Many people kept asking GDPR Faqs. We compiled those frequently asked to help you out.

GDPR FAQs - General

What exactly is the GDPR?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

When does the GDPR comes into effect?

The GDPR was approved on April 2016 with a transition period of two years. On May 25th of 2018, this regulation comes into effect.

Who this regulation aims to protect?

This regulation is for the individuals, the data subjects. It focuses on protecting people’s personal data and on a simpler regulatory environment for businesses. The purpose is to ensure that the data subject is the rightful owner of their personal data and its rights are ensured, whenever it is.

What companies will this regulation affect?

Every company that collects, holds and processes personal data by any means and for any purposes, either it is from its customers, employees or partners. Virtually every company, since even the most simple business, makes use of digital payments and uses data for HR purposes.

Will GDPR affect my company? Do I have to comply?

If you answer YES to at least one of these questions, then you should comply with GDPR.

Do your company collect data from its customers?

Do your company collect data from its employees?

Do your company processes digital payments? (Credit cards)

Do your company reach out to customers, partners or employees by email?

Do your company reach out to customers, partners or employees by mail?

Do your company reach out to customers, partners or employees by telephone?

Do your company send products to customers, vendors or partners by post mail?

Where does the GDPR apply?

The Spatial Scope is regulated in Art. 3 GDPR. It states that the General Data Protection Regulation applies to all 28 EU Member States and to companies and organizations outside the EU, as far as the processing of data concerns EU citizens. It does not matter if the person is in the EU in the short or long term. Citizenship or status as a Union citizen does not matter here. This spatial scope of application can’t be subsequently changed by contract. Also, it does not matter what kind of service or products companies or organizations offer. The only decisive factor is whether personal data is collected and processed by EU citizens.

For whom does the GDPR apply?

The General Data Protection Regulation applies to individuals and entities of all sizes who process personal data of EU residents, regardless of where the processor is located. These rules also apply to data processors and data processors, including third parties such as cloud providers.

Does the GDPR make any difference betwen B2B and B2C?

The GDPR does not differentiate between B2B and B2C, it applies equally to both. The background to this is that the General Data Protection Regulation applies to the protection of individuals rather than legal persons.

The above part was genericGDPR Faqs. We'll dive deeper now into specific questions.

GDPR FAQs - Authorities

How will the regulation be enforced?

After May 25th, 2018, organizations that fail to comply with GDPR can be audited and suffer sanctions due to claims from data subjects that feel their personal data rights were or are being violated - or used for different purposes than the ones consented - by that organization. Moreover, those audits can happen randomly or by complaints, depending on the approach taken by each European Union member, which is responsible for the businesses established on its country and is under the European Commission supervision.

Who is my data protection authority?

Every European Union and the EFTA member assigns a national organization/commission/agency/bureau/authority that is in responsible for GDPR enforcement inside each country’s border by providing information and support, but also auditing and issuing sanctions and fines. Their status was formalized by the Data Protection Directive. Here you find the list of all the websites for each and every National Authority in EU:

Czech: Republic
The Netherlands:
United Kingdom:

Whatever violation happens, the authority from the country where the company involved is established physically or legally is responsible. For example, anyone who sells internationally as an online retailer may already have heard something about the new one-stop shop. This allows EU citizens to always turn to their own data protection authority for complaints - the data protection authority in their country. ATTENTION: This applies regardless of where the privacy violation happened.

The above part was generic GDPR frequently asked questions on authorities. We'll dive deeper now into specific questions for data subject.

GDPR FAQs - Data subject

What are the rights does the GDPR grant for the EU Residents?

Initially, the only way companies can have access and control over any data is by consent. Then, the subject of that data have three main rights granted:

Right to access: Every EU resident has the right to know what personal data any company is holding and/or processing, by request.

Right to erasure: Every EU resident has the right to require the deletion of all the data - which it has granted access - held or processed by any company.

Right to data portability: If a data subject wants to change to a new service provider, it can ask for the former to send all its personal data its data to the new one in a standard, machine-readable format.

What is consent for data processing?

While collecting data, the company has to make it clear the purpose it is doing so. Any activities performed with that data has to be described on the terms of the consent, which has to be accepted by the data subject will be the legal basis for any processing.

The consent must be explicit for data collected and the purposes data is used for (Article 7; defined in Article 4). Consent for children must be given by the child’s parent or custodian, and verifiable.

What is the extent of consent?

Data controllers must be able to prove "consent" (opt-in), and consent may be withdrawn whenever the data subject asks for.

Do I always need consent?

In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.

You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.

It’s your responsibility to identify a lawful basis for processing under the GDPR

The above part was generic GDPR Faqs on data subjects. We'll dive deeper now into specific questions for GDPR measures.

GDPR FAQs - Measures

What quick measures should my company take?

Initially, look for professional advice. It does not need to be a lawyer, there are plenty of other professionals specialized in the GDPR that can help you comply. Moreover, online solutions for GDPR compliance like Ecomply’s will help you with guidance and can simplify the work very easily.

What is the Records of Processing Activities?

