GDPR: These obligations apply to companies

The GDPR is the primary source of data protection regulations in the European Union. Since then, uniform rules have been applied in all EU member states on the subject of data protection and data security.

This means more uniformity and clarity regarding global trade lines, but it also poses some challenges for companies. Companies have more obligations to fulfill due to the GDPR, and consumers have more rights. Fines have also been increased, making it even more imperative for companies to implement data protection regulations properly.

But what exactly is the content of the GDPR? Which obligations affect your company? How do you implement them correctly? And what rights do data subjects have? We answer the most critical questions about the GDPR in this article.

The most important facts in brief

• Since May 25, 2018, the GDPR has been applied throughout the EU. This is associated with uniform, strict rules for protecting personal data.
• Companies should deal with the changes in detail to avoid high penalties. Fines can be imposed up to 20 million euros or 4% of the annual turnover achieved in the previous financial year.
• The GDPR has given consumers far-reaching rights, for example, the right to access or delete their data. The right to data portability is also new.
• Personal data, i.e., data that provides information about the identity of natural persons, is exceptionally protected. 

What is the EU’s GDPR?

The General Data Protection Regulation, which came into force in May 2018, affects all countries in the EU. It applies to all companies whose products are sold to consumers in the EU and whose personal data is stored, processed, or transferred for this purpose.

There is no distinction between personal data in public, work-related, or private sectors. For example, the data of employees in a company is also covered by the GDPR, as is data in the B2B sector when business partners exchange personal data with each other. This means that almost all companies operating in the EU must comply with the provisions of the General Data Protection Regulation in principle.

The GDPR aims to protect natural persons when processing personal data. At the same time, a secure, responsible exchange of data is to be ensured. The previously applicable EU Data Protection Directive had not achieved this goal, so the European legislator felt compelled to issue a regulation.

What is personal data?

Personal data refers to all information that allows conclusions to be drawn about a natural person. This includes, in particular

• General data of the natural person (such as names, dates of birth, telephone numbers, addresses)
• Identification numbers (such as social security numbers, tax numbers, identity card numbers)
• Bank data
• Online data (such as IP addresses, locations, passwords)
• Physical characteristics (such as skin color, clothing size, gender)
• Property data (such as land register entries, vehicle license plates)
• Customer data (e.g., orders, account data)
• Documents (e.g., testimonials, deeds, certificates)

Data that is sensitive from the legislator’s point of view is subject to special protection. This includes religion, health, trade union membership, sexuality, ethnic origin, or political beliefs.

Processing in this context means any data processing, e.g., with computers, scanners, digital cameras, or smartphones, as well as analog data collections such as files. However, this affects most areas and data collections in companies and public authorities, so the GDPR is omnipresent.

Obligations from the EU General Data Protection Regulation

Dealing with personal data is always characterized by responsibility towards natural persons. Anyone who wants to work with this data must accept that certain obligations also accompany data processing.

In this context, the obligations can be very diverse. Explaining them all in detail would go beyond the scope of this article. In our knowledge center, you will find extensive articles and information on all the obligations imposed on companies by the GDPR.

Technical and organizational measures

Companies must take technical and organizational measures to best protect the data of the data subject. These vary depending on the industry, data categories, risk factors, and types of processing.

It is a matter of weighing up which measures are necessary and useful to protect the collected data in the best possible way. For this purpose, it is required to maintain a record of processing activities and, if necessary, to carry out impact assessments.

Data protection officer

Many companies are required to hire an internal data protection officer or appoint an external data protection officer.

A data protection officer must be appointed regardless of the number of employees when the company or the processor processes data that require a data protection impact assessment or processes data for transfer (e.g., for research purposes).

Record of processing activities

The basis for all organizational measures, and a functioning data protection concept in general, is the inventory. The GDPR provides a record of processing activities (ROPA) for this purpose.

Companies check their activities and processes with such a record to see whether personal data are collected, stored, or processed. All processes in which this is the case are listed and documented in the ROPA.

The following information must be recorded:

• Description of the process: Which process is meant (e.g., personnel file)?
• Person in charge: Who is responsible for the automated processing, and who is the contact person?
• Purpose of processing: Why is data being processed?
• Categories of data subjects (employees, customers) and categories of personal data.
• Categories of recipients if personal data are disclosed to third parties.
• Transfers to third countries, including the designation of the country and the recipient or organization
• Deletion periods: How long may the data be stored?
• Technical and organizational measures for data protection

Data protection impact assessments

Suppose a processing operation has an increased risk to the rights and freedoms of data subjects due to its technology, form, or manner. In that case, a data protection impact assessment must be carried out.

