When does an organisation need to appoint a Data Protection Officer (DPO) in Cyprus?
The supervisory authority of Cyprus shall have the statutory authority to determine by ordinance those processing activities for which there is an obligation to order pursuant to Art. 37 (1) GDPR. It is unlikely that a list has yet been published.
When does an organisation need to appoint a Data Protection Officer (DPO) in Spain?
In Spain, the law defines the types of organisations that must appoint a data protection officer, whether they are acting as controllers or processors:
a) professional associations and their general councils
b) educational establishments providing education at one of the levels laid down in the education laws, as well as public and private universities
c) organisations operating networks and providing electronic communications services within the meaning of the law when they routinely and systematically process personal data on a large scale
d) information society service providers who profile users on a large scale
e) financial institutions, pursuant to Article 1 of Law 10/2014 of 26 June
f) financial institutions
g) insurance and reinsurance companies
h) investment service providers subject to financial market legislation
i) energy suppliers and marketers of electrical energy as well as energy suppliers and marketers of natural gas
j) entities processing common data for the purpose of assessing the financial situation or creditworthiness or combating fraud, including those responsible for processing data for the purpose of combating money laundering and terrorist financing under related legislation
k) companies which carry out advertising campaigns or commercial research, including commercial and market research, if they carry out processing operations based on the preferences of the parties concerned or carry out activities involving the creation of their profiles
l) health centres that are legally obliged to keep patient files. Exceptions are health professionals, who are legally obliged to keep patient files, but who carry out their activities as individuals.
m) companies whose object is the publication of annual reports which may relate to natural persons
n) gambling operators operating on electronic, computerised, telematic and interactive channels
o) private security companies
p) sports federations, if these process data of minors
When does an organisation need to appoint a Data Protection Officer (DPO) in Belgium?
Any non-public organisation which processes personal data on behalf of a federal authority or to which personal data have been transferred by a federal authority must appoint a data protection officer, provided that the processing of such data may involve a high risk (see Article 35).
Wann wird in Belgien ein Datenschutzbeauftragter benötigt?
Jede nicht-öffentliche Stelle, die eine Verarbeitung personenbezogener Daten im Auftrag einer Bundesbehörde durchführt bzw. an welche personenbezogene Daten von einer Bundesbehörde übertragen wurden, muss einen Datenschutzbeauftragten einstellen, sofern die Verarbeitung dieser Daten ein hohes Risiko (siehe Artikel 35) mit sich bringen kann.
In what languages is easyGDPR available?
Currently you can use easyGDPR in German and in English. When creating the assessment for your organisation, you can choose the German version or the English version. Here you are able to choose in what language the questions and answers in the questionnaires are going to be. Additionally, you can also choose the language in your assessment. Here you can choose the language for the user interface. Once you have chosen a version, you cannot change the language for the questions and answers again.
Who needs easyGDPR?
Every organisation (company, association, authority) that is saving, processing or using personal data in any other way must be able to guarantee the protection of this personal data. Regardless of whether this is about a small or large firm. easyGDPR helps you with the implementation of the GDPR in any case.
Do you assume liability or warranty for customers?
No. We do not assume liability for our customers. We are providing a tool for you whereby you can easily implement the GDPR. There is no guarantee that you won’t have to pay a fine with the use of easyGDPR or any other tool. Because nobody can guarantee you that.
Our organisation has got fewer than 50 employees, do I still have to use easyGDPR?
Yes. If your organisation is affected by the GDPR or not, is not dependent on the size of your organisation. As soon as your organisation is processing personal data, you need easyGDPR. You can find more information at Am I affected by the GDPR?.
How is this software going to help me after May 25th?
Up to May 25th, 2018 your organisation had to be GDPR compliant. However, your work is not done with just that, you can always get requests from data subjects who demand their right of access. You have to answer these requests correctly and also within one month. Especially these requests can take up a lot of time and occasion costs for large firms. easyGDPR is also able to support you with the automation of data subject requests with the Enterprise version. There can also be new data processers for whom you will have to create the appropriate contracts so that the processing is GDPR compliant. You can find more information about this topic at our standard version.
How can I reduce possible fines with easyGDPR?
