

This procedure helps to avoid problems in the future. It builds customer trust, while not to the detriment of the organization itself.

Love to work together

We are open to cooperation with developing, enterprising companies.

Get an offer

Sign up for the DPO Europe Newsletter

We will share useful materials with you and talk about the latest news from the world of privacy.

Where to begin?

TRAINING

When you train employees and heads of departments how to manage personal data, you reduce risks and increase loyalty. Start with training courses and certifications by Data Privacy Office and make a step towards compliance.

All training
GDPR data protection training and certification

GDPR Data Privacy Professional

The GDPR Data Privacy Professional course is the most popular GDPR course in the CIS countries, which has been conducted since 2018. It will provide you not only with comprehensive knowledge of the GDPR, but also with understanding of the logic of European standards in terms of personal data protection. The course is suitable for employees of different backgrounds, including non-lawyers. It is available in a group format (both online and offline), as well as in a self-paced mode.

Program

  • The 7 foundational principles of privacy by design by Ann Cavoukian;
  • Privacy by Default;
  • Privacy embedded into design;
  • Full functionality – positive-sum;
  • End-to-End Security – Lifecycle Protection.
  • Review of existing data privacy laws, standards and regulations;
  • Сases, court precedents, guidelines in information privacy;
  • The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data №108;
  • Directive 96/46.
  • Overview of present regulatory framework of data protection in EU (GDPR+);
  • History of EU General Data Protection Regulation (GDPR);
  • Territorial and material scope of GDPR;
  • Structure of GDPR text (recitals, business related articles etc);
  • Overview GDPR related acts;
  • National data privacy legislation;
  • Legal precedents;
  • Guidelines and opinions of Article 29 Working Group (Art29WP) / European Data Protection Board (EDPB);
  • Guidelines of national supervisory authorities (SAs);
  • Overview of risks, fines, responsibilities related to personal data processing;
  • Mapping of the different data protection laws to the rules applicable in EU.
  • The concepts of personal data (PD), identifier, data subject;
  • Formula of Persomal Data “(id-x)+info”;
  • Cases of (non-)personal data;
  • Biometric data.
  • The concepts of personal data (PD), identifier, data subject;
  • Formula of Persomal Data “(id-x)+info”;
  • Cases of (non-)personal data;
  • Biometric data.
  • Transparency of processing;
  • Purpose limitation;
  • Data minimisation;
  • Storage limitation;
  • Accuracy;
  • Integrity and confidentiality;
  • Accountability.

 

  • The 7 foundational principles of privacy by design by Ann Cavoukian;
  • Privacy by Default;
  • Privacy embedded into design;
  • Full functionality – positive-sum;
  • End-to-End Security – Lifecycle Protection.
  • Consent;
  • Conditions for consent;
  • Getting consent in UX;
  • Contract;
  • Legal obligation;
  • Vital interest;
  • Public interest;
  • Legitimate interest;
  • Balancing test of Legitimate Interest Assessment (LIA).
  • Modalities for exercise of the rights of the data subject;
  • Right to information about processing;
  • Right to access personal data;
  • Right to rectification;
  • Right to restriction of processing;
  • Right to be forgotten;
  • Right to data portability;
  • Right to object;
  • Right to not be subject of automated decision-making;
  • Data subject’ rights restriction;
  • Case “Nightmare letter from data subject”.
  • Check-box approach vs risk based approach;
  • Concept of risk;
  • Risk likelihood and severity;
  • GDPR terminology related to risks (high risk, likely etc);
  • Data Protection Impact Assessment (DPIA) requirement under GDPR;
  • When DPIA is mandatory;
  • BIA (Business Impact Assessment) or SIA (Security Impact Assessment) as triggers for DPIA;
  • General approach to conduct DPIA;
  • Describing processing operations, personal data and supporting assets;
  • Legal and risk-treatment controls;
  • Risk sources, feared events, threats and risks;
  • Tools for Data Protection Impact Assessment.
  • GDPR requirements to information security;
  • Data breach notification of supervisory authorities and data subjects;
  • Technical and organisational measures of managing information security risks.
  • Overview of GDPR rules on cross-border data flow;
  • Documenting international transfers of personal data;
  • Data Processing Agreement;
  • Binding Corporate Rules;
  • Standard Contractual Clauses;
  • Codes of conduct and certifications;
  • Derogations relating to cross-border data transfers for specific situations.
  • Representative in EU;
  • Data Protection Officer / DPO.
Learn more

GDPR Data Privacy Manager

A practical course on creating a data protection system based on the ISO international standard. It will give privacy specialists everything they need to manage a company's personal data protection system throughout its lifecycle. As a result, these managers will not only know and understand the requirements of the GDPR, but also how to make it all work in any organisation.

