GDPR compliance

The General Data Protection Regulation (GDPR) sets out in detail the requirements for the collection, storage and
management of personal data by businesses and organizations. The requirements
apply to organizations established in the EU that process the personal data of individuals in the EU,
and also to non-EU organizations that target people living in the EU.

Mediabranch undertakes the compliance of your business with the GDPR (General Data Protection Regulation).

When does the General Data Protection Regulation (GDPR) apply?

The GDPR applies if:

  • your business processes personal data and is based in the EU, regardless of where the data is actually processed
  • your business is based outside the EU but processes personal data relating to the provision of products or services to individuals within the EU, or monitors the behavior of individuals within the EU

A business that is not established in the EU but processes the personal data of individuals in the EU must, with limited exceptions, appoint a representative in the EU.

When does the General Data Protection Regulation (GDPR) not apply?

The GDPR does not apply if:

  • the data subject is deceased
  • the data subject is a legal entity (e.g. a company), not a natural person
  • the processing is carried out by an individual for purely personal or household purposes, outside any commercial, business or professional activity

What is personal data?

Personal data is all information relating to an identified or identifiable person, who is called data subject. Personal data includes information such as:

  • name
  • address
  • ID card/passport number
  • income
  • cultural profile
  • Internet Protocol (IP) address
  • data held by hospitals or doctors that uniquely identifies a person (e.g. a patient number).

Special categories of data

The processing of personal data revealing the following characteristics of a person is prohibited, except in specific cases (e.g. where the data subject has given explicit consent, or where the processing is necessary for reasons of substantial public interest under EU or national law):

  • racial or ethnic origin
  • sex life or sexual orientation
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data, biometric data (used to uniquely identify a person) and health data
  • personal data relating to criminal convictions and offences, which may only be processed under the control of official authority or where EU or national law permits it

Who processes personal data?

During processing, personal data may pass through various businesses or organizations. Within this circle, there are two main profiles that deal with the processing of personal data:

  • The controller, who decides the purpose and manner of processing personal data
  • The processor, who stores and processes the data on behalf of, and on the instructions of, the controller.

Who monitors within the company how personal data is processed?

The data protection officer (DPO), who may be appointed by the business, is responsible for monitoring the processing of personal data and for informing and advising the employees who process personal data about their obligations. The DPO also cooperates with the Data Protection Authority (DPA) and acts as the point of contact for both the DPA and data subjects.

When should you appoint a data protection officer?

You must appoint a DPO if all of the following apply to your business (public authorities must always appoint one):

  • it monitors individuals on a regular and systematic basis, or processes special categories of data or data on criminal convictions
  • this processing is one of its core business activities
  • the processing takes place on a large scale.

For example, if you process personal data to target ads through search engines based on people's online behavior, you must appoint a DPO. If, on the other hand, you only send your customers promotional material once a year, you do not need to appoint a DPO. Likewise, if you are a single doctor collecting data about your patients' health, you probably do not need a DPO. However, if you process genetic and health data on a large scale on behalf of a hospital, you must have a DPO.

The DPO can come from within your organization or be an external partner under a service contract. The DPO can be an individual or part of an organization.

Processing data for another business

The data controller may only entrust data processing to a processor that provides sufficient guarantees, and those guarantees must be set out in a written contract between the parties. The contract must also contain certain mandatory clauses, for example that the processor will process personal data only on the documented instructions of the controller.

Data transfer outside the EU

When personal data is transferred outside the EU, the protection afforded by the GDPR continues to apply to that data. This means that if you export data abroad, your business must ensure that one of the following measures is followed:

  • the non-EU country applies data protection rules deemed adequate by the EU (an adequacy decision)
  • your business puts appropriate safeguards in place, such as including the EU-approved standard contractual clauses in the contract with the non-EU importer of the personal data
  • your business relies on one of the specific derogations for the transfer, such as the explicit consent of the data subject.

When is data processing permitted?

According to EU data protection rules, processing must be carried out lawfully, fairly and transparently, for a specific and legitimate purpose, and cover only the data necessary to achieve that purpose. To process personal data you must meet at least one of the following conditions:

  • you have the consent of the data subject
  • you need the personal data to perform a contract with the data subject
  • you need the personal data to comply with a legal obligation
  • you need the personal data to protect the vital interests of the data subject
  • you process the personal data to carry out a task in the public interest
  • you act in the legitimate interests of your business, provided that the fundamental rights and freedoms of the data subject are not seriously affected. If the data subject's rights override your business interests, you cannot process their personal data on this basis.

Consent to data processing

The GDPR sets strict rules for consent-based data processing. The purpose of these rules is to ensure that data subjects understand what they have actually consented to. This means that consent must be freely given, specific, informed and unambiguous, in a statement expressed in plain and understandable language. Consent must be given by a clear affirmative act, e.g. by ticking a box on a website or by signing a declaration; pre-ticked boxes, silence or inactivity do not count as consent.

Where consent has been given to process personal data, you may only process the data for the purposes for which consent was given. You must also allow the data subject to withdraw their consent at any time, and withdrawing consent must be as easy as giving it.

Providing transparent information

You must provide data subjects with clear information about who is processing their personal data and why. You must provide at least the following information:

  • who you are
  • why you process the personal data
  • what the legal basis for the processing is
  • who will receive the data (if anyone)

In some cases, the following information must also be given:

  • the contact details of the data protection officer (DPO), if one has been appointed
  • the legitimate interest the business pursues, when you rely on this legal basis for the processing
  • the measures that apply to the transfer of data to a country outside the EU
  • how long the data is stored
  • the rights of the data subject regarding the protection of their data (e.g. the rights of access, rectification, erasure, restriction of processing, objection, portability, etc.)
  • how consent can be withdrawn (when consent is the legal basis for the processing)
  • whether there is a statutory or contractual obligation to provide the data
  • the logic involved, and the significance and consequences of the decision, in the case of automated decision-making.

You must give this information in clear and understandable language.

Special rules for children

If you offer an online service directly to children and collect their personal data on the basis of consent, for example for a social media account or a download account, you must obtain the consent of the child's parent or guardian and make reasonable efforts to verify that it was actually given by them. The age below which a person is considered a child for this purpose is 16 under the GDPR, but Member States may lower it, to no less than 13, so it varies by country of residence.

Right of access and right of data portability

You must ensure that data subjects can exercise their right of access to their personal data, free of charge. If you receive such a request, you must:

  • inform the data subject whether or not you are processing their personal data
  • provide them with information about the processing (purpose, categories of personal data processed, recipients of the data, etc.)
  • give them a copy of the personal data you are processing (in an accessible format)

When the processing is based on consent or a contract and is carried out by automated means, the data subject can also ask you to hand their personal data back to them or to transmit it directly to another company. This is known as the right to data portability. You must provide the data in a structured, commonly used and machine-readable format.

Right to rectification and right to object

If a data subject believes that their personal data is incorrect, incomplete or inaccurate, they have the right to request its correction or completion without undue delay.

In this case, you must inform every recipient to whom you disclosed the personal data that it has been corrected, restricted or erased, unless this proves impossible or involves disproportionate effort; if the data subject asks, you must also tell them who those recipients are.

The data subject can also object, at any time, to the processing of their personal data for a specific purpose when your business processes it on the basis of its legitimate interest or for reasons of public interest. In this case you must stop processing the personal data unless you can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject.

Similarly, the data subject may request that the processing of their personal data be restricted while it is being determined whether your legitimate grounds override their own. In the case of direct marketing, however, you must always stop processing the personal data when the data subject objects.

Right to erasure ("right to be forgotten")

In some cases, the data subject can ask the controller to erase their personal data, e.g. when the data is no longer needed for the purpose for which it was collected or when they withdraw the consent on which the processing was based. However, your business does not have to do this if:

  • the processing is necessary to exercise the right of freedom of expression and information
  • you must keep the personal data to comply with a legal obligation
  • there are other public interest reasons for keeping the personal data, such as public health or scientific, historical research or statistical purposes
  • you must keep the personal data to establish, exercise or defend legal claims

Automated decision making and profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects for them. There are some exceptions to this rule, for example when the data subject has given explicit consent to such a decision or when the decision is necessary to enter into or perform a contract with them. Unless the automated decision is authorized by EU or national law, your business must:

  • inform the data subject that automated decision-making is taking place
  • give them the right to obtain human intervention, i.e. to have the automated decision reviewed by a person
  • enable them to express their point of view and to challenge the automated decision

For example, if a bank takes an automated decision regarding the granting of a loan to a particular person, that person must be informed of the automated decision and have the possibility to challenge the decision and request human intervention.

Data breaches – providing appropriate notice

A data breach is a security incident in which personal data you are responsible for is accidentally or unlawfully disclosed to or accessed by unauthorized recipients, or is lost, altered, corrupted or made unavailable.

If a data breach occurs and it is likely to result in a risk to the rights and freedoms of individuals, you must notify the Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a processor must notify the controller without undue delay.

If the breach is likely to result in a high risk to the individuals affected, your business must also inform them directly, without undue delay.

Handling data subject requests

If your business receives a request from a data subject who wishes to exercise their rights, you must respond without undue delay and in any case within 1 month of receiving the request. This period may be extended by a further 2 months for complex or numerous requests, provided you inform the data subject of the extension and its reasons within the first month. Requests are handled free of charge, unless they are manifestly unfounded or excessive.

If you refuse a request, you must inform the data subject of the reasons for the refusal and of their right to lodge a complaint with the Data Protection Authority and to seek a judicial remedy.

Impact assessment

Conducting a Data Protection Impact Assessment (DPIA) is mandatory when the planned processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular when new technologies are used.

Such a high risk arises when:

  • automated data processing and profiling mechanisms are used when evaluating individuals
  • a public area is monitored over a large area (e.g. CCTV cameras)
  • special categories of data or personal data related to criminal convictions and offenses are processed on a large scale (e.g. health data)

Note: Data Protection Authorities may also consider other categories of data processing to be high risk.

If the measures identified in the DPIA do not sufficiently mitigate the high risks found, you must consult the Data Protection Authority before the planned processing takes place.

Record keeping

You must be able to demonstrate that your business is acting in accordance with the GDPR and fulfills all its obligations – especially upon request or as part of an inspection by the Data Protection Authority.

One way to do this is to keep detailed records of items such as:

  • the name and contact details of the controller (and, where applicable, of any joint controller, representative and DPO)
  • the purposes of the processing
  • a description of the categories of data subjects and of the categories of personal data
  • the categories of recipients to whom the personal data has been or will be disclosed
  • any transfer of personal data to a country outside the EU or to an international organization, and the safeguards applied
  • where possible, the envisaged retention periods for the different categories of data
  • where possible, a general description of the technical and organizational security measures applied

Your business must also maintain – and regularly update – written procedures and instructions and communicate them to its staff.

Warning

If your business has fewer than 250 employees, you do not need to keep records of the processing activities you carry out, as long as the processing:

  • is only occasional
  • is not likely to result in a risk to the rights and freedoms of data subjects
  • does not involve special categories of data or data on criminal convictions and offences

Data protection by design and by default

Data protection by design means that your business must consider data protection from the earliest stages of planning any new way of processing personal data. According to this principle, a data controller must take all the technical and organizational measures necessary to implement the data protection principles and to protect the rights of data subjects. These measures could include, among other things, pseudonymization and data minimization.

Data protection by default means that your business should always choose the most privacy-friendly settings as the default settings. For example, if two privacy settings are possible and one of them prevents third parties from accessing personal data, that setting should be the default.
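The paragraphs above name pseudonymization as one of the technical measures a controller can apply, but do not show what a practitioner would actually build. The following is an added example written for this page (it is not Mediabranch's code and the records, keys and field names are constructed for illustration): it replaces direct identifiers with keyed pseudonyms (HMAC-SHA256) so that a data set handed to a processor or an analytics team no longer carries names, e-mail addresses or customer numbers in clear, while the key and the reverse lookup table, the "additional information" that makes re-identification possible, stay with the controller and are stored separately. A plain hash would not do here: e-mail addresses and customer numbers are easy to guess, so anyone holding the data set could hash candidates and re-identify rows; with a secret key that attack fails. The example also derives a distinct key per processing purpose, so that two data sets released for different purposes cannot be joined on the pseudonym.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for this example; the people and values are made up.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.org", "city": "Athens", "order_total": 120.50},
    {"customer_id": "C-1002", "email": "nikos@example.org", "city": "Patras", "order_total": 89.90},
    {"customer_id": "C-1001", "email": "anna@example.org", "city": "Athens", "order_total": 15.00},
]

# Fields that directly identify a person and must not leave the controller in clear.
# (Assumed field names for this example.)
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.

    Deterministic for a given key, so rows about the same person still join;
    infeasible to reverse or to confirm by guessing without the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def purpose_key(master_key: bytes, purpose: str) -> bytes:
    """Derive a separate key per processing purpose (e.g. 'analytics', 'marketing').

    Data sets pseudonymized under different purpose keys carry unrelated
    pseudonyms, so a recipient holding both cannot link them (purpose limitation).
    """
    return hmac.new(master_key, purpose.encode("utf-8"), hashlib.sha256).digest()


class Pseudonymizer:
    """Replaces direct identifiers with keyed pseudonyms.

    The key and the reverse lookup table are kept by the controller, separately
    from the pseudonymized data set that is released; only the controller can
    map a pseudonym back, e.g. to answer an access or erasure request.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)  # copy; other fields (city, amounts) pass through unchanged
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                clear = str(out[field])
                p = pseudonym(clear, self.key)
                self._reverse[p] = clear
                out[field] = p
        return out

    def pseudonymize_all(self, records: Iterable[dict]) -> List[dict]:
        return [self.pseudonymize(r) for r in records]

    def reidentify(self, value: str) -> Optional[str]:
        """Controller-side only: map a pseudonym back to the original identifier."""
        return self._reverse.get(value)


def contains_direct_identifiers(released: Iterable[dict], originals: Iterable[dict]) -> bool:
    """Release check: True if any original identifier value survives in the released data set."""
    clear_values = {str(r[f]) for r in originals for f in DIRECT_IDENTIFIERS if f in r}
    return any(str(v) in clear_values for r in released for v in r.values())


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # in practice: kept in a KMS/HSM, not beside the data
    analytics = Pseudonymizer(purpose_key(master, "analytics"))
    released = analytics.pseudonymize_all(SAMPLE_RECORDS)
    for row in released:
        print(row)
    print("identifiers leaked:", contains_direct_identifiers(released, SAMPLE_RECORDS))
    print("controller re-identifies:", analytics.reidentify(released[0]["email"]))
```

Two design points matter in practice. First, pseudonymized data is still personal data under the GDPR as long as the key or lookup table exists somewhere, so the controller's obligations do not disappear; what changes is that a leak of the released data set alone does not expose identities. Second, rotating the purpose key, or deleting it, is how the controller later makes an old release unlinkable when the retention period ends.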

Violation of the rules and penalties

Failure to comply with the GDPR can lead to significant administrative fines of up to €20 million or 4% of the company's total worldwide annual turnover, whichever is higher, for the most serious violations. The Data Protection Authority may also impose additional corrective measures, e.g. ordering you to stop processing personal data.


Are you ready to grow your business?

If you have a project, questions or want to discuss your idea, we are here for you.
Let's create something amazing together!


1. Tell us a little about yourself and your idea.
2. One of our associates will contact you shortly to discuss how we can help.
3. Let our cooperation begin!
