The evolution of technology and the way in which personal data is collected and processed affects everyone’s lives every day. Companies also process personal data. They collect the personal data of their own staff, maintain a customer database or are involved in direct marketing. It is very important that the processing of personal data complies with the obligations of the European legislation on the protection of personal data (“Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data”, or “GDPR”).
A company that is not in line with the GDPR risks a fine of up to 4% of its annual turnover and up to a maximum of EUR 20 million. In addition, a fine for a company also means a lot of media attention that undoubtedly leads to reputational and image damage. The message for any business is therefore to be GDPR compliant.
A quick refresher: what is the GDPR?
The General Data Protection Regulation or GDPR has been in force since 25 May 2018. It applies to all companies that process personal data of individuals in the European Union, regardless of whether the company is based in the European Union. The GDPR comprises obligations for companies regarding the collection, storage and protection of personal data.
Personal data refers to all information about a person by means of which their identity can be ascertained. This includes: a name, address, email address, IP address, preferences, CV, health data, etc.
The most important obligations in the GDPR
The GDPR sets out some important principles that a company must take into account when processing personal data. Adherence to the following basic principles is a fundamental building block for good data protection practice:
- Personal data must be processed in a lawful, fair and transparent manner. In short, this means that individuals must be informed about the processing of personal data and that the company must have a valid legal basis for the processing of personal data;
- The company may only collect personal data for specific, explicit and justified purposes;
- The company may only collect personal data that is necessary for the purposes for which it is processed. This concerns personal data that is the minimum necessary for a specific purpose.
- The personal data must be correct. All personal data that is incorrect must be deleted.
- Personal data may not be kept longer than necessary for the purposes;
- When processing personal data, appropriate technical and organisational measures must be taken to ensure adequate security of the personal data.
The company as the data controller is responsible for compliance with this. Failure to comply with the principles can result in significant fines.
Our Bofidi Legal experts will be happy to help you
BOFIDI Legal can now assist you with the GDPR compliance aspects:
- GDPR assessment of a company with concrete action points;
- Assistance with registers of processing activities and an overview of processors;
- Privacy and cookie statement;
- Processor agreements;
- Privacy Impact assessments;
- Advice on international transfer of personal data;
- Internal GDPR-compliance documents and training for employees/staff.
Do you have any questions about this or would you like GDPR compliance tailored to your company? Do not hesitate to contact us via info@bofidilegal.com.
The Bofidi Legal expert team will be happy to help you.