Program

  • Concepts of privacy, data privacy, data protection. Types of privacy;
  • History of data privacy;
  • Taxonomy of privacy by Daniel Solove;
  • Social implications of data privacy;
  • Overview of evolution of privacy laws.
  • Analysis of information assets, business needs, and regulatory and contractual requirements;
  • Organizational entity dealing with data protection;
  • Needs and expectations of stakeholders;
  • Scope of privacy programme;
  • Governance models of privacy programme.
  • Nymity Accountability Status Workbook;
  • Nymity Data Privacy Accountability Scorecard;
  • Assessment and treatment of the data privacy risks;
  • Selection and implementation of controls.
  • Internal policies;
  • Policy types.
  • Determination of the necessary resources and their allocation;
  • Acquisition and maintenance of competencies
    Raising Awareness;
  • Internal communication;
  • External communication.
  • Support of management and other stakeholders;
  • Role and Responsibility Matrix for GDPR implementation;
  • Distribution of responsibilities with RACI Chart;
  • Privacy Team;
  • Data Protection Officer.
  • Process approach;
  • Maintaining the records of processing activities (Data register) under the GDPR;
  • Conducting Data Protection Impact Assessment (DPIA);
  • Assessing vendors;
  • Processing requests from personal data subjects (DSARs);
  • Data breach notification.
  • Conditions for collection and processing;
  • Obligations to data subjects;
  • Privacy by design and privacy by default;
  • Sharing, transfer and disclosure of personal data.
  • Monitoring, measurement, analysis and evaluation;
  • Audits, their stages and types;
  • Nonconformity and corrective action.
Learn more
DPT DPO EUROPE

Data Privacy Technologist

A practical course on the technical side of privacy and security in IT products. We tell you how to develop private software, protect data at all levels of architecture and use modern technologies correctly. A course for those who want to speak the same language as the technical team. Learn more from our managers.

Learn more

CONSULTING

The decision to resort to a consultant is important when deadlines are tight and there can’t be a mistake. The consultants will ensure that your actions are correct. They provide you with a clear rationale. When you turn to Data Privacy Office consultants, they take into account peculiarities and recources of your business.

Data Privacy Office customers often order complex products: GDPR Roadmap or DPO Outsourcing. We will talk about them below. Some opt for separate services under the GDPR: GDPR Compliance AuditPrivacy Policy and Notice AuditData Protection Impact AssessmentGDPR Gap AnalysisData MappingPrivacy Engineering Team OutsourcingRecord of Processing Activities.

All solutions

GDPR Roadmap + Implementation Program

We designed the program for a systematic implementation of personal data protection under ISO 27701. This international standard on data protection is suitable for all types of companies. It is your opportunity to delegate coordination of the project and bring your business to compliance. We use our own “GDPR Roadmap” methodology. It allows us to set up personal data protection in small companies without their own well-built business processes.

Implementation steps:

  • Creating a privacy team. It will conduct training for the members of the. The course bases on the body of knowledge of the international certification CIPP/E.
  • Identifying gaps under the GDPR.
  • Selection of and planning suitable ISO27701 activities according to their priority.
  • Assessment of resources needed to implement the GDPR Roadmap.
  • Creation of an action plan for implementation of a privacy protection system.
  • Implementation of the GDPR into the processes. Elimination of violations of the GDPR while not interfering into pursuing business goals.
Learn more

DPO (Data Protection Officer) Outsourcing

The company gets an experienced and competent specialist. They are able to resolve issues related to the GDPR. And – what is equally important – they take responsibility for them. The Data Privacy Office expert embodies your protection against the supervisory authority. The functions of the DPO include the following:

