Here is a list of some frequently asked questions from our clients. If you don’t find the answer you seek, please feel free to contact us.
General Data Protection Regulation (GDPR) is the Data Privacy Regulation in the European Union (EU) for Personal Data Protection.
It has been in effect since 25 May 2018. The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation took effect after a two-year transition period and is binding on all companies and public authorities that process data of living persons.
The regulation applies to the collection and use of Personal Data of any individual (living natural person) in the EU region. “Personal Information” includes (but is not limited to) name, contact information, address, designation, location, etc. “Use” includes contacting, storing, analyzing, etc.
The regulation is established by the European Union Council.
The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.
National bodies are set up in each member state for GDPR and Data protection:
The European Commission has appointed a Data Protection Officer (DPO) who is responsible for monitoring the application of data protection rules in the European Commission.
The GDPR regulation contains 173 Recitals and 99 Articles.
The articles constitute the legal requirements organizations must follow to demonstrate compliance.
The recitals provide context, additional details and insight into the purpose and functions of the Articles.
Depending on the level and seriousness of non-compliance, and privacy infringements, Controller or Processor organizations can face significant administrative fines and other penalties.
The GDPR sets a maximum fine of €20 million or 4% of annual global turnover – whichever is greater – for non-compliance and/or infringements.
However, not all GDPR non-compliances or breaches will lead to administrative fines. Supervisory authorities in the respective member states can take a range of other actions, including:
- Issuing warnings and reprimands.
- Imposing a temporary or permanent ban on data processing.
- Ordering the rectification, restriction, or erasure of data; and
- Suspending data transfers to third countries.
No. The regulation is intended to ensure that EU personal information is collected and processed only for lawful purposes, in a transparent manner, with data subjects given the necessary rights over that processing.
Processing is considered lawful when at least one of the specified legal bases applies to every collection and processing of the personal data. The six applicable legal bases listed in Article of GDPR are:
- Consent from data subject
- Performance of contract
- Legitimate Interest
- Vital interest of data subjects or other individuals
- Legal requirement
- Public interest
Storage limitation is one of the Data Protection Principles adopted by GDPR (refer to Article 5). As part of that, GDPR mandates that ‘personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’. However, the regulation does not specify a duration or specific limit for retention of personal data. (There are some exceptions for certain archiving activities for scientific or historical research or for statistical purposes.)
Effectively, compliance with the ‘storage limitation’ principle means that controllers and processors delete or return personal data, or retain it only in a de-identified or anonymous form, once the purpose and/or legal basis on which the data was collected is no longer in effect or valid.
Yes. GDPR applies to all countries (member states) that are part of the EU. GDPR also covers European Economic Area (EEA) countries, such as Iceland, Liechtenstein, and Norway.
No. The regulation applies to personal data of any living natural person in EU.
For example, the collection and processing of personal information of an Indian or American citizen living in one of the member states of the EU will fall under the GDPR compliance requirement.
No. The regulation applies to personal data of any natural person in EU.
Processing of personal information of an EU citizen or resident while they are outside the EU region, for example during travel, a visit or residence outside the EU, will not be covered by the GDPR regulation.
No. The regulation applies to any entity that is processing EU personal data, irrespective of the location.
For example, when a US based organization collects and processes personal information of natural persons located within EU, GDPR applies to that scenario.
Yes. GDPR applies to the collection and processing of personal information by government and public sector organizations and agencies.
The GDPR regulation and its compliance requirements overall do not provide an exception based on the size of the data controller and/or processor. However, some minor derogations are provided under Article 30 for organizations with fewer than 250 employees regarding the maintenance of records of processing, subject to specific conditions.
Yes. If the employee is a person based in EU, then that person will be considered as a Data Subject and the employer as Data controller, with respect to processing of his/her personal data.
Consent represents the Data subject’s wish and/or willingness for processing of his/her personal information in a specific context.
GDPR defines the consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
No. Consent from Data Subject is one of the forms of legal basis of processing.
The other forms of legal basis that make the collection or processing of personal information lawful are:
- Performance of contract
- Legitimate Interest
- Vital interest of data subjects or other individuals
- Legal requirement
- Public interest
No. Specific consent / opt-in is required from the user under GDPR. Silence or no response will be treated as no consent, by default.
No. However, where consent is the legal basis for processing for a specific purpose, the same data cannot be processed for a different purpose. For example, if consent is received while collecting the personal data for sending newsletters, the same personal data cannot be used to send information on new products/services – unless specific consent is received from the individual.
The consent should be:
- Informed, freely given
- Specific and unambiguous
- Data subject should have an option to withdraw the consent at any point
- Data controller should be able to demonstrate that consent has been provided.
In outbound reach to a data subject to seek consent, it should be ensured that the person’s contact is not listed in any do-not-contact registry of the respective country/region before making first contact with them to seek consent.
No such timeframe is defined by GDPR.
The data controller is the organization that decides what personal data is to be collected, and how and for what purpose it is going to be used by the organization. A data controller may process the data using its own systems and resources. In many instances, however, a data controller may need to work with third-party and external service providers.
GDPR defines the Controller as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Yes. Any organization that deals with EU personal data in a way that fits the definition of Controller will be treated as a Data Controller under GDPR.
For example, companies that are registered in countries outside the EU but target the EU market or deal with information of natural persons in the EU might become a Data controller.
A data controller is primarily accountable for protecting the rights of data subjects and complying with the articles of GDPR. While a controller can engage a processor to collect and/or process personal information on its behalf, the controller cannot transfer its compliance obligations through such an arrangement.
While both Data controller organizations and Data processor organizations have independent compliance obligations under GDPR, the Data controller is accountable for ensuring the compliance of all Data processors it engages, for the specific context of Personal Data processing for which it is the Data controller.
A Data Processing Agreement (DPA) is a legally binding contract to be entered into between the Data Controller and the Data Processor in writing or in electronic form. It details the particularities of data processing – such as scope, purpose, technical details of transfer, security, audit rights, governing law and liabilities that may affect the controller and the processor.
No such timeframe is defined by GDPR.
Wherever the controller is engaging and using a Data Processor, it is mandatory to have a DPA signed by both parties, the Data Controller and the Data Processor.
The data processor is the organization or party that processes personal data on behalf of a Data controller. This means this organization or party is not deciding the purpose or modes of the collection and processing of the personal data.
GDPR defines Data Processor as: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
A controller is the entity that determines the purposes, conditions and means of the processing of personal data. The processor is an entity which processes personal data on behalf of the controller.
Yes. Under GDPR, any organization that is processing EU personal data is directly required to comply with the regulation, whether in their role as Data Controller or Data Processor.
Yes. Organizations providing technology solutions like SaaS, Cloud, Hosting etc. will be treated as a Data Processor under GDPR if EU personal data is being stored/processed within their systems/infrastructure.
Yes. Data processors carry accountability for any breaches that may occur during processing through sub-processors. Hence it is necessary to have comprehensive contractual agreements and periodic audits.
Yes. Transfer of personal data from EU to other regions is allowed only under specific conditions.
Refer to Article 44 and Recitals 101 and 102 for details.
The European Commission has the power to determine, on the basis of article 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection.
The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.
In other words, transfers to such a country will be considered equivalent to intra-EU transmissions of data, and hence compliant under the regulation.
In the absence of an adequacy decision, a data transfer outside the EU can happen in a compliant manner only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
These safeguards are specified in the Article 46 of GDPR and include:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules in accordance with Article 47;
- standard data protection clauses adopted by the Commission
- standard data protection clauses adopted by a supervisory authority and approved by the Commission
and so on…
Yes. GDPR allows the data transfer to another country, if the data subject understands that you are transferring his/ her data outside EU, the risks and consequences of such a transfer, and unambiguously indicates his or her agreement for such a transfer. So, the process of consent taking in such cases will need to include specific notification of the risks and consequences to the data subject.
There are 8 fundamental rights of individuals under GDPR. These are:
- The right to be informed – Organizations must be completely transparent in how they are using personal data.
- The right of access – Individuals will have the right to know exactly what information is held about them and how it is processed.
- The right of rectification – Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to having their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
- The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
- The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
- The right to object – In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
- Rights related to automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.
Under GDPR, the Data controller has to provide an effective and adequate mechanism through which Data subjects can request and/or exercise their rights within the timeframes and other compliance requirements of the regulation.
Yes. The right means that. However, unlike other rights, the Right to erasure is NOT a fundamental right under GDPR.
The Data controller has an obligation to delete the data ONLY if any of the specific conditions specified in Article 17 applies. These include:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
- the personal data have been unlawfully processed;
and so on.
Article 17 also specifies additional conditions under which the erasure will not be mandated, such as:
- for exercising the right of freedom of expression and information
- for compliance with a legal obligation which requires processing
- for the establishment, exercise or defence of legal claims
and so on.
Processing of personal information of any person at least 16 years of age is permitted by default under the regulation.
Parental consent or authorization is required to process the personal data of children under the age of 16. EU member states are given the option to legislate for a lower age of consent, but not below the age of 13.
Personal information of sensitive nature is classified as “special category data” in GDPR.
Article 9 of the regulation prescribes that “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited”.
The processing of special category may be performed under specific conditions only.
By default, Sensitive or Special category data should not be processed. However, there are specific conditions that allow processing of data in this category, such as:
a) Data subject gives explicit consent
b) to protect vital interests of the data subject or another natural person
c) personal data which are manifestly made public by the data subject (for example on a blog or social media site)
d) processing is necessary for legal claims
e) processing is necessary for reasons of public interest in the area of public health (for example in case of a pandemic or national emergency)
f) processing is necessary for the assessment of the working capacity of the employee (for example, where clear eyesight, allergies etc. need to be monitored in a specific work environment)
The Data Protection Officer (DPO) is NOT a mandatory role in all cases under GDPR.
However, under certain conditions it is required or recommended to appoint a DPO for assessing and ensuring compliance to data protections laws.
Refer to Article 37 for more details.
It is required to appoint a DPO in case personal data processing is carried out in any of the following conditions:
- by a public authority
- monitoring or processing on a large scale
- large scale of special categories of personal data
- data relating to criminal convictions and offences
Yes. The DPO role may be assigned to a member of staff within the organization who reports independently to senior management, or to someone from an outside organization.
No. The DPO role can be assigned to a person carrying other roles in/for the organization, or a person can act as DPO for more than one organization, as long as the other roles and responsibilities do not interfere with performing the DPO role effectively and there are no conflicts of interest.
Profiling refers to any form of automated processing involving the use of personal data to evaluate certain personal aspects relating to a natural living person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Yes. Automated processing of personal data (including profiling) is permitted under GDPR, with certain checks and conditions to be met. Refer to Article 4 and Recital 71 for details.
No. Except under the specific conditions of the prior consultation requirement (refer to Article 36), there is no requirement under GDPR for the Controller or Processor to register with or notify the Authority prior to data processing.
No. GDPR doesn’t mandate any periodic reporting of processing or compliance by the Controllers or Processors.
No. Unless required in specific cases, there is no requirement or process of audit by the Supervising authority for compliance.
No. There is no mandatory third-party verification of compliance mandated by GDPR for Controllers and Processors.
No. As of now, there is no designated and accepted certification that demonstrates compliance with GDPR. However, the EU Commission is planning to establish data protection certification mechanisms and approve data protection seals and marks for the purpose of demonstrating compliance with this Regulation in the future.
Currently, the European Data Protection Board (EDPB) does not recognize a specific Certification or Code of conduct towards compliance with GDPR or any articles within.
However, companies who have Information Security Management Systems (ISMS) controls implemented and certified for Standards such as ISO/IEC 27001 will find it easier to comply with Risk Assessment and Security controls mandated by Article 32 of GDPR.
No. Recital 47 of the regulation states that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. However this is subject to the Right to Object for the Data Subject. If an individual objects to use of personal information for direct marketing, then the rights and freedom of a data subject overrides this legitimate interest basis for processing.
Please refer to Recital 47 and Articles 21 and 70 for further details.
Yes. However, the freedoms and rights of data subjects override the company’s legitimate interest to do business. Hence, it is also recommended to check the “Do-Not-Disturb” registry status of the data subject’s contact before making any cold contact, and to try to obtain the consent of the data subject as early as possible. The Data Subject should be given a clear right to object to such processing.
Anonymization is the process of removing any attribute(s) that uniquely link a set of data to a living natural person.
‘Pseudonymization’ is defined as: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
In Anonymization the linkage of the personal data to a living natural person is permanently removed. Such data is no longer personally identifiable information, and hence does not fall under the definition of Personal Data under GDPR.
In Pseudonymization, the linkage to the unique identification of the natural person is only temporarily masked/hidden. Hence, though this is an effective mechanism for protecting personal data, such data is still considered Personal Data under GDPR, and the compliance requirements apply.
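To make the distinction between the two techniques concrete, the following is an added example (not code from the FAQ or from the organization behind it). It pseudonymizes a small set of constructed, fictitious customer records by replacing direct identifiers with a keyed HMAC token, keeps the key and the token-to-identity mapping in a separate "vault" as Article 4(5) requires, and shows that destroying the mapping is what turns the data into something no longer attributable to a person. It also shows a simple anonymization that drops identifiers and generalizes quasi-identifiers. The record fields, the `PseudonymVault` class and the generalization bands are all assumptions chosen for illustration.

```python
"""Pseudonymization vs anonymization, illustrated on constructed records.

Key points the code demonstrates:
  * Pseudonymized data is still personal data: the vault can re-identify it.
  * The re-identification material (key + mapping) lives apart from the dataset.
  * A plain unkeyed hash of an e-mail address would NOT be adequate, because
    candidate addresses could be hashed and matched; a secret key prevents that.
  * Anonymization is one-way: no per-person link survives in the output.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample records (fictitious people) used as input for the example.
RECORDS = [
    {"name": "Anna Example", "email": "anna@example.org",
     "birth_year": 1984, "city": "Lyon", "purchase_eur": 42.50},
    {"name": "Bo Sample", "email": "bo@example.org",
     "birth_year": 1991, "city": "Lyon", "purchase_eur": 17.00},
]

# Attributes that on their own identify a person (assumed for this dataset).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(record: Dict, key: bytes) -> Dict:
    """Replace direct identifiers with a keyed token derived from the e-mail.

    HMAC-SHA256 with a secret key gives a stable token per person (so records
    of the same subject stay linkable for analysis) while preventing anyone
    without the key from recomputing or guessing the mapping.
    """
    token = hmac.new(key, record["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = token
    return out


class PseudonymVault:
    """Holds the HMAC key and the token -> identity table.

    This is the 'additional information' of Article 4(5): it must be stored and
    access-controlled separately from the pseudonymized dataset. Hypothetical
    helper written for this example.
    """

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.mapping: Dict[str, Dict] = {}

    def pseudonymize(self, record: Dict) -> Dict:
        out = pseudonymize(record, self.key)
        self.mapping[out["subject_id"]] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        return out

    def reidentify(self, subject_id: str) -> Optional[Dict]:
        """Possible only with access to the vault: proof the data is still personal."""
        return self.mapping.get(subject_id)

    def erase(self, subject_id: str) -> None:
        """Dropping the mapping entry (e.g. on an Article 17 request) removes the
        link; without key material the remaining token can no longer be attributed."""
        self.mapping.pop(subject_id, None)


def anonymize(record: Dict) -> Dict:
    """One-way transformation: drop direct identifiers, generalize the rest.

    Birth year becomes a decade and the purchase amount a coarse band, so the
    output cannot be linked back to an individual. Real anonymization must also
    assess re-identification risk across the whole dataset (e.g. small groups
    of similar records); the bands here are illustrative choices only.
    """
    return {
        "birth_decade": (record["birth_year"] // 10) * 10,
        "city": record["city"],
        "purchase_band": "under_20" if record["purchase_eur"] < 20 else "20_and_over",
    }


if __name__ == "__main__":
    vault = PseudonymVault()
    pseudo = [vault.pseudonymize(r) for r in RECORDS]
    print("pseudonymized:", pseudo)
    print("re-identified first record:", vault.reidentify(pseudo[0]["subject_id"]))
    vault.erase(pseudo[0]["subject_id"])
    print("after erasure:", vault.reidentify(pseudo[0]["subject_id"]))
    print("anonymized:", [anonymize(r) for r in RECORDS])
```

The pseudonymized dataset can be handed to an analytics team without names or e-mail addresses, but because the vault can re-identify it the data stays in scope of GDPR; only the anonymized output leaves scope, and only if the generalization is strong enough for the dataset at hand.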
No. All necessary information security controls are to be established by the controller and/or processor based on an effective Privacy Impact Assessment and risk assessment of the specific set of personal information and its context of processing.
Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.