Frequently Asked Questions

What is the GDPR?

The General Data Protection Regulation (GDPR) is a landmark EU privacy regulation that applies since 25 May 2018. Because it is a Regulation rather than a Directive, it is directly applicable in all EU Member States without needing to be transposed into national legislation.

The GDPR is being called the world’s strictest data privacy law. It aims to expand and unify data protection rights of individuals in the EU and it has unprecedented extraterritorial reach.

What is personal data?

Personal data under the GDPR is interpreted very broadly and includes any information that relates to an identified or identifiable natural person: names, pictures, addresses, phone numbers, e-mail addresses, IP addresses (even dynamic ones), identification numbers, location data, age, origin, pseudonyms, etc.

What is sensitive data?

Sensitive data (the "special categories of personal data" in the GDPR) is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.

What are the sanctions for non-compliance with the GDPR?

Infringements of the GDPR (including by non-EU companies) may lead to administrative fines of up to the greater of €20 million or 4% of total worldwide annual turnover, without prejudice to individual and collective claims for damages that can be brought before the courts. The data protection authorities also have the power to impose temporary or definitive bans on processing and to suspend data flows to recipients in third countries.

How does the GDPR representative in the EU assist non-EU companies?

The main task of the GDPR representative in the EU is to act as a point of contact for the data protection authorities and for the individuals in the EU whose personal data is processed by the non-EU company. The representative acts on behalf of the non-EU company and performs its tasks according to the mandate it has received, including cooperating with the EU data protection authorities on any action taken to ensure compliance with the GDPR.

The GDPR representative in the EU also has to maintain a record of the processing activities of the non-EU company and make it available to the data protection authorities on request.

Where does the EU representative have to be located?

The GDPR representative must be established in one (single) EU Member State in which the individuals whose data are being processed are located. If your company targets the entire EU, it can choose the Member State in which to base its representative. As Brussels is the capital of the EU, it is a preferred location for non-EU companies to designate their GDPR representatives.

How can a GDPR representative in the EU be designated?

The GDPR representative in the EU must be designated in writing. A written contract must therefore be in place that gives the representative a clear mandate and specific instructions.

Designate EDPO and get the EDPO compliance certificate.

Does designating a GDPR representative in the EU release the non-EU company from liability and responsibility?

NO. The GDPR clearly states that the designation of a GDPR representative in the EU does not affect the responsibility or liability of the non-EU company that falls within the scope of the GDPR. The designation is without prejudice to legal actions that could be initiated against the non-EU company itself.

Are there any exceptions to the application of Article 27 of the GDPR to non-EU companies?

The obligation to designate a representative under Article 27 does not apply to a non-EU company that is a public authority or body, or whose processing meets all of the following cumulative conditions:

(i) the company only occasionally processes the personal data of persons in the EU

and

(ii) the processing does not include, on a large scale, the processing of special categories of personal data or of personal data relating to criminal convictions and offences

and

(iii) the nature, context, scope and purposes of the processing make it unlikely to result in a risk to the rights and freedoms of natural persons.

Note that these are exceptions to the obligation to designate a representative only: the GDPR itself continues to apply to the company's processing.

What does it mean to "occasionally process" the personal data of persons in the EU?

The term "occasional" is not defined in the GDPR, but guidelines from the EU data protection authorities state that a processing activity can only be considered "occasional" if it is not carried out regularly and occurs outside the regular course of business or activity of the controller or processor. Those guidelines read "regular" as meaning one or more of the following:

  • ongoing or occurring at particular intervals for a particular period of time
  • recurring or repeated at fixed times
  • constantly or periodically taking place

Examples of regular processing include payroll, accounting, customer data management, e-mail logging, school grades, etc. In practice, a non-EU company that processes the data of persons in the EU as part of its normal business (for example, by selling to EU customers or monitoring EU website visitors) will rarely be able to rely on this condition.

What is considered to be processing "on a large scale"?

The GDPR does not define what constitutes "large scale" processing, but guidelines on the GDPR recommend that the following factors be considered when determining whether processing is carried out on a large scale:
  • The number of individuals concerned – either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity
Examples of large-scale processing include:
  • processing of patient data in the regular course of business by a hospital
  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
  • processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
  • processing of customer data in the regular course of business by an insurance company or a bank
  • processing of personal data for behavioural advertising by a search engine
  • processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
  • processing of patient data by an individual doctor
  • processing of personal data relating to criminal convictions and offences by an individual lawyer

How can a non-EU company assess whether processing is "unlikely to result in a risk to the rights and freedoms of individuals"?

The GDPR does not define the notion of "risk to the rights and freedoms of individuals", but its recitals give examples of the types of risk that should be considered:

  • physical, material or non-material damage, in particular where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage
  • where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data
  • where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures
  • where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles
  • where personal data of vulnerable natural persons, in particular of children, are processed
  • where processing involves a large amount of personal data and affects a large number of data subjects.

What does the GDPR consider as a "public authority or body"?

The GDPR does not define what constitutes a "public authority or body", but guidelines on the GDPR consider that the notion is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but under the applicable national laws the concept typically also covers a range of other bodies governed by public law.


What is the deadline to respond to requests from individuals?

Requests from individuals in the EU exercising their rights must be answered without undue delay and in any event within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, but the individual must be informed of the extension, and of the reasons for it, within the first month.

How must information be communicated to individuals?

Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Particular attention must be given to information addressed to children. The information must be provided in writing or by electronic means; at the request of the individual it may also be provided orally, provided that the individual's identity is proven by other means.

European Data Protection Office

EDPO • Avenue Huart Hamoir 71, 1030 Brussels • Belgium

  VAT : BE0689.629.220 • E-mail : info@edpo.com