  • Taking care of communication and consulting colleagues on any privacy issues;
  • Coordination of work on the protection of personal data;
  • Consideration of requests from personal data subjects;
  • Analysis of operations, which are not compliant with the GDPR;
  • Maintaining the register of processing activities under Article 30 GDPR;
  • Regular update of internal and external documents;
  • Conducting a Data Protection Impact Assessment (DPIA) for risk processes;
  • Management of personal data breaches and notifications of data subjects and supervisory authorities.
Learn more

Penalties for failure to comply with GDPR rules

As you may have realized, the General Data Protection Regulation is a serious legal act of direct application. Its violation which entails serious sanctions. The European Union has set quite severe penalties. It’s all for the sake of the protection of personal data.

Violations of the Regulation are subject to fines of up to EUR 10,000,000 or up to EUR 20,000,000. The amount varies depending on the GDPR article. If the company’s turnover exceeds half a billion euros, the largest penalty is a percentage of last year’s global turnover.It varies from 2% to 4%. The sanctions are set by Article 83 of the GDPR.

Supervisory authorities can fine both controllers and data processors. Fines can be imposed instead of, or together with other measures.

Fines during the period of application of the Regulation:

Meta — €1.2 billion

At the heart of the violation is the transfer of Facebook user data from the EU to the US. This practice the DPC deemed a risk to the “fundamental rights and freedoms” of EU citizens under the GDPR. The primary concern is the potential exposure of EU citizens to privacy violations by US surveillance programs.

Amazon — €746 million

The Luxembourg Data Protection Authority (CNPD) fined Amazon a record €746 million. The fine followed a 19-page complaint from French privacy group La Quadrature du Net in 2018. The complaint was on behalf of more than 10,000 consumers. They alleged that Amazon manipulates customers for commercial purposes. The company was choosing which ads and information they receive.

These five cases only prove the importance of complying with the GDPR. Implementing GDPR is usually much more profitable for a company than acting on a “maybe we’ll get away with it” principle. Regulators usually find violations due to dissatisfied people. Among them: customers, the media, bloggers, disgruntled former employees. Also privacy becomes a marketing differentiator for new brands and attracts customers. Getting your systems and processes organised is a task that any business seeking success will face someday.

We hope you found this article helpful. Now you understand the basic rules of the GDPR and how to work with them. However, if it is difficult for you to cope on your own, then you can always turn to our experts for help. This will become an investment in the future of your company as well as a competitive advantage in the market right now. So, as a GDPR-compliant, you will earn trust and respect from customers and partners. It is undoubtedly a valuable resource for any business.

LinkedIn — €310 million

The Irish Data Protection Commission’s website says: “The inquiry examined LinkedIn’s processing of personal data for behavioural analysis and targeted advertising of users who have created LinkedIn profiles.”

What did they do wrong?

      1. Invalid Consent for Third-Party Data. LinkedIn improperly relied on Article 6(1)(a) of the GDPR. It requires valid consent for processing third-party data. The consent obtained was not freely given, lacked enough information. It was neither specific nor unambiguous.
      2. Misuse of Legitimate Interests. The company failed to justify its processing of first-party personal data under Article 6(1)(f) for legitimate interests. LinkedIn’s interests were outweighed by the rights and freedoms of its users on their privacy.
      3. Inappropriate Use of Contractual Necessity. LinkedIn wrongly invoked Article 6(1)(b) about contracts. It needed to process first-party data for behavioral analysis and targeted ads.It was not valid in this context.
      4. Lack of Transparency in Information Provided. The information provided to users about the legal bases for data processing didn’t follow Articles 13(1)(c) and 14(1)(c) of the GDPR. They failed to inform data subjects about their rights and the processing activities.
      5. Violation of Fairness Principle. LinkedIn’s practices breached Article 5(1)(a) of the GDPR. It mandates that personal data processing must be fair. Users found the methods used for behavioral analysis and targeted advertising unfair.