You can absolutely reduce possible fines with easyGDPR. Of course, just using our software is not a guarantee that you will never be fined, but the regulatory authority will see that you at least attempted to fulfil the GDPR. You trying to fulfil the GDPR can make a huge difference if you will face mild or severe penalty. If you do not conform to the principles relating to personal data processing, a software alone is not going to help you avoid being fined.
I’m not a GDPR expert, how can I still use easyGDPR?
You can easily define your processing activities with our questionnaires and our tool creates the appropriate Record of Processing Activities (ROPA) for you. All other features of easyGDPR are built like this, regardless of whether you want to create contracts concerning data processors for your data processors or if you simply want to document your data breaches. You just have to fill out our questionnaires and easyGDPR generates the appropriate documents which you can easily print and present to the ICO if requested.
Do you also support large firms?
Yes, we also support large firms with our Standard and Enterprise versions. You can find more information of the contents of the products here.
What if I need more than one user?
If you should need more than one user, just contact us.
Is there any other expense after buying one of these products?
No. You are getting a licence for using easyGDPR for 12 months after buying one of our products. You do not have to pay for the installation or maintenance.
What do I have to consider regarding personnel management?
As soon as you have one employee you will have a personal file about them and you will process the data of your employee as part of the personnel accounting. Due to this processing of data also your employees come under the GDPR.
What you should also keep in mind is that you are not only going to process normal personal data of your employees but also so-called special categories of personal data, like e.g. the religious affiliation of your staff to give your employees days off because of holidays or the trade union membership of your employees, cf. Article 9.
Besides, these special categories of personal data merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms, e.g. the publication of the religious affiliation could lead to disadvantages or bullying of one employee.
What exactly does GDPR mean and what types of organisations are affected by it?
The GDPR contains regulations for the protection of natural persons when processing personal data. The GDPR is in force since May 25th, 2018 and applies therefore to all organisations that are based in Europe or that are offering products and/or services to customers in Europe.
However, it does not only apply to organisations but also to businesses, authorities, clubs and individuals that are processing personal data outside of the private or domestic sphere.
The heart of the GDPR are the principles relating to personal data processing mentioned in Article 5, e.g. data minimisation or storage limitation.
Are there any technical or organisational measures that I have to fulfil?
The GDPR demands appropriate measures and also measures, that are state of the art. At the same time it is not prescribed what exactly has to be done, cf. Article 25 GDPR.
Appropriate here means that you need an up-to-date firewall, an up-to-date virus scanner and malware protection. You should also encrypt your data by default and test your fallback system on a regular basis to be able to recover backups in an emergency. Introducing a password policy (crucial here is the length!) and the establishment of different users and passwords for different areas are important contributions for data protection.
What do I have to do in case of a data breach?
Immediately after noticing a personal data breach, you have to inform the data protection authority within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. You then have to demonstrate the technical and organisational measures that are in place to reduce this incident.
The incidents have to be minuted in any case.
Take note: Even the loss of a mobile phone or an USB memory stick with addresses on it is a data breach and has to be reported.
Latest example: A lost USB memory stick has caused the Heathrow Airport in London a financial penalty of 120.000 GBP.
What exactly is a Record of Processing Activities (ROPA) and do I need one?
The GDPR requires you to have a record of processing activities, see Article 30 GDPR. On demand of the authority the data controller or the data processor provides the record of processing activities.
In the ROPA you have to list every single processing, the ROPA describes the exact usage of the data, the technical and organisational measures, that you have in place for the protection of the data, it shows you who is affected by a processing and it also shows you the recipient of a processing and possible data processors are also listed there. A fundamental risk analysis should also be included in a ROPA.
If you write a Record of Processing Activities (ROPA) without help, it will takes you many hours. A more easy way is to use easyGDPR. This powerful online-tool reduces the effort to a minimum. You do not need any previous knowledge to achieve a complete ROPA. All functionality is already included in easyGDPR lite version.
Buy your version of easyGDPR right now!
What does personal data mean?
Personal data means any information relating to an identified or identifiable natural person. As soon as you can directly or indirectly identify a natural person based on data like e.g. names, location data, customer IDs etc., this data is considered as personal data – Article 4 GDPR.
What repercussions does the GDPR have on my organisation?