For GDPR compliance, one of the main requirements is that every company shall maintain a detailed description of every activity that somehow processes personal data. These descriptions are called “records” and will provide an overview of all data processing activities within your organization. It enables the company to understand what kind of data categories are being processed, by whom and for which purposes. It is called records of processing activities.

What is a Data Protection Officer(DPO)?

Data Protection Officer is the professional responsible for the data protection activities and measures inside the company. He/she holds the security leadership role in charge of overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. Here is our complete guide on how to hire a data protection officer.

What is a virtual DPO?

It is an external Data Protection Officer that provide online assistance to a company. It can be one or a group of people with different specialties offering the service as a unit. In this approach, a specific person should be nominated as the lead of the DPO function.

What is a Data Processing Agreement? When is it needed?

When the processing activities are outsourced, which means it is performed by other than the controller’s company -, there must be set a contract between the parties called the Data Processing Agreement. The agreement must set out the subject matter and duration of the processing, the nature, and purpose of the processing, the type of personal data to be processed, the categories of data subjects and the obligations and rights of the controller.

What does it mean by ”Secure by Design”?

A process inside the company or a software developed or purchased by the company will be “secure by design” when, in the process of its development, data protection was taken as a key aspect and requisite, and all the data that goes through it can be tracked, the processing is understandable and under control and has tools that grant the rights of access, deletion and portability for data subjects.

How are CCTV Security System affected by the GDPR?

Recordings of videos are under GDPR regulations because it can be used to track and identify persons. It is important to have a clear purpose for that matter, as well as consent from the persons being recorded.

How will Employee E-MAIL Inbox be affected?

Each email account of each employee is private and contains personal data. For the company to have deliberate access to it, the employee must give explicit consent. When an employee leaves the company, the company can either forward incoming messages to a particular address appointed by that user or ask for permission (consent) to access that those new messages.

The above part was generic GDPR Faqs on measures. We'll dive deeper now into specific questions of data classification.

GDPR FAQs - Classifications

What is the difference between Personal and Sensitive Data?

Personal data is referred to any information related to the data subject, that can be used to directly or indirectly reveal his/her identity.

Sensitive data is referred to the information related to the data subject’s fundamental rights, intimacy, and free will. Examples of these are health records, religious beliefs, political opinion, biometric data or genetic data.  

GDPR FAQs - Penalties

What are the Penalties?

Under Article 83 (5) GDPR, the maximum penalty for companies and organizations for failure to comply with the General Data Protection Regulation can amount to up to € 20 million or 4% of the annual worldwide turnover, whichever is greater. According to Art. 83 (4) GDPR, there is a graduated approach to fines, for example, a company can be convicted with 2% because it does not keep its records in the correct order (Article 28).

GDPR FAQs - Germany

Who is the "Responsible Person" and which duties does he/she have?

A controller is a "natural or legal person, agency, institution or another body" that processes personally identifiable information for its own purposes. It decides "on the purposes and means of personal processing data" (Article 4 (7) DS-BER).
However, the decision on the purposes and the protective measures must be within the framework of the provisions of the DS-BER. In general, the data processing purposes are based on the business case, e.g. For example, in the context of accounts payable and accounts receivable.
The protective measures for the personal data must be selected according to the respective protection needs. The controller must ensure the lawfulness and purposefulness of the data processing as well as the rights of data subjects whose data is processed. He must also demonstrate compliance with the GDPR.

What does it mean by "Processor"?

A processor is a 'natural or legal person, public authority, body or organization other body processing personal data on behalf of the controller "(Article 4 (8) DS-GMO). The processor processes the personal data only in the context of instructions of the person responsible. He takes appropriate technical and organizational measures to protect the data.

Comparing to the previous regulations, What are the key changes for those responsible?

A processor is a 'natural or legal person, public authority, body or organization other body processing personal data on behalf of the controller "(Article 4 (8) DS-GMO). The processor processes the personal data only in the context of Instructions of the person responsible. He takes appropriate technical and organizational Measures to protect the data.

What has remained the same for the most part?

Already existing data protection principles such as earmarking, data minimization and Transparency is preserved. From 2018 on, data processing will continue to have a legal basis, eg. "Contract fulfillment" or "consent of the person concerned" necessary.  The essential legal bases for data processing remain: One today permissible data processing is also expected from 2018.

Does the provisions of the GDPR only apply to the newly acquired data and applications?

No, the new regulation includes all existing and new data and applications. That means the GDPR also uses data stored in advance. Compliance with the regulations must, therefore, be checked for all - old as well as new - processing. The following issues should be considered, for example:

- Does the existing documentation of the data processing processes correspond to the new data protection requirements?

- Will the extended information requirements be provided within the existing privacy policy fulfilled?

- Are the formal requirements for informed consent complied with?

- Does the existing risk management process take into account the demands to determine suitable technical-organizational protective measures?

Do I still need a Data Protection Officer?

According to the current status, a data protection officer will continue to be needed in Germany if at least ten people in the company are engaged in automated data processing.

Who is responsible for the GDPR Compliance in the company?

Even if a data protection officer is appointed, the responsibility for compliance lies with the GDPR exclusively. The data protection officer (DPO) advises and supports only in the implementation.

ECOMPLY is a GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.

Hauke Holtkamp, CEO ECOMPLY GmbH