WhatsApp — €225 million

The Irish Data Protection Commission conducted an inquiry into whether WhatsApp adequately informed its users and non-users about personal data processing. The inquiry revealed significant deficiencies in WhatsApp’s privacy policy and related materials. The information about the legal bases for processing was confusing. It didn’t clearly explain which basis applied to specific processing activities. WhatsApp also failed to adequately inform users about data retention practices and the categories of recipients of personal data.

Google — €150 million

CNIL stated the websites facebook.com, google.fr and youtube.com do not allow easy opt-out of cookies.

H&M — €35.3 million

This decision was made by Hamburg after the Swedish mass-market brand had monitored hundreds of its employees. This processing included data about the personal lives of employees. It subsequently became available throughout the company.

TIM (telecommunications operator) — 27.8 million

The company committed a number of violations. Issues include: lack of consent for marketing, contacting those who opted out, invalid consents in TIM apps, weak security for personal data, and unclear data retention periods.

British Airways — €22 million

Hackers accessed British Airways’ internal network with login credentials from a third-party supplier. They remained undetected for almost six weeks. Investigators determined that the airline failed to recognise the security vulnerabilities. It allowed the attack to occur according Article 32 GDPR.

Hotel group Marriott International, Inc. — €20.5 million

In 2016 Marriott acquired another group of companies. It was also related to the hotel business. Later it turned out that since 2014 this group of companies had a serious vulnerability in the data protection system. Marriott found out about it in 2018, after the leak. It affected 339 million users. The information included banking information and other personal data.

Contact us

Fill in the form and we will contact you as soon as possible!

Inst

Frequently Asked Questions

What is GDPR and who does it apply to?

GDPR, or General Data Protection Regulation, is a comprehensive data protection law in the European Union that applies to any organization that processes personal data of individuals within the EU. This includes businesses and entities outside the EU if they collect or process personal data of EU citizens.

What types of personal data are protected under GDPR?

Personal data under the GDPR includes any information that relates to an identified or identifiable individual, such as names, email addresses, biometric data, and other identifiers. This regulation also categorizes certain types of data as sensitive, which require additional protections.

How does GDPR define consent in relation to personal data?

GDPR defines consent as a clear and affirmative indication of the data subject’s agreement to the processing of their personal data. Consent must be freely given, specific, informed, and unambiguous. Organizations must also provide an easy way for individuals to withdraw consent.

What are the rights of data subjects under GDPR?

The rights and freedoms of data subjects under GDPR include the right to access their personal data, the right to rectification, the right to erasure (‘right to be forgotten’), the right to restrict processing, the right to data portability, and the right to object to processing.

What are the obligations of a data controller under GDPR?

A data controller must ensure that personal data is processed lawfully, transparently, and for specified purposes. They are also required to implement appropriate technical and organizational measures to protect personal data and to appoint a data protection officer if necessary.

What happens if an organization violates the GDPR?

Violating the GDPR can result in substantial fines and penalties. The European Data Protection Board has the authority to impose fines that can reach up to 20 million euros or 4% of the organization’s total global turnover, whichever is higher.

How does GDPR impact the processing of biometric data?

Article 9 of the GDPR specifically prohibits the processing of biometric data unless specific conditions are met. Biometric data is considered sensitive personal data, and its processing requires explicit consent from the data subject or must meet other legal criteria.

What is the role of the European Data Protection Board?

The European Data Protection Board (EDPB) is responsible for ensuring consistent application of GDPR across the EU. It provides guidance, issues recommendations, and facilitates cooperation between national data protection authorities to uphold data privacy laws across member states.

Can data be transferred outside the EU under GDPR?

Yes, data may be transferred outside the EU, but organizations must ensure that adequate protections are in place for the data. This can be achieved through mechanisms such as Standard Contractual Clauses or by ensuring that the third country has an adequate level of data protection recognized by the European Commission.

What is GDPR — General Data Protection Regulation?
What is GDPR?

A full guide on General Data Protection Regulation or GDPR for short. Here you’ll learn what is personal data, what are the rights of subjects, how to comply with the regulation.

Learn more

Contact Sales

Learn what Data Privacy Office Europe can do for you.

Fill out the form and we will contact you as soon as possible!