That depends completely on your company. Many organisations surely have to make additional safety arrangements regarding the software and hardware, in other organisations these safety arrangements are possibly already in place and there is only little left to do. However, data protection should definitely be taken seriously. Since the GDPR has come into force there have been bigger repercussions if you are simply ignoring data protection. It seems that penalties imposed for SME were already up to 500 – 5.000 EUR. You can find more information about the risks for noncompliance of the GDPR here.
The GDPR demands also a data protection by default and by design, that means that suitable technical and organisational measures have to be taken to fulfil the GDPR principles and to protect data subjects.
The GDPR is also an opportunity for many organisations to minimise existing risks and to position yourself as a reliable partner on the market who takes data protection seriously.
What kind of risk am I taking, if I don’t adhere to the GDPR?
If you do not adhere to the GDPR, damage from the following areas can occur:
- Damage from evitable data loss,
- Penalties from the authority (appropriate and effective, up to €20m or 4% of your organisation’s annual global turnover),
- Indemnity claims from data subjects (also the lawyer’s fee for the enforcement),
- Reputational damage for the organisation if a data breach becomes apparent and
- Damage from the wrong response of not or badly trained staff.
In the organisations that we have been advising, there have been consistently procedures that made a data loss likely. In many cases this data loss would have caused this organisation’s ruin – completely without GDPR. The implementation of the GDPR is an opportunity to minimise risks and to achieve a better employee safety with manageable and often affordable measures.
Article 83 describes the general conditions for imposing administrative fines for the authorities. Taken measures to be GDPR compliant and minimising possible damages for the data subjects, will reduce possible penalties from the authority. It is explicitly demanded that penalties have to be operative.
There is no official information about vocalised penalties in Austria yet (November 2018) but it seems that the penalties imposed for SME were up to 500-5.000 EUR. Compared to that, the Heathrow Airport in the UK was penalised with 120.000 GBP because one employee has lost an USB memory stick with confidential information on it.
Under the GDPR the data subjects have a right to damages. Damages can also arise from a lawyer’s fee.
The awareness of the public for data protection has risen under the GDPR. Lacks in proper data protection have been reported in the media more often recently. The news about an organisation being sloppy with their data protection can be devastating for the reputation of the organisation. Just one employee that is not sensitised to data protection can cause extensive damage.
See 120.000 GBP damages for lost USB memory stick.
I am a small business owner and I am only issuing invoices, I don’t have a customer database, am I affected by the GDPR?
Yes, see “Am I affected by the GDPR?“.
Am I still affected by the GDPR if I am only saving names and email addresses?
Yes, see “Am I affected by the GDPR?”.
What kind of data do I have to send to the authority?
Basically, there is no need to send data to the authority. Not even your record of processing activities (ROPA) is automatically being transferred to the authority.
The regulating authority only demands that you document the processings of personal data and that you can provide that documentation for the authority on demand. The authority doesn’t find out any specific data (e.g. names or email addresses) thereby.
Only in certain cases the authority is going to ask for specific data, e.g. if somebody files a complaint, the authority is going to ask for data of that person so that the authority can verify the complaint.
What can the regulating authority demand of me?
The authority can demand access to all information that is necessary for the fulfilment of their tasks, can point out putatively offences against the GDPR and can also prohibit a certain kind of processing.
The authority can ask for access to your records and can perform data protection audits on site.
In doing so, the authority also checks if
- the data is being processed accordingly to its purpose and fairly,
- the safety measures are state of the art,
- the staff handles data protection questions correctly,
- there are processes for the deletion of no longer needed data,
- … .
I only have handwritten notes, does the GDPR still apply to me?
Yes. Even not automated, processed data is subject to the GDPR. Once you have sorted the data in one way or another, they are subject to the GDPR.
That means that the data subjects have the right of access. The files have to be secured appropriately and the data that is no longer needed has to be disposed of.
Appropriately means here that e.g. personnel files with the religious affiliation or the union membership should be locked.
I’ve only got a small-scale operation, do I have to implement the GDPR like a big one?
Yes. If the GDPR applies to you or not does not depend on the size of your organisation but rather if you are processing, saving or using personal data (e.g. names of your customers, telephone numbers or email addresses) in any way.
One-person-enterprises also have to adhere to the GDPR.
The risk for small-scale operations results from possible indemnity claims and penalties which arise from the wrong dealing with data subject requests and the documentation obligations from the GDPR.
Am I affected by the GDPR?
