FAQ (Frequently asked questions)

GDPR makes no distinction between B2B and B2C and applies for both of them. Even though PECR (Privacy and Electronic Communications Regulations) allowed soft opt-out approach in email marketing, the new ePrivacy Directive is under review and is going to align with the GDPR.

GDPR will officially apply from 25th May 2018, at which time those companies or organizations in non-compliance may be subject to fines. You need to prepare for regulation and have process in place for the main principals , rights of the individual and responsibilities of the controller or processor.

It applies to all 28 EU member states and to entities and organizations outside the EU when processing the data of citizens within it.

If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not you the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement an equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.

The conditions for consent have been strengthened, as companies will no longer be able to utilize long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​  Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37).  If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​  Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast the the previous legislation, which is a directive.

Article 5 of the GDPR states that personal data shall be:

• Processed lawfully, fairly and transparently
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and confined to what is necessary
• Accurate and kept up to date
• Held for no longer than necessary
• Processed in a manner that ensures appropriate security, i.e. guards against:
• Unauthorised or unlawful processing
• Accidental loss, destruction or damage
• Organisations are required to demonstrate compliance with the above principles.

Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay. 

In the GDPR regulation, the definition of personal data is formulated very generally. We cite particular examples and the most common types of personal data on our website, but unfortunately, given the breadth of the regulation, it is not easy to list all the types of data that are considered personal. What can be said is that the regulation applies to any kind of data concerning a determinate or determinable individual. Please visit the ICO web site for guidance and examples of PII.

Yes. Contact data of a natural person are considered personal data. And personal data come under the competence of GDPR. You and the operator of the web app both have to approach them accordingly.

Data which is required by a particular legal act (such as in a police investigation) can be collected without the explicit consent of the subject. But of course, the data must adhere to other requirements of GDPR. For example, they have to be secured against being misused by police.

The right to be forgotten is not an absolute right. It is possible to put it into effect only if the data is no longer necessary for the purpose it was originally gathered or processed for. Another case in which personal data cannot be deleted is when there is another legal obligation or law that directly obstructs the deletion (for instance the archiving law – which requires some documents containing personal data to be kept for a time period defined by law)

There is no particular, regulated, consent language. You can refer to EU language recommendations, or preferably, consult with legal offices that provide consultancy services. It is important to consider all customer touch points , from websites through to face to face applications, orders and contracted services.

The simple answer is yes as existing data can only continue to be used if you already have asked for consent when collecting the information, and also on why you collected it. If you must process the data in order to provide products or services, then the data can also be minimally processed without consent. For example you definitely need an address to be able to send a product to a customer. In your case, you have to consider whether or not you really need the contact information of each customer – it depends on your purposes.

Yes, it is essential to verify the stated age of the person who gives consent for data processing. Parental consent is required when processing personal data of persons up to the age range of 13-16. The particular upper age limit is set by each country in the EU must be selected based on the respective country.

There is no particular, regulated, consent language. If operating across the European community it is advisable to review each member state specific regulatory rules on language .You can refer to EU language recommendations, or preferably, consult with legal offices that provide specific language consultancy services.

Any e-shop that processes personal customer data must comply with GDPR. Basically, any organization with at least 1 employee has to process personal data of employees, and hence it has to protect that data too.

With regard to the volume and sensitive nature of data being processed, we would say that employment agencies will have the obligation to designate a DPO. Even with small agencies the proprietor should take on this responsibility.

Term ”large scale” is not clearly defined in the regulation. According to guidelines from Working Party 29, ”large scale” is defined by several factors: number of individuals, data volume, duration of data processing, and territory range. One example of large scale processing is the processing of patients’ data as a part of routine hospital activities (unlike patient data processing by an individual doctor – this is not considered ”large scale”). Other examples of large scale processing are the use of search engines to target personal data for advertising, and processing customer data as a part of the routine sales activities of an insurance company or a bank.

The handling of personal data should be constantly monitored. Each company should decide for itself whether to designate an internal or external DPO. Your company will be legally responsible for all responsibilities under GDPR. Any third party involvement in data has to be contracted and due diligence carried out.

GDPR requirements apply to organisations, but actions involving data protection responsibilities also naturally pass on to employees who work with the data. All employees who handle personal identifiable information should undergo data protection awareness training.

If the processor has employees and hence processes their personal data, then the processor of course has to comply with GDPR. Such a company can then have two roles – for its clients it can serve as processor, while for its employees it serves as administrator.

According to GDPR, the obligation to protect personal data applies to both administrator, and processor (external company processing the data). Hence, both entities are responsible for their protection, since they both work with the data – even if the administrator only collects the data and sends it to the processor.

