When does an organisation need to appoint a Data Protection Officer (DPO) in Cyprus?
The supervisory authority of Cyprus shall have the statutory authority to determine by ordinance those processing activities for which there is an obligation to order pursuant to Art. 37 (1) GDPR. It is unlikely that a list has yet been published.
When does an organisation need to appoint a Data Protection Officer (DPO) in Spain?
In Spain, the law defines the types of organisations that must appoint a data protection officer, whether they are acting as controllers or processors:
a) professional associations and their general councils
b) educational establishments providing education at one of the levels laid down in the education laws, as well as public and private universities
c) organisations operating networks and providing electronic communications services within the meaning of the law when they routinely and systematically process personal data on a large scale
d) information society service providers who profile users on a large scale
e) financial institutions, pursuant to Article 1 of Law 10/2014 of 26 June
f) financial institutions
g) insurance and reinsurance companies
h) investment service providers subject to financial market legislation
i) energy suppliers and marketers of electrical energy as well as energy suppliers and marketers of natural gas
j) entities processing common data for the purpose of assessing the financial situation or creditworthiness or combating fraud, including those responsible for processing data for the purpose of combating money laundering and terrorist financing under related legislation
k) companies which carry out advertising campaigns or commercial research, including commercial and market research, if they carry out processing operations based on the preferences of the parties concerned or carry out activities involving the creation of their profiles
l) health centres that are legally obliged to keep patient files. Exceptions are health professionals, who are legally obliged to keep patient files, but who carry out their activities as individuals.
m) companies whose object is the publication of annual reports which may relate to natural persons
n) gambling operators operating on electronic, computerised, telematic and interactive channels
o) private security companies
p) sports federations, if these process data of minors
When does an organisation need to appoint a Data Protection Officer (DPO) in Belgium?
Any non-public organisation which processes personal data on behalf of a federal authority or to which personal data have been transferred by a federal authority must appoint a data protection officer, provided that the processing of such data may involve a high risk (see Article 35).
Wann wird in Belgien ein Datenschutzbeauftragter benötigt?
Jede nicht-öffentliche Stelle, die eine Verarbeitung personenbezogener Daten im Auftrag einer Bundesbehörde durchführt bzw. an welche personenbezogene Daten von einer Bundesbehörde übertragen wurden, muss einen Datenschutzbeauftragten einstellen, sofern die Verarbeitung dieser Daten ein hohes Risiko (siehe Artikel 35) mit sich bringen kann.
In what languages is easyGDPR available?
Currently you can use easyGDPR in German and in English. When creating the assessment for your organisation, you can choose the German version or the English version. Here you are able to choose in what language the questions and answers in the questionnaires are going to be. Additionally, you can also choose the language in your assessment. Here you can choose the language for the user interface. Once you have chosen a version, you cannot change the language for the questions and answers again.
Who needs easyGDPR?
Any organization (company, association, authority) that stores, processes or otherwise uses personal data must be able to guarantee the protection of such personal data. Whether this is a huge company or a small one. easyGDPR helps you with the implementation in any case.
Do you assume liability or warranty for customers?
No. We do not assume liability for our customers. We are providing a tool for you whereby you can easily implement the GDPR. There is no guarantee that you won’t have to pay a fine with the use of easyGDPR or any other tool. Because nobody can guarantee you that.
I have less than 50 employees, do I still have to use easyGDPR?
Yes. Whether or not you are affected by the GDPR does not depend on the size of your company or the number of your employees. As soon as your company processes personal data, you need easyGDPR. You can find more information at“Am I affected by the GDPR?“.
How will the software help me at all after May 25?
By May 25, 2018, your company had to be GDPR compliant. However, this is not the end of the story, there may always be requests from customers asking for information about their data and you must always be able to respond to them and answer them correctly. These inquiries in particular can take up a lot of time and also costs for larger companies. easyGDPR can also support you in automating information and deletion requests with the easyGDPR Enterprise version. There may also always be new processors, for which you will then need to create the appropriate contracts so that the processing is GDPR compliant. You can find more information about it at our standard version.
How can I reduce my potential fines with the help of easyGDPR?
You can definitely reduce potential fines with easyGDPR. Just using our software is of course no guarantee that you cannot be penalized, but the supervisory authority sees that you have at least made an effort to comply with the GDPR. It is this effort that can make a big difference in the amount of the sentence. However, if you do not comply with the principles for processing personal data, for example, software alone will not be able to help you.
I am not a DSGVO specialist, how can I use easyGDPR?
With our questionnaires, you can easily define your processing operations and our tool will create the corresponding processing directory for you. All other features follow this pattern as well, whether you want to document a processor contract or your data breaches. All you need to do is fill out our questionnaires and easyGDPR will create the appropriate documents for you, which you can easily print out and present to the data protection authority during inspections.