Only if you are using personal data exclusively in the private or domestic sphere, you are not affected by the GDPR.
The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. (Article 2)
The GDPR applies to all businesses, organisations, authorities, clubs and individuals that are processing personal data (out of the private or domestic sphere). These businesses, organisations etc. are called data controllers.
The GDPR applies to data controllers in the EU and for all personal data that is being processed – this also includes persons that live outside of the EU.
The GDPR only applies to data controllers outside of the EU if these are offering goods or services to data subjects inside of the EU whether the data subjects have to make a payment, or they are observing the behaviour of data subjects so far as this behaviour happens inside of the EU.
Goods or services are being offered to persons inside of the EU if it is recognisable that persons inside of the EU ought to be reached. That can be done by prices in EUR, a website in a language especially spoken in the EU (like German or Czech) or by items which refer to an EU country.
An example: An US organisation that is selling online classes with no visible relation to the EU, is not subject to the GDPR – even if the online classes can be bought from inside the EU. If the organisation prices the classes also in EUR, then it is also subject to the GDPR.
Am I still allowed to send my customers birthday wishes?
Yes, but …
For sending out birthday wishes you need the date of birth of your customers.
If you are asking a new customer for their date of birth, you have to state that you want to use the date of birth for sending out birthday wishes. Additionally, asking for the date of birth at the time of order must not be absolutely necessary (if you don’t have other legal basis for the processing e.g. the regulation to save the date of birth for overnight stays).
Therewith you are getting a proper approval for the processing of new data.
You can also use the existing data for processings that can be expected by the data subject. If you sent out birthday wishes in the past it is legitimate to assume that the data subjects are expecting this kind of processing and you can continue to do so.
Make it easy for the data subjects to revoke the processing or to withdraw their consent.
If you have obtained the date of birth from a third source and there is no link to the data subject, the sending of birthday wishes is questionable from a data protection point of view.
If you have gotten the birthdays via social networks, you can use this information to send out birthday wishes within this social network.
A birthday that has been published to Facebook cannot automatically be used for institutional advertising. Where exactly you can draw the line is not yet brought to the supreme court. One could argue that the data on Facebook is public.
Am I still allowed to keep my acquisition data base?
Yes, but …
You can save data of potential customers/interested parties. But you have to document these processings in your Record of Processing Activities (and also in your privacy policy).
But under Article 14 you have to inform the data subject within 30 days, that you are processing their data and where you got that data from. This also includes data that you have gathered from public sources if that processing is not yet known to the data subjects.
The most effective way to attend to the information obligations is to contact new contacts within 30 days and to send individual emails. In this email you can refer to your privacy policy and the source of the data.
Additionally, you have to obey to the rules of the Telecommunications Act when contacting potential customers.
Furthermore, it has to be easy for the data subjects to object to this kind of processing.
When does an organisation need to appoint a Data Protection Officer (DPO)?
A DPO has to be appointed in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity,
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
So, the appointment of a DPO is rarely mandatory in the UK, although you can always voluntarily appoint a DPO, even if you don’t need one.
Physicians don’t need a DPO because the work with medical data is not their core activity. Physicians communities and hospitals absolutely need a DPO.
Is WhatsApp GDPR Compliant
No and that is why WhatsApp should not be used in an organisation.
WhatsApp is a product of Facebook and Facebook is certified under the US-EU Privacy Shield. So theoretically transferring data to Facebook resp. WhatsApp would be permitted.
In their licensing conditions WhatsApp asks for permission to upload all saved telephone numbers and contacts from the mobile phone to Facebook/WhatsApp. Without this permission WhatsApp is not useable. The data is being used to identify familiar persons.
The problem here is that thereby the data from third parties is also transferred to Facebook, even though the third parties may disapprove of that. That can directly affect these persons because of the established connection from your and other address books, which is undesirable.
Another problem with WhatsApp is that the usage is almost inevitable in the private sphere (especially for groups in clubs, classes, …). Once you are using WhatsApp in private your business contacts will be transferred to Facebook as well.
Please notice, using WhatsApp is data processing according to GDPR. Therefore, you have to document this in the records of processing activities (ROPA). The simplest way to create your record is easyGDPR. Without a complete ROPA, you are risking high fines. Use easyGDPR Lite to create the Record of processing activites in a fast and easy way.