The GDPR concerns every private and public sector organisation regardless of industry: an e-commerce site, a polling company, an advertising company, or a simple information portal that collects, stores and processes data of natural persons, whether that data belongs to the company's own employees, partners, visitors or ordinary customers. The regulation lays down specific rules for the collection, organisation, storage, transmission and deletion of each type of information, and obliges companies to communicate clearly and unambiguously to users who is involved in the processing of their data, what data is being processed and for what purpose.
The EU General Data Protection Regulation aims to bring data protection up to date for the internet era, treating it as a fundamental right that is regulated consistently across Europe. It is a regulation, not a directive, so it applies directly in every member state without national transposition. Any company that serves European customers and collects their data must comply, even if it is based outside Europe, as long as its applications manage and process data of people in the European Union.
Specifically, every company whose field of activity includes:
- E-services, e-commerce and e-shops, and the sending of marketing or advertising material to natural persons (customers or recipients)
- Collaboration with third-party companies that provide data storage (collaboration with cloud companies) or processing (CRM systems) or analysis (analytics) services
- Processing of personal data through cooperation (and data sharing) with third party service providers such as external Accounting Firms, Certified Public Accountants, etc.
- Processing of personal data through the use of external security systems (e.g. cameras/CCTV) or internal, organizational security (e.g. geolocation system of cars or persons working outside company premises, intra-company e-mail monitoring system, etc.)
In particular, businesses that offer services based on data processing or perform, by nature, large-scale processing or systematically process sensitive data are required to take timely and immediate "broad-spectrum" compliance measures.
These businesses include, but are not limited to, the following:
- Telecommunications Businesses
- Technology companies that maintain a website and/or provide software that manages or processes, whether deliberately or incidentally, personal data of natural persons
- Technology companies that provide storage and management services of large volumes of data
- Companies engaged in advertising, marketing and measuring or analyzing customer satisfaction and profiling
- Polling companies
- Social, physical and electronic businesses
- Companies active in the Health sector
- Banking Institutions and businesses that manage money transactions
- Insurance companies
- Print and Electronic Media (television, radio, newspapers) and all their electronic platforms (webtv, pay-TV, website, mobile-app).
Any data relating to a living person, whether produced in public, professional or private life, is personal data. It may reveal the person's identity, gender, age, place of residence, marital status or employment relationship, and also more intimate information such as habits and preferences.
The data may be in paper or electronic form and may include tax or banking information, medical history, social media posts and more. Within personal data there is also a special category of sensitive data, which is subject to stricter rules. It covers information on racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, medical records, human tissue and organ donor and recipient registries, medical research data and clinical trial protocols.
3. What rights do users have from 25/5/2018 and according to the GDPR?
With the GDPR, users gain a number of rights over their personal data. With more than 250 million European citizens using the internet every day, and more and more companies building their operations on the personal data they collect, the European Union wanted to put users themselves in a position of strength towards businesses.
Where processing is based on consent, that consent must be freely given, specific, informed and unambiguous; the purpose for keeping the data and the retention period must be stated clearly. The natural person retains in every case the right to withdraw consent at any time. For minors, consent must be given or authorised by the person who exercises parental responsibility (under the regulation this applies to online services offered to children below 16, a threshold each member state may lower to no less than 13).
4. What measures should businesses subject to GDPR take?
Every company subject to the new data protection regulation must consider changing or adapting its information systems to meet requirements such as:
- careful collection and secure storage of users' personal data
- no processing of personal data without a lawful basis, such as the user's consent
- pseudonymisation or encryption of personal data so that individuals cannot be identified from it unnecessarily
- the ability to delete, or to extract and hand over, a user's data at the user's request and at any time the user wishes
- application of the data minimisation principle, collecting only the data that is necessary
- ensuring that the partner companies which manage personal data on its behalf (processors) also comply with the new regulation.
5. How will control and fines be imposed on companies that do not comply with the new regulation?
The new regulation authorises the supervisory authorities for personal data protection in each European country to carry out checks and to impose fines of up to 20 million euros or 4% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher.
Depending on each company's field of activity, the extent to which it processes user data and how frequently it does so, a company may also have to designate a specific person or external company as Data Protection Officer (DPO), responsible for overseeing GDPR compliance.
Advisable, through the applications and systems it uses, helps its customers comply with the new Data Protection Regulation. Schedule an appointment with us and we will explain in detail how the GDPR works.