Do you also support large companies?
Yes, we also support larger companies with our standard and enterprise versions. You can find more information about the contents at our version comparison.
What if I need more than one user?
If you need more than one user, just contact us.
Are there any other costs after the purchase?
No. When you purchase one of our easyGDPR products, you receive the license for 12 months and do not have to pay any other costs, such as for setup or installation.
I already have a data protection officer, why do I need easyGDPR?
It is very good that you have already appointed a Data Protection Officer (DPO). We are also not at all interested in replacing your DSBA. With easyGDPR, we offer you a tool that supports your DSBA in the completion of its tasks, e.g. the correct handling of data subject inquiries.
Does easyGDPR offer consulting services or documentation review?
Yes. We offer consulting hours at our premises in Stetten, near Vienna and also online consulting with our GDPR experts. For more information on the areas in which we can support you, , please visit our easyGDPR Consulting. Just contact us to make an appointment.
Do I have to use easyGDPR only once?
No. Many think that the implementation of the GDPR is a one-time matter. However, the GDPR states that you must respond to requests from customers about accessing their data, and this is not a one-time thing, but can happen again and again. easyGDPR helps you to respond correctly to requests for information and deletion.
In addition, it may also happen that you employ a new processor and with easyGDPR you can then easily create a contract for the respective processing concerned. You must also regularly check whether the appropriate technical and organizational measures have been put in place, and if there is a risk to data subjects, you must also prepare a data protection impact assessment for this processing and possibly inform the data subjects and the data protection authority about it.
If you are not sure how best to handle data subject inquiries or do not know when to report a data breach and in which cases this is not necessary – with easyGDPR Standard you are prepared for all these occurrences and can respond to them properly.
Are your prices in Euro?
Yes. All our prices are in Euro and exclusive of VAT.
What do I need to keep in mind when managing personnel?
Once you have employees, you will keep a personnel file on them and process the data from the employees in the course of payroll. Through this processing of data, employees also fall under the GDPR.
What else to keep in mind here is that you will probably not only process “normal” personal data from your employees, but also so-called special categories of personal data, such as the religious affiliation of your employees in order to be able to give them time off on the various holidays, or also the trade union affiliation, cf. Article 9.
These special categories of personal data also deserve special protection, as significant risks to fundamental rights and freedoms may arise in connection with their processing, e.g., publication of religious affiliation may lead to discrimination or harassment of a particular employee.
What is the GDPR anyway and which companies does it affect?
The GDPR contains rules on the protection of individuals with regard to the processing of personal data. The GDPR has been in force since May 25, 2018 and is therefore applicable to all companies that are based in Europe or offer products and/or services to customers in Europe.
However, not only companies are affected, but also organizations, authorities, associations and individuals who process personal data outside the family or private sphere.
The core of the GDPR are the principles for the processing of personal data set out in Article 5 , such as the principle of data minimization or storage limitation.
Are there any technical or organizational requirements that I need to meet?
The GDPR requires appropriate measures and also measures that are state of the art. However, this does not prescribe exactly what should be done, cf. Article 25 GDPR.
However, adequate here means that at least an up-to-date firewall, virus scanner and malware protection are required. Encryption of data should also be standard. You should also test your backup system regularly to be able to restore backups in case of an emergency. The introduction of password rules (the length is crucial here!) and also the definition of different users and passwords for different areas are important steps for data protection.
What to do in case of a data breach?
As soon as you notice a personal data breach, you must inform the data protection authority within 72 hours. The exception to this is when the personal data breach is not likely to result in a risk to the rights and freedoms of individuals. You must then be able to demonstrate what technical and organizational measures you have in place to mitigate this incident.
The incidents must be logged in any case.
Attention: The loss of a cell phone or memory stick with addresses is also a data breach and must be reported.
Current example: A lost memory stick has resulted in a fine of 120,000 GBP for Heathrow Airport in London.
What exactly is a Record of Processing Activities (ROPA) and do I need one?
The GDPR requires you to have a record of processing activities, see Article 30 GDPR. On demand of the authority the data controller or the data processor provides the record of processing activities.
In the ROPA you have to list every single processing, the ROPA describes the exact usage of the data, the technical and organisational measures, that you have in place for the protection of the data, it shows you who is affected by a processing and it also shows you the recipient of a processing and possible data processors are also listed there. A fundamental risk analysis should also be included in a ROPA.
If you write a Record of Processing Activities (ROPA) without help, it will takes you many hours. A more easy way is to use easyGDPR. This powerful online-tool reduces the effort to a minimum. You do not need any previous knowledge to achieve a complete ROPA. All functionality is already included in easyGDPR lite version.
Buy your version of easyGDPR right now!