An impact assessment analyzes whether extensive processing is necessary, the risks to data subjects and whether the purpose and risk are balanced. Only if such a risk assessment is in favor of the processing may it be carried out.

Commissioned processing

If the companies do not perform the data processing themselves but have it carried out by external parties, a processing contract must always be concluded with the third party. This contract must specify how data is processed, which protection mechanisms apply and how data may be stored.

The rules of the GDPR must be included and complied with in this contract.

Emergency plans

If a data leak or data breach occurs, companies should have emergency plans that employees are familiar with. This ensures that the requirements of the General Data Protection Regulation can be met again as quickly as possible in an emergency.

The relevant supervisory authorities must be informed within 72 hours if there is a high risk to data subjects.

GDPR ensures more rights for consumers

Not only have the obligations for companies become more diverse, but data subjects have also gained more rights. This is mainly due to the principle of informational self-determination. It states that every person is free to decide what information they disclose about themselves and what they do not.

The GDPR thus gives consumers, customers, suppliers, and employees more control over their own personal information. The opacity of the companies that use or collect this data is thus reduced, and the procedures become more transparent. Companies that want to work with personal information will then also have to comply with this.

The most important rights of data subjects include the following:

1. Access to data: Every person has the right to access the data stored and to know what data is collected and how it is used. A copy of this information must be provided by companies free of charge and in electronic form if the data subject requests it.
2. Right of withdrawal: if the data subject is no longer a customer or withdraws consent, the company must delete this data without delay (if there is no legal obligation to retain it). Data subjects have a right to order the deletion of data.
3. Data portability: data subjects may request that data be transferred from one service provider to another.
4. Rectification: Customers must be able to have data corrected at any time if it is incomplete, outdated, or incorrect.
5. Restriction of data use: private individuals have the right to restrict the use of data. In this case, the data will not be processed further but will not be deleted.
6. File an objection: Data subjects can prohibit companies from using their data for direct marketing. Consumers must be informed of this right in advance.
7. Notification of data breach: if a data breach incident occurs, such as a data leak or similar, data subjects have a right to be informed about the data leak if the risk is high.

Where does the GDPR apply?

The GDPR applies in the EU member states and beyond. In the countries concerned, the GDPR takes precedence. However, precedence does not necessarily mean that the GDPR supersedes national laws.

As in many regulations, there are also clauses in the GDPR that allow states to make their own regulations or specify existing regulations. Thus, despite the uniform legal basis, they can further regulate individual areas and independently specify the GDPR.

It is also important to note that the GDPR is not only relevant for companies based in the EU. The so-called marketplace principle provides information about the scope of the GDPR: All personal data related to sales and services within the European Union may only be processed by the processing entity within the rules of the GDPR.

Platforms such as Google, Facebook, or other social media channels must also comply with the GDPR if they wish to monitor the behavior of EU citizens, for example, to use this data for advertising purposes.

Who is affected by the GDPR?

In principle, all companies that store, process, or transfer personal data within the EU must comply with the rules of the GDPR. This means that basically every public authority and every company is affected by the regulations of the GDPR.

The GDPR does not affect personal or family activities (so-called household exemption). Private conversations, email contacts, or chats are not subject to GDPR obligations. On the other hand, you should be careful when sharing private photos on public platforms. Here, the GDPR again applies, with the consequence that all data subjects must consent to the publication.

Activities that are not covered by EU law in the first place may also be excluded. This applies, for example, to activities that arise in the area of common foreign and security policy, such as law enforcement. There are also separate rules for EU institutions.

Conclusion

The GDPR provides many measures and rules to protect personal data in the best possible way. For companies, this means much work that is best handled with a system like the Priverion Data Protection Platform. The GDPR requires that a record of processing activities is created at the outset, i.e., a kind of inventory is first taken from existing processes. 

In addition to the many efforts involved, the GDPR also offers the opportunity to review existing structures in the company and make them more efficient and data-friendly. This not only reduces the risk of a data breach and, thus, of damage to the company’s image and fines but also ensures better and simpler workflows that can even increase sales. Companies should therefore also see the GDPR as an opportunity to reform and improve their business.