It depends on the legal purpose for processing his/her personal data. If the purpose is given by, for instance, a public interest, then the customer can not explicitly prohibit you from collecting the information. But by employing the right of subject access, the customer can raise an objection/question on why a particular type of information is being processed. The processing must always take place on the grounds of the customer’s consent – so the customer is the one who decides which data will be processed.

Yes, if it is possible to identify a particular natural person on the grounds of this information. Sole traders and partnerships are also treated as individual persons.

The management of personal data takes teamwork, but companies are obliged to provide contact information for only one person performing the DPO’s function. This will be the main contact person, for example, the supervisory authority.

First of all, it is necessary to examine the extent of ISMS to find out if it really applies to all kinds of personal data processing in the organization. One of the important points within ISO 27001 is compliance with legal acts – including GDPR. Last but not least, GDPR does not apply to personal data security alone, but also to many other areas (rights of data subjects, transfer of personal data abroad, etc.) – so make sure that the processes are also set correctly when it comes to these areas.

Yes, video surveillance systems also process personal data (identifying activities of a natural person), so they also come under GDPR. Getting permission of the people is of course not physically possible in these cases. That is why it is important to identify the legal base for the processing of video recordings, and then choose a transparent approach towards the privacy of citizens (the primary condition being suitable notification in the monitored area). Further GDPR requirements are of course valid.

If there is no legal act that requires you to archive personal data, then you should delete them from all memory files, including archives.

Providers of these kind of services of course have to ensure compliance of their services with GDPR. Both Google and Microsoft have recently announced that they are working hard to bring their services into compliance with GDPR. However, it’s important to mention that by using these services you are not automatically freeing yourself from your own responsibility for complying with GDPR. GDPR impacts your whole organization and by just transferring all personal data to G-Suite you are not doing enough to comply with it.

Certainly, yes. An employee is a natural person and if a record of his/her attendance is unambiguously connected with his/her identifier, then it is considered to be personal data.

Each company determines the rules of selection procedures itself, but it has to meet the obligations set by GDPR about handling and processing personal data. We are not sure what exact kind of documents the question is referring to, but companies are obliged to protect all documents that contain the personal data of natural persons.

Yes, GDPR does apply to information collected before May 25th, 2018. We recommend you to revise all consents gathered up to this point, and to make sure they are unambiguous and designated for the particular purpose of processing. If data have to be processed for some other legally ordained purpose (for instance public interest), then the consent is not required. It could be useful to run a company audit of legal titles which the data processing is based on.

If the information is publicly accessible on the website of the person in question, so that people can contact him/her, you don’t have to ask the person for permission. But if you intend to use this piece of information for other reasons (let’s say direct marketing of your services), then we recommend asking for the person’s consent.

In the case when archiving is demanded from you by a particular legal act, the right to be forgotten does not therefore apply to these records.

To answer the other part – by using either of the two options you named, you do not transfer the burden of GDPR to anybody else. It is you who is considered to be the data administrator and who carries the responsibility for GDPR, the provider remains solely a provider.

It’s anticipated that compliance with GDPR will, with time, become one of the audited items in companies. The ICO advise that companies need to audit their existing data and if they process large amounts of personable identifiable information that they also conduct a Data Protection Risk Assessment. If called upon to provide evidence of compliance these documents along with specific consent will form a key part of a regulatory request for information.

Yes, but this consent has to be recorded and documentable for cases of a control by a supervisory authority, and it has to meet all the GDPR requirements for correct consent granting.

Anonymization is not required for every scenario of handling personal data. GDPR article #32 doesn’t provide a complete list of scenarios for anonymization– it is rather a list of areas your company should focus on. If a specific law applies to your business then you should follow it.

GDPR can cost you up to 4% of global turnover in fines (or $20,000,000, whichever is higher), along with bad publicity and class action lawsuits. It affects everyone worldwide, not just organizations based in the EU, so senior management needs to take it seriously.

The GDPR provides users (data subjects) with the right to demand data controllers (the organisations holding the data) provide their data back to them, in machine readable form. You have to provide this data at no charge and within 30 days of the request.

Data subjects can demand that their data be deleted, the only exception would be contractual and legal grounds, such as HMRC , Police etc..

There are many areas that cover data collection, consent, data use and the length of time data is kept. Often, marketing departments are not sure of the rules. You need to be able to answer a regulator asking “where did you get the data and how did the data subject agree to it being collected?” additionally are collecting only the data required to process the purpose for which it is being collected?

Assuming you are a data controller (someone who collects data, such as through a web site), you are responsible for the safe keeping of that data no matter who is handling it.  You are ultimately responsible if a data processor (outsourcer or cloud provider) loses that data. Are you sure of their policies, procedures, and technology to keep it safe?

You don’t want to be informed of a data loss incident from the users themselves or from the data protection authority. Do you have technology that can detect breaches that have taken place, forensics available to investigate how the data was lost (or changed), and can you go back in time with full user logs and identify the incident to understand its scope and impact?