What is GDPR and what do I need to know?
Are you ready to meet the requirements of the new General Data Protection Regulation (GDPR)?
The article we have prepared today gives the answers to the most frequently asked questions about the GDPR. Maybe you own a company, maybe you are just an end-user. Whatever the case, don’t stop reading, because the answers you are looking for might be given below.
What is GDPR?
GDPR is the new General Data Protection Regulation. It was adopted on April 27, 2016, by the European Union to control the processing, storage, and usage of individual personal data by other individuals, companies, and organizations.
When does GDPR come into force?
The new Regulation comes into force on May 25, 2018. Anyone who processes personal data is required to comply with the applicable laws. If not, the penalties may reach up to 20 million euro or 4% of the annual company turnover for the previous year (the bigger amount of both should be paid).
How much is the minimum fine in Bulgaria regarding GDPR?
It is not yet 100% sure, but the Bulgarian legislation foresees a minimum fine of 10,000 BGN if you do not cover the new GDPR regulations. This is disputed in a public discussion.
Whom does the new General Data Protection Regulation apply to?
The new General Data Protection Regulation applies to any company/organization that is registered in the European Union and processes personal data. Or monitors individuals, regardless of where exactly the data is being processed and whether or not this is the main business activity of the company or of any of its branches.
Does GDPR apply to non-EU companies?
Yes! Every company that offers products and services to EU citizens and processes their personal data, irrespective of its location, is obliged to follow the rules and regulations laid down in the new General Data Protection Regulation.
What does personal data mean?
According to the Regulation personal data means any type of information about an individual, which is identified or could be identified, for example:
- first name;
- family name;
- ID number;
- national identification numbers;
- telephone number
- personal address;
- IP address;
- and more;
More information can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
What is meant by personal data processing under GDPR?
The definition of personal data processing is quite broad. It includes many activities such as collecting, storing, changing, sharing, exchanging, etc.
What are my rights as an individual under GDPR?
The General Data Protection Regulation gives the following rights to subjects, whose personal data is being processed:
- The right to be informed in a completely transparent manner about the ways in which companies and organizations are processing personal data.
- The right of access to their personal data at any given moment
- The right to rectify, update, change personal data when it is incomplete or incorrect
- The right to erase their personal data, widely known as “the right to be forgotten”
- The right to restrict the processing of personal data
- The right to data portability, which means that every individual is entitled to use their own personal data in a way they deem suitable as well as to share it with other data processors and controllers.
- The right to object to the ways in which their personal data is being processed and used. This is also valid in the case where personal data is being used for marketing and advertising purposes, research, etc.
- Right not to become the subject of an automated decision making and profiling stemming from the processing of personal data. This way subjects are protected against bearing the consequences and responsibilities of an automated decision made without the involvement of another human being.
What are my legal obligations as a company/organization/personal data processor under GDPR?
The new General Data Protection Regulation introduces new rules and obligation for everybody who processes and stores personal data. Here are some of them:
- GAP analysis – an analysis that aims to determine does a specific company/organization (which is a personal data administrator/processor) meets the GDPR requirements. The analysis can be done internally – in the company or externally – with the assistance of a consultant or a consulting company;
- Processing and reporting – All personal data must be processed according to the principles laid down in GDPR and this must be proved at all times.
- Protection – Individual personal data must be protected against violation at every stage of its processing and use.
- Data Protection Officer (DPO) – Each company/organization/personal data processor must appoint a Data Protection Officer if:
– its main business activities are related to the processing of personal data on a large scale or to the regular and large-scale monitoring of individuals. This includes tracking and profiling of individuals on the Internet (even for advertising purposes). Including banks and financial institutions, telecommunication operators, GPS service providers, video surveillance (CCTV services), behavioral ads;
– if the administrator has more than 250 recruited employees.
– if the administrator processes personal data of more than 10 000 individuals
– if the administrator processes special or so-called “Sensitive” personal data on a large scale – such as all hospitals, health establishments, pension and insurance companies
– when it comes to public authorities except courts in performing of their judicial functions. The official data protection officer (DPO) should have had the relevant training and the organization itself will tell how much he/she meets the new regulations. It is advisable to have a good knowledge in the field in which he/she works. As well as good practices for the protection of personal data.
-This obligation can be “outsourced” and an external DPO appointed;
- Impact assessment – An impact assessment on the protection of personal data and consumers has to be done once every two years;
- Risk assessment – an assessment is made to show the potential risk of loss of personal data or breakthrough/hacking in the protection of the organization and the potential damage;
- Notification – Data processors are required to notify Data Protection Authorities if any breach to the processing of personal data has been identified.
- Assessment – An assessment of the impact on personal data protection is mandatory.
- Consultation – If the assessment shows that the risk is high and the data processor does not take the necessary precautions to reduce it, the data processor is obliged to have a consultation with the Data Protection Authority before processing any personal data.
- Security – Personal data security must be ensured at all times and, if necessary, the appropriate technical and organizational measures should be implemented. For this purpose, each company must have updated internal rules and policies compatible with GDPR;
- Documentation – Each company must keep strict documentation (or register) and document the listed obligations above. This task is a responsibility of the Data Protection Officer (DPO). Also, logs about what’s happening on a particular website need to be kept.
- And more.
What information must I provide to the subjects whose personal data is being processed?
No matter what business activity you do, be it online or offline, you must inform the subject whose personal data is being processed about the following:
- Who are you and does your company/organization do
- Contact details of your company, as well as the contact details of your Data Protection Officer (if you have appointed one)
- Why you collect and process personal data and what exactly it will be used for
- What categories of personal data you collect
- On what legal grounds you process personal data
- For how long their personal data will be stored
- Are you going to share their data with third parties
- Will their data be transmitted outside the EU
- Explicitly state their rights with regard to personal data processing (right of access, information, etc. mentioned above in our article)
- And more
How will GDPR affect your online business?
The new General Data Protection Regulation was enacted for the purpose of protecting the rights of the sides participating in the exchange of personal data online. In other words, under GDPR the interactions and relationships between any business and its customers are facilitated and the flow of information between the parties is secured.
Thus, personal data protection is guaranteed, data abuse and Spam (unsolicited or undesired electronic messages) are reduced considerably.
What changes should I make if I have a website that collects personal data?
After doing a GAP analysis to determine the extent to which you meet the new requirements (mentioned above in the article), they should also be included on your website. Every website user/visitor must explicitly agree to have their personal data processed.
You must also:
- Update your “Terms of Service“. * We advise you to consult a lawyer regarding this topic!
- Enable users to disable cookies, tools and other technology which collect their personal data
- Ensure that users are able to have their personal data deleted from the database of your online store or another type of website. As already mentioned, provide them “the Right to be forgotten”.
Who will monitor the compliance with GDPR?
The full list of Data Protection Authorities per country can be found here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
Where can I get more detailed information?
You can find more information about the new General Data Protection Regulation (GDPR) here: https://ec.europa.eu/info/law/law-topic/data-protection_en
You can download the entire regulation here:
Speedflow Bulgaria advise you to consult with a lawyer about creating your new company texts, rules, and policies. As for the technical implementation on your website, we are at your services.
Do not hesitate to contact our team if you have any questions. We guarantee that our customers’ personal data is fully protected and processed in compliance with the new General Data Protection Regulation (GDPR).
November 23, 2018
November 16, 2018