GDPR Frequently Asked Questions


Do you have questions about the General Data Protection Regulation (GDPR)? Maybe you are not sure what the GDPR requires, or you are wondering what technical and organizational measures you need to take so that your company does not expose itself to fines of up to 20 million euros. The fines are large, but an organization that prepares properly can avoid them.

This page collects answers to the questions that come up most often when implementing the GDPR in an organization, website or product. If you do not want to read everything, jump directly to the question you are interested in.


Here are the most frequently asked questions about the GDPR that everyone should read:

General GDPR

  1. What is GDPR?

    GDPR stands for General Data Protection Regulation. It replaces the Data Protection Directive (95/46/EC); in the UK, the Data Protection Act 1998 was replaced by the Data Protection Act 2018, which sits alongside the GDPR. The GDPR was adopted by the European Parliament on 14 April 2016 and has applied since 25 May 2018. It governs the processing of personal data and the rights of data subjects in the EU, and it reaches organizations anywhere in the world that process the personal data of people in the EU.

  2. When will the GDPR come into effect?

    The GDPR has applied since 25 May 2018.

  3. What does GDPR apply to?

    Any organization that processes personal data in the context of an establishment in the EU, or that, from outside the EU, offers goods or services to, or monitors the behaviour of, data subjects in the EU, must comply with the GDPR (Article 3). It therefore applies regardless of whether the organization is located in an EU member state.

  4. What are the penalties?

    Under Article 83 of the GDPR, the maximum fine for the most serious infringements is 20 million euros or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher. A lower tier of 10 million euros or 2% of worldwide annual turnover, whichever is higher, applies to other infringements, such as breaches of the controller's and processor's obligations under Articles 25 to 39 (including security of processing and breach notification).

  5. Who is the Data Controller?

    The official definition in Article 4 of the GDPR reads: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In simple words, the controller is the party that decides why and how personal data is processed.

  6. Who is the Data Processor?

    The official definition in Article 4 of the GDPR reads: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In simple words, the processor is the party that processes personal data on the instructions and under the authority of the controller.

  7. Who is the Data Importer?

    A data importer is any controller or processor located in a third country outside the EU that receives personal data about EU data subjects from a data exporter.

  8. Who is the Data Exporter?

    The data exporter is the controller (or processor) in the EU that transfers EU data subjects’ personal data to the data importer.

  9. What is ‘legitimate interests’?

    Article 6(1)(f) of the GDPR provides:

    “1. Processing shall be lawful only if and to the extent that at least one of the following applies:

    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

    The GDPR offers “legitimate interests” as a legal basis for processing personal data without obtaining consent. It does not contain a list of purposes that qualify as a legitimate interest, but the following activities may constitute one:
    1. ensuring network and information security;
    2. preventing fraud; or
    3. indicating possible criminal acts or threats to public security.

    So if you process personal data for one of these purposes, the legitimate interests basis may apply, but only if the balancing test built into Article 6(1)(f) comes out in your favour: you must assess, and document, that your interest is not overridden by the interests, rights and freedoms of the data subject.

  10. What kind of information does GDPR apply to?

    The GDPR applies to personal data. Its territorial scope (Article 3) covers processing carried out in the context of an organization’s establishment in the EU, regardless of where the data subjects are located, and processing by organizations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. Article 4(1) of the GDPR defines personal data as follows:

    ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  11. What responsibilities will companies have under GDPR?

    It depends on whether the company is a data controller or a data processor.

    Obligations of the data controller:
    1. Under Article 24 of the GDPR, the controller is responsible for ensuring, and being able to demonstrate, that its processing activities comply with the GDPR.
    2. The controller must implement appropriate technical and organizational security measures, proportionate to the risk posed by the data it processes, and must be able to demonstrate that processing is performed in accordance with the regulation.
    3. In the event of a personal data breach, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects (Article 34).
    4. The controller must ensure that its processors carry out their processing in compliance with the GDPR. This is done through a written contract, commonly a Data Protection Addendum or Agreement, signed by both parties (Article 28).
    5. Where a type of processing is likely to result in a high risk to individuals, the controller must carry out a Data Protection Impact Assessment (DPIA) before starting the processing and take the steps it identifies (Article 35).

    Obligations of the data processor:
    1. The processor must process personal data only on the documented instructions of the controller, as set out in the contract or agreement signed by the parties.
    2. The processor must inform the controller of any intended addition or replacement of a sub-processor, giving the controller the opportunity to object.
    3. The processor must keep a record of all processing activities carried out on behalf of the controller.
    4. After becoming aware of a personal data breach, the processor must notify the controller without undue delay and assist the controller in mitigating and remediating it.
    5. The processor must assist the controller with Data Protection Impact Assessments (DPIAs).

    Apart from these individual responsibilities, both controllers and processors must appoint a Data Protection Officer (DPO) when Article 37 requires it: where the organization is a public authority, where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of data or data relating to criminal convictions.