What is personal data?
Personal data is any information relating directly or indirectly to an identified or identifiable natural person. As soon as data such as names, location data, customer numbers, etc. can be directly or indirectly attributed to a natural person, this data is considered personal data – Article 4 GDPR.
What impact will the GDPR have on my company?
That depends entirely on your company. Many companies will certainly need to take additional security precautions in terms of software and hardware; for others, these security precautions may already be in place and not too much more needs to be done. However, data protection should be taken seriously in any case. Since the entry into force of the GDPR, there are already major consequences for simply ignoring data protection. Apparently, penalties of EUR 500 – 5,000 have already been imposed for rather “minor offenses” by SMEs. More details about the risks of non-compliance with the GDPR can be found here.
The GDPR also requires data protection by default and by design, which means that appropriate technical and organizational measures must be taken to comply with the principles of the GDPR and to protect data subjects.
The GDPR is also an opportunity for many companies to minimize existing risks and position themselves in the market as a reliable partner that takes data protection seriously.
What risk do I run if the GDPR is not complied with?
If the GDPR is not complied with, damages from the following areas may occur:
- Damage due to avoidable data loss,
- Penalties by the authority (reasonable and effective, up to 20 million euros or 4% of annual worldwide turnover),
- Claims for damages by affected parties (including attorney’s fees for enforcement),
- Damage to the company’s reputation if a data protection incident becomes known; and
- Damage caused by incorrect reactions of untrained or poorly trained employees.
In companies we have consulted, there have always been processes that have made data loss likely. In several cases, this data loss would have meant the ruin of the company – completely without GDPR. The implementation of the GDPR is an opportunity to minimize risks and achieve greater operational security with manageable and often cost-effective measures.
Article 83 describes how authorities may punish. Measures taken to comply with the GDPR and minimize potential harm to data subjects reduce potential penalties. However, it is explicitly required that penalties be effective.
There is no “official” information on penalties imposed for Austria (as of November 2018), but it seems that around EUR 500-5,000 in penalties are imposed for “minor offenses” by SMEs. In comparison, in the UK ‘s Heathrow Airport fined 120,000 GBP because an employee lost an unprotected memory stick containing confidential information.
The GDPR gives data subjects the right to compensation. Damages may also arise from legal fees.
The GDPR has also raised public awareness of data protection. Data protection errors are increasingly in the news. The news that a company has slacked on data protection can be devastating for its reputation. A single employee who is not sensitive to data protection can cause great damage as a result.
See 120,000 GBP compensation for lost memory stick.
I am a small business owner and only issue invoices to my customers, I also do not have a customer database, am I affected by the GDPR?
Yes. See“Am I affected by the GDPR“.
Does the GDPR also affect me if I only store names and email addresses?
Yes. See“Am I affected by the GDPR“.
What data do I have to send to the authority?
In principle, no data is sent to the authority. Also, your processing directory is not automatically transferred to the authority.
The supervisory authority only requires that you document the processing operations of personal data and that you can provide this documentation to the authority upon request. The authority does not learn any specific data (such as name or e-mail address).
Only if there is a specific occasion, the authority will ask for concrete data, e.g. if someone complains to the authority, the authority will ask for the data of this person in order to verify the complaint.
What can the supervisory authority require of me?
The authority may request access to all information necessary for the performance of its tasks, may point out alleged violations of the GDPR and may also prohibit a certain type of processing.
The authority may inspect and conduct on-site data protection reviews.
Among other things, this involves checking,
- whether the data are processed in good faith in accordance with the purpose,
- whether the security measures are state of the art,
- whether employees are handling data protection issues correctly,
- Whether there are processes for deleting data that is no longer needed,
- … .
I only have handwritten notes, does the GDPR apply to me?
Yes. Non-automated processed data is also subject to the GDPR. Once you have sorted data in any way, it is subject to the GDPR.
This means that the data subjects have a right to information. Folders must be adequately backed up and data that is no longer needed must be disposed of.
Appropriate means that, for example, personnel files with religious affiliation or union membership should be blocked.
I only have a small business, do I have to implement the GDPR in the same way as a large one?
Yes. Whether or not you are affected by the GDPR does not depend on the size of your company, but solely on whether you process, store or otherwise use personal data (e.g. names of your customers, telephone numbers or email addresses) in any form.
EPUs must also comply with the GDPR.
The risk for small businesses comes primarily from potential claims for damages and penalties resulting from incorrect handling of data subject requests and the documentation requirements of the GDPR.
Am I affected by the GDPR?
Only if you use personal data exclusively in a private or family environment, you are not affected by the GDPR.
