GDPR Compliance Service
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a pan-European law that intends to strengthen and unify data protection for all individuals within the European Union (EU). It also covers the export of personal data outside the EU. The main objective of the GDPR is to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
When does the GDPR apply?
The GDPR applies if:
- Your company processes personal data and is based in the EU, regardless of where the actual data processing occurs.
- Your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU.
Non-EU based businesses processing EU citizens’ data have to appoint a representative in the EU.
When doesn't the GDPR apply?
The GDPR does not apply if:
- The data subject is deceased.
- The data subject is a legal person.
- The processing is performed by a person acting for purposes which are outside their trade, business or profession.
Why is it important?
This regulation aims to protect the personal data of European Union citizens and covers all entities that process EU citizens’ data. Citizens have the right to access the data that an entity holds about them, the right to be forgotten and the right to explicit consent. In other words, citizens have greater rights than before, while giving companies new obligations, like the mandatory reporting of security breaches within 72 hours.
What if a company breaches the GDPR?
The GDPR includes significant fines for those who don’t comply. Penalties are the greater of €20,000,000 or 4% of a company’s turnover. In addition, it may entail a prohibition on processing personal data, which may prevent the processing of invoices.
Process of complying with GDPR?
- Company data collection. We study the traceability of data and the electronic devices used, among others.
- Recording of processing activities.
We will generate and update the Register of Processing Activities, which contains information on:
– The processing of the data and the personal data processed
– The recipients of the data
– The deadlines foreseen for their deletion
– The purpose of the processing
– The technical and security measures adopted by the company to carry out the processing.
- Risk assessment report. We will provide a GDPR compliance information checklist for the client to complete on the company’s data processing and activity.
This risk assessment allows us to generate the necessary legal documentation, as well as to update it regularly so that the company remains compliant. We also propose any security measures that need to be implemented.
- Review and drafting of clauses, contracts and documentation. Review and drafting of all types of documents that include personal data processed in accordance with the GDPR.
- Drafting of all necessary documents. Drafting of the documentation needed to comply with, and be able to demonstrate, the principle of proactivity, as well as other obligations.
- Training of staff in data protection. This ensures that the security protocols implemented in the company are actually followed.
Frequently Asked Questions
Yes. It covers any company or organisation that processes personal data (whether of its employees, customers and/or suppliers), regardless of size or the volume of data it handles.
This is a good starting point, but the GDPR establishes new obligations. Therefore, you will have to review them and adapt your privacy policies to the new Regulation.
Yes. Also, it’s important that your suppliers comply with the GDPR and that you work with trustworthy brands.
Yes. All companies that offer goods and services and handle data of EU citizens must comply with the regulation, even if you are based outside the EU.
It depends if the data subject has given you their express consent to transfer their data. Have you informed them of the risks involved in transferring their data to a country that lacks adequate safeguards?
Also, do you need to communicate the information in order to perform or execute a contract between your company and the data subject? If not, do you have the authorization of the Spanish Data Protection Agency?
This means it is up to the company to decide what security measures are in place to protect the data and privacy of individuals. The business must also show that these measures are effective and comply with the regulation.
The new regulation requires that data be collected for a specific purpose and that only the minimum amount of personal data necessary for legitimate processing purposes be collected. You should analyse what measures, both technical and organisational, your company has in place to avoid jeopardising the rights and freedoms of data subjects.
The person who is receiving the advertising or promotions must have given their express consent. It is no longer sufficient, for example, for you to have a pre-ticked box in which they give their consent.
Therefore, you must check that everyone whose details are held in your databases is aware of what data will be used and how. You need to ensure that they have given you clear approval. This requires a review of all the information clauses that have been used up to now.
No, it is no longer obligatory.
However, there must be a Register of Processing Activities, which documents who is responsible for the data and makes an inventory of the type of data, how it is processed and how it is protected.
If your company has more than 250 employees or processes special categories of data, like health or ideology, this register is mandatory. Smaller businesses don’t need to do this but it is recommended as it demonstrates that you comply with the GDPR.
This person is designated by the company, internally or externally, to supervise, coordinate and disseminate your data protection policy. In addition, they liaise with the Spanish Data Protection Agency.
Their appointment is only mandatory in certain cases, for example: if you are a public body or company (except the courts); if your company conducts regular and systematic monitoring of people on a large scale, such as internet tracking, locating users through apps, profiling, scoring or loyalty programmes; or if you handle large-scale data on people concerning sensitive subjects, like health, ideology and sexual orientation.