GDPR Summary with information for companies about the EU regulation
Below is a GDPR summary with information about the EU regulation for companies and entrepreneurs. The GDPR is an area every company that handles personal data has to follow, and there are many points to keep in mind, which is why we publish this summary. In addition, you can take the GDPR quizzes for free to test your knowledge of the subject, and download GDPR guides for free.
The GDPR, the General Data Protection Regulation (Regulation (EU) 2016/679), applies within the EU/EEA countries and has applied since 25 May 2018. Many people wonder who must comply with the GDPR. Companies, authorities and organisations must comply with it in all processing of personal data. Under Article 3 it also reaches companies outside the EU/EEA that offer goods or services to, or monitor the behaviour of, people in the EU.
Examples of personal data are names, telephone numbers, pictures and anything else that can be linked to an individual. There are several things to think about and do in order to comply with the GDPR: having the right agreements and documents in place, following the data protection principles, having a legal basis for each processing of personal data, and protecting the personal data.
99 Articles and 173 Recitals
The GDPR consists of a total of 99 articles and 173 recitals (the numbered reasons that precede the articles and explain how they are meant to be read). What follows is only a brief summary of what the GDPR means for companies and entrepreneurs.
There are provisions on what rights the data subject has, as well as rules that govern the processing of personal data. Anyone who wants to go deeper should therefore read the entire EU General Data Protection Regulation.
What is Personal Data
The definition of personal data is stated in Article 4(1) of the GDPR. In short, personal data is any data that can be linked to a living natural person. The link can be made directly or indirectly, so it is a broad concept that covers many different types of data. In practice a distinction is also made between ordinary personal data, sensitive personal data (the "special categories" of Article 9) and privacy-sensitive personal data. In this GDPR summary with information for companies, we have summarised the key elements of the GDPR and describe the definition of personal data below.
In some cases it is possible to identify a person through indirect identification. The data is then still personal data, even though the link is not obvious. An example of indirect identification is a number printed on a card, where it is stated elsewhere who the person behind that number is. By combining information from different places, you can identify the person behind the number. Whether a link is "reasonably likely" to be made is judged from the means available to the controller or to anyone else, so a number that only the issuer can resolve is still personal data in the issuer's hands.
In addition, an audio recording or an image is personal data if a living natural person can be identified through it, and in some cases it can also be sensitive personal data. The definition of personal data is, in short, data that directly or indirectly, alone or in combination with other data, can identify a living person.
Sensitive and Privacy-sensitive Personal Data
A distinction is made between personal data that is sensitive and personal data that is privacy-sensitive. Personal data about an individual's finances, for instance, is not sensitive personal data in the GDPR sense, but it may well be privacy-sensitive. Credit card information is one example.
Social security numbers (national identity numbers) are privacy-sensitive personal data, but they are not among the sensitive categories. Sensitive personal data, the special categories listed in Article 9, is instead data about health, such as sick leave from the workplace, and data such as political opinions and religious beliefs. Processing such data is prohibited under the main rule of the GDPR, but in some cases companies still need to process it; such processing must then fall under one of the specific exceptions in Article 9(2).
Privacy-sensitive personal data can be divided into four categories, the first of which is sensitive personal data, for example data that can reveal a natural person's religious beliefs, ethnic origin or health. Social security numbers, as noted, are privacy-sensitive but not sensitive personal data. A company should keep in mind that salary specifications often contain sensitive personal data, such as sick leave (health information). Therefore the company should not send salary specifications through unencrypted e-mail; if they must be e-mailed, the document itself should be encrypted, since transport encryption between mail servers is not guaranteed end to end.
Anonymised Personal Data according to GDPR
Anonymised personal data is data that can no longer be used to identify a person, by anyone, with means reasonably likely to be used. Since anonymised data cannot be linked to any natural person, it is not covered by the GDPR (Recital 26); it is no longer personal data, only data. This should not be confused with pseudonymisation (Article 4(5)), where the identifier is replaced by a key, a code or a hash while the link can still be re-established, for example with a lookup table or by trying all plausible identifiers. Pseudonymised data is still personal data and remains fully covered by the GDPR, although pseudonymisation counts as a protective measure.
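The difference between pseudonymised and anonymised data is easiest to see with a small export. The following is an added example written for this summary, not code from the original page: it assumes a constructed payroll export keyed on 12-digit Swedish-style identity numbers (the numbers, departments and sick-day counts are made up) and shows that an unkeyed hash is trivially reversed by anyone who can enumerate the identifiers, that a keyed hash (HMAC) only moves the link to whoever holds the key, and that only dropping the identifier and releasing aggregates for sufficiently large groups removes the link.

```python
"""Pseudonymisation vs anonymisation of a personal-data export.

Added example, not part of the original page. The identity numbers,
departments and sick-day figures are constructed for the demonstration.
Only the Python standard library is used.
"""
import hashlib
import hmac
from collections import Counter

# Constructed payroll-style export. Whoever produced it replaced the identity
# number ("pin") with its plain SHA-256 digest and believed it was anonymous.
RAW_ROWS = [
    {"pin": "199001011234", "dept": "finance", "sick_days": 3},
    {"pin": "198507075678", "dept": "finance", "sick_days": 0},
    {"pin": "199203034321", "dept": "finance", "sick_days": 2},
    {"pin": "198811118765", "dept": "finance", "sick_days": 1},
    {"pin": "197505052468", "dept": "finance", "sick_days": 6},
    {"pin": "197712129012", "dept": "it", "sick_days": 7},
    {"pin": "199909091357", "dept": "it", "sick_days": 4},
]


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def naive_pseudonymise(rows):
    """What the export did: swap the identifier for an unkeyed hash."""
    return [{"id": sha256_hex(r["pin"]), "dept": r["dept"], "sick_days": r["sick_days"]}
            for r in rows]


def reidentify(export, candidate_pins):
    """Reverse unkeyed hashes from any list of candidate identifiers.

    Attacker model: someone who can enumerate the identifier space, e.g. an
    employee roster, a public register, or every 12-digit number with a
    plausible birth date. Returns {hash: pin} for every row that matched.
    """
    table = {sha256_hex(p): p for p in candidate_pins}
    return {row["id"]: table[row["id"]] for row in export if row["id"] in table}


def brute_force_space(years: int = 100) -> int:
    """Upper bound on hashes an outsider must compute to build the lookup
    table for all identity numbers: one date prefix per day times 10**4
    four-digit suffixes (the check digit is ignored, so this overestimates).
    At tens of millions of SHA-256 per second this is seconds of work."""
    return years * 365 * 10**4


def keyed_pseudonymise(rows, key: bytes):
    """HMAC-SHA256 under a secret key held by the controller.

    Still personal data under the GDPR, because the key holder can re-link
    every row, but an outsider without the key cannot build the table above.
    """
    return [{"id": hmac.new(key, r["pin"].encode(), "sha256").hexdigest(),
             "dept": r["dept"], "sick_days": r["sick_days"]} for r in rows]


def anonymise_by_aggregation(rows, min_group: int = 5):
    """Drop the identifier entirely and release per-department totals only
    for groups of at least `min_group` people. Smaller groups are suppressed:
    a two-person department with one value each would still single people out."""
    headcount = Counter(r["dept"] for r in rows)
    sick_total = Counter()
    for r in rows:
        sick_total[r["dept"]] += r["sick_days"]
    return {dept: {"headcount": n, "sick_days": sick_total[dept]}
            for dept, n in headcount.items() if n >= min_group}


if __name__ == "__main__":
    roster = [r["pin"] for r in RAW_ROWS]          # e.g. a leaked employee list
    export = naive_pseudonymise(RAW_ROWS)
    print("re-identified from unkeyed hashes:", len(reidentify(export, roster)))
    print("candidates for an outsider:", brute_force_space())
    keyed = keyed_pseudonymise(RAW_ROWS, b"controller-secret-key")
    print("re-identified from keyed hashes without key:", len(reidentify(keyed, roster)))
    print("aggregate release:", anonymise_by_aggregation(RAW_ROWS))
```

The point for a controller: an export whose identifiers are replaced by plain hashes has to be treated as personal data, with a legal basis, a data processing agreement if it is sent to a consultant, and the rest of the GDPR applying; only the aggregated release at the end falls outside the regulation, and even then only if the groups are large enough that no single person can be singled out.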
There is more information on this website about this topic, beyond what is stated in this GDPR summary.
Summary of the seven Data Protection Principles
The GDPR (Article 5) contains seven basic data protection principles that companies must follow. They are briefly described below:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
The first thing a company should do is determine the purpose of the processing, as the GDPR requires the purpose to be specified, explicit and legitimate. This must be done before the personal data is collected, since the purpose decides which data is needed (data minimisation) and how long it may be kept (storage limitation). A more detailed description of the seven principles can be read under the tab "Principles" on this website.
The six legal bases under the GDPR
There are six legal bases under the GDPR, listed in Article 6(1), and each is briefly described below. Every processing of personal data must rest on at least one of them.
A company may process personal data on the legal basis of a contract, for example when the company has entered into an agreement with the data subject to whom the personal data relates. The company may then process the personal data that is necessary to provide its services, in other words to fulfil its obligations under the contract. This is often the most straightforward legal basis for processing customer data.
A company can process personal data when there is a legal obligation to do so. For example, a company must process personal data in accordance with the accounting act, to meet the conditions in that law and not contravene it. In such cases the legal basis is legal obligation.
If the data subject has given the company active consent to a specific processing of personal data, the company may process the data on that basis. An example is a person signing up for a newsletter and actively agreeing to the processing; a pre-ticked box or silence does not count. The company must be able to prove that consent was obtained, so the time, wording and method of consent should be recorded. It is important to know that consent can be withdrawn at any time, and withdrawing must be as easy as giving it. If that happens, the processing based on the consent must cease, although processing that rests on another legal basis may continue.
Legitimate interests (often called balancing of interests) means that the company may process personal data without prior consent if the company's interests outweigh the interests and rights of the data subject, and the processing is necessary for the specific purpose in question. The balancing should be documented. For example, the company may use an existing customer's e-mail address to send direct marketing on this legal basis. However, the data subject always has the right to object to direct marketing, and if they do, the company must stop that processing.
Public task and exercise of official authority is a legal basis. It means that the processing of personal data is necessary in order to perform a task in the public interest or to exercise official authority. This basis is used mainly by authorities and thus not normally by companies.
If a company has to process personal data in order to protect someone's life, this can be done on the legal basis of vital interests. It also applies when a company has to protect a person who is unable to give consent to the processing. It is mainly in healthcare that this basis will be used, along with a few other activities.
Those who are responsible under the GDPR
Under the GDPR, a company can act as a controller, a processor or a joint controller.
Personal Data Controller according to GDPR
An entity that processes personal data acts either as a controller or as a processor. The controller is the entity that decides the purposes of the processing and how it is to be carried out. The controller is typically a company, an organisation or an authority, not normally a natural person such as a manager or an employee of the company. The exception is a sole proprietorship, where the owner, who is a natural person, is the controller.
The controller also remains responsible for the processing of personal data that is carried out on its behalf by a processor.
Personal Data Processor according to GDPR
The controller may engage a processor to process personal data on its behalf.
In such cases the processor may only process the personal data in accordance with the controller's documented instructions. The purposes of the processing are determined by the controller, and the processing may only take place in the manner the controller permits.
For example, it is common for companies to hire an accounting consultant to handle the company's bookkeeping. Certain invoices may contain personal data, and the company is responsible for it as controller. If the accounting consultant has access to such personal data, the parties must enter into a data processing agreement that meets Article 28, covering among other things confidentiality, security measures, the use of sub-processors and what happens to the data when the assignment ends. This must be done before the personal data is shared with the consultant.
Storage of Personal Data outside of EU/EEA
In some cases it is necessary to enter into Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries under the GDPR. In this section you can read more about storage and transfer of personal data outside the EU/EEA.
Transfer of Personal Data outside of EU/EEA
For companies that store personal data outside the EU/EEA countries, there are several things to keep in mind, and the rules are strict. Storing personal data outside the EU/EEA is allowed, but only under the conditions in Chapter V of the GDPR.
When personal data is transferred to a country outside the EU/EEA, that country is called a third country. A common situation where personal data is transferred to a third country is e-mail communication. For example, a company located in the EU may send an e-mail to a company located in the USA. If the e-mail contains personal data, the GDPR transfer rules apply. Transfers to the United States on the basis of the Privacy Shield are no longer permitted; instead, SCCs may be used, combined with an assessment of whether the law of the receiving country undermines the protection the clauses provide and, where needed, supplementary measures such as encryption with keys kept in the EU/EEA.
New SCCs since June 2021
The European Commission has published new, modernised Standard Contractual Clauses (SCCs), adopted on 4 June 2021. These SCCs are in line with the GDPR and can be used as a basis for the transfer of personal data to third countries (countries outside the EU/EEA).
Privacy Shield is not valid for the transfer of personal data outside of EU/EEA
On 16 July 2020 the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in the Schrems II judgment (case C-311/18). SCCs remain a tool that can be used for transfers to the US, but the same judgment requires the exporter to verify that the clauses can actually be complied with in the receiving country. More information can be read in the Schrems II judgment.
New modernized SCCs
Since there are now new, modernised SCCs, companies need to update any references to previous versions of the SCCs that appear in agreements, for example in the company's privacy policy (data protection policy), internal GDPR routines and other contracts. Companies that had entered into the old SCCs were required to replace them: the old clauses could not be used for new contracts after 27 September 2021, and existing contracts had to be moved to the new SCCs by 27 December 2022.
The SCCs are available for free download in many language versions on the European Commission's website.
The correct reference to the new SCCs is: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
Data Protection Impact Assessment (DPIA) when Processing Personal Data
Companies must carry out a data protection impact assessment (often called a privacy impact assessment) under Article 35 when a processing is likely to result in a high risk to the rights and freedoms of individuals, for example large-scale processing of sensitive personal data or systematic monitoring. If the assessment shows that a high risk remains after the planned measures, the company must consult the supervisory authority before starting the processing (Article 36). In short, an impact assessment involves describing the processing, analysing the risks to the individuals concerned, deciding which protective measures the company should take and how it will handle incidents, and documenting the result.
Important to keep in mind for those who run digital platforms with young users
There are several things to keep in mind for companies that provide digital platforms with young or underage users. It is important to keep the child's best interests in focus, and children have special protection under the GDPR (Recital 38). Direct marketing aimed at people under 16 is also not permitted, which is worth knowing since it is a common way to market a business. Where an online service relies on consent from a child, Article 8 sets the age at which the child can consent on their own to 16; member states may lower it to 13, and some EU countries have done so. Below that age, consent must be given or authorised by the holder of parental responsibility, and the company must make reasonable efforts to verify this. The company must also follow the other rules that apply to the processing of personal data belonging to young people, such as plain-language information.
Personal Data Breach and Consequences of violating the GDPR
In this section you can read about some common personal data breaches and about the consequences of violating the GDPR.
Personal Data Breach
Examples of what constitutes Personal Data Breaches
A personal data breach under the GDPR is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The most common breach reported in the first two years after the GDPR took effect was misdirected e-mail, a message sent to the wrong recipient. A good starting point for avoiding such incidents is to always check that the recipient of the message is correct, and to avoid sending personal data as plain attachments when a link to an access-controlled location will do. When a company becomes aware of a personal data breach, it must report it to the supervisory authority within 72 hours (Article 33), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; the clock starts when the company becomes aware, not when the incident happened, so detection matters. Every breach, reported or not, must be documented internally. In addition, when the breach is likely to result in a high risk to the people concerned, the company must inform them without undue delay (Article 34).
Consequence of violating the GDPR
If companies, authorities or organisations violate the GDPR, the consequence can be administrative fines. For serious violations, such as breaching the basic principles or the data subjects' rights, the fine can amount to EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher. The fine for less serious violations, such as failing to keep records or to report a breach, can also be high: up to EUR 10 million or 2% of annual turnover, whichever is higher. The amount depends, among other things, on the size of the company and on how the company violated the GDPR. In Sweden, the maximum fine for public authorities is significantly lower, SEK 10 million. In some cases the Swedish supervisory authority, IMY, may instead issue a reprimand.
Documents and Agreements that companies need to have according to the GDPR
Agreements for GDPR
In addition to what is stated above, companies that process personal data need to have certain agreements and documents in place. These are necessary to comply with the provisions of the GDPR and to be able to demonstrate compliance in practice, which is what the accountability principle requires.
Companies need, among other things, the following agreements and documents:
- Data protection policy (also called privacy policy)
- Internal routines
- Records of processing activities (Article 30)
- Logbooks, for example the internal record of personal data breaches
- Data processing agreements with each processor
In addition, the company must comply with the other parts of the GDPR, for example reporting a personal data breach within 72 hours of becoming aware of it when the GDPR requires this.
News about GDPR and reviews from supervisory authorities
In addition to this GDPR summary, you can read news about the GDPR on this website, for example audits carried out by supervisory authorities and the fines they issue. By learning from others' mistakes, it is possible to avoid making similar ones yourself. You can also find information that is good to know as an entrepreneur, as well as guides.
Summary of the GDPR for Companies, Entrepreneurs and Businesses
There is a lot of information about the GDPR that companies, entrepreneurs and businesses need to know. We have therefore written this GDPR summary covering the key elements, to give an overview of what the GDPR is, what it means and what companies must do to comply with the EU regulation.