The GDPR applies to the wholly or partly automated processing of personal data as well as to the non-automated processing of personal data which are stored or are intended to be stored in a sorted manner.(Article 2)
The GDPR applies to all companies, organizations, public authorities, associations and individuals who process personal data (outside the personal and family sphere). These companies, organizations, etc. are called responsible parties.
The GDPR applies to controllers in the EU and to all personal data that is processed – including for individuals living outside the EU.
For controllers outside the EU, the GDPR applies only if they offer goods or services to data subjects in the European Union, regardless of whether a payment is to be made by those data subjects or whether they monitor the conduct of data subjects, to the extent that such conduct takes place in the Union.
Goods or services are offered to persons in the EU, for example, if it is recognizable that persons in the EU are to be reached. This can be done by prices in EUR, a web presence in a language spoken mainly in the EU (German, Czech) or by articles referring to an EU country.
Example: A US company that sells online courses in English but has no visible connection to the EU is not subject to the GDPR – even if the courses can be purchased online from the EU. If the company also prices in EUR, it is subject to the GDPR.
Can I wish my customers a happy birthday?
Yes, but …
To congratulate on the birthday, you need the date of birth.
When you ask for the date of birth from new contacts, you must specify that you want to use the date of birth for birthday wishes. In addition, the date of birth may not be mandatory, for example, for orders (unless you have other legal grounds for processing, such as the requirement to store the date of birth in the event of an overnight stay).
This will give you correct consent for new data to be processed.
You can also use the existing data for processing that the data subject expects. If you have wished them a happy birthday in the past, it is legitimate to assume that they expect this processing and you can continue to do so.
Make it easy for data subjects to revoke processing/withdraw consent given.
If you have the date of birth from a third party source and there is no connection to the data subject, sending birthday wishes is questionable from a privacy perspective.
Birthdays that you learn about social networks, you can use within the network for congratulations.
However, a birthday published on Facebook is not automatically usable for company advertising. Where exactly the boundary lies has not yet been decided. One could argue that the data on Facebook is public.
May I continue to maintain my acquisition database?
Yes, but …
You may continue to store data from potential customers/prospects. But you must document this processing in your processing directory (and, if applicable, in your privacy statement).
However, under Article 14, you must inform data subjects within 30 days that you are processing the data and where you got it. This also applies to data you have from public sources, but only if the processing is not yet known to the data subject.
The most effective way to comply with these information requirements is to contact new contacts within 30 days, including sending an individual email. The email can then refer to the privacy policy and the source of the data.
In addition, when contacting “not yet customers”, you must follow the rules of the Telecommunications Act.
It must also be easy for the data subject to object to this processing.
When is a data protection officer required in Austria?
According to the GDPR, a data protection officer is required if
- authorities or public bodies process data, with the exception of courts,
- the core activity of the controller or processor involves extensive, regular and systematic monitoring of data subjects, or
- the core activity of the controller or processor involves substantial processing of special categories of data or of personal data relating to criminal convictions and offences (see Article 9 and 10 of the GDPR).
This means that a data protection officer is rarely needed in Austria.
Physicians do not need a data protection officer because the core activity is not working with medical data. Medical associations or hospitals definitely need a data protection officer. Also see our article on May patients be called by name?
Is WhatsApp GDPR Compliant
No and that is why WhatsApp should not be used in an organisation.
WhatsApp is a product of Facebook and Facebook is certified under the US-EU Privacy Shield. So theoretically transferring data to Facebook resp. WhatsApp would be permitted.
In their licensing conditions WhatsApp asks for permission to upload all saved telephone numbers and contacts from the mobile phone to Facebook/WhatsApp. Without this permission WhatsApp is not useable. The data is being used to identify familiar persons.
The problem here is that thereby the data from third parties is also transferred to Facebook, even though the third parties may disapprove of that. That can directly affect these persons because of the established connection from your and other address books, which is undesirable.
Another problem with WhatsApp is that the usage is almost inevitable in the private sphere (especially for groups in clubs, classes, …). Once you are using WhatsApp in private your business contacts will be transferred to Facebook as well.
Please notice, using WhatsApp is data processing according to GDPR. Therefore, you have to document this in the records of processing activities (ROPA). The simplest way to create your record is easyGDPR. Without a complete ROPA, you are risking high fines. Use easyGDPR Lite to create the Record of processing activites in a fast and easy way.
Buy your licence of easyGDPR right now!
When is a data protection officer required in Germany?
According to the GDPR, a data protection officer is required if
- authorities or public bodies process data, with the exception of courts,
- the core activity of the controller or processor involves extensive regular and systematic monitoring of data subjects, or
- the core activity of the controller or processor involves substantial processing of special categories of data or of personal data relating to criminal convictions and offences (see Articles 9 and 10 of the GDPR).
In addition, the German Federal Data Protection Act requires that a data protection officer be appointed if at least 10 employees work with data.