Q What is Personal Data?

A It is defined under the GDPR as any information relating to an identified or identifiable natural person (‘data subject’). The identifiable person can include someone identified by name, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (article 4(1)). It is therefore very wide ranging.

Q What is the processing of Personal Data?

A This is very widely drafted under the GDPR (article 4(2)). It is defined as any operation or set of operations which is performed on personal data or sets of personal data (automated or not) and can include the following: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieved, consultation, use, disclosure of personal data by transmission, dissemination or otherwise making available (so conceivably could include oral transmission), alignment, combination, restriction, erasure or destruction. This list is not exhaustive.

Q Can you simply explain the difference between a Data Controller and a Data Processor please?

A Quite simply the Data Controller is the person or organisation that either alone or jointly with others determines the purpose and means of the processing of Personal Data while the Data Processor merely processes the Personal Data on behalf of the Data Controller.

Q Who does the GDPR affect?

A It applies to any organisation/company/natural or legal person whether acting jointly or alone who processes and/or controls the Personal Data of subjects located within the EU irrespective of where the data controller/processor is located (therefore they could be outside the EU). The GDPR does not apply to the processing of personal data which concerns legal persons (e.g. companies) such as the name, the form and contact details of the legal person.

Q Does the GDPR apply to countries outside the EU?

A Yes. Pursuant to the Main Agreement on the EEA (article 7(a)), all EEA states are obliged to adopt the GDPR into their domestic national law. The EEA countries are Norway, Liechtenstein and Iceland. These countries are presently going through the domestic adoption process.

Q Do I need a Privacy Statement if I have a website?

A Yes. If your website has the ability to collect personal data on visitors to your site you will need one as required by the GDPR (articles 13 and 14).

Do I need to have a Cookies Policy/Notice if I have a website?

A Yes. If your website uses cookies it is a legal requirement under the ePrivacy Regulations (regulation 5) that you clearly state on your site what the cookies are used for and why and furthermore you must obtain consent from the users of the website.

Q Does our Company need to update all our privacy policies and procedures and where can I get the templates to do this?

A If still relying on pre May 2018 situation then yes you will need to do so. The relevant policies and procedures include: internal company data protection policy, subject access request policy, breach management policy, data retention policy, privacy policy/statement for website and cookies policy and IT policy. Other relevant areas include the employee management handbook and a company’s social media policy. It should be noted that your policies and procedures are specific to your own organisation and so must be customised and adapted so as to accurately represent how your organisation processes personal data. Taking a template approach may not allow you to be compliant with the GDPR.

Q I have been told that our Company needs to appoint a Data Protection Officer (DPO) – We are a small organisation not processing a large volume of data – do we still need to appoint a DPO?

A This depends on the nature of your organisation and what it does but in most cases it is unlikely you will need to appoint a DPO.  The GDPR (article 37(1)) requires a mandatory DPO for data processors and controllers only if the processing is carried out by a public authority or body; the core activities of the controller/processor require regular and systematic monitoring of data subjects on a large scale; or the core activities involve processing on a large scale of ‘special categories’ of data (e.g. health data).

Most private companies will not have as core activities regular and systematic monitoring and as regards processing on a large scale of special categories of data (health, ethnic origin, sexual orientation etc.) it would most likely be incidental/minor to their overall business. Such incidental processing of special categories of data could be medical health records about your employees). It is important however that the Company document the internal review process in coming to a decision to appoint or not to appoint a DPO as recommended by the former Article 29 Working Party (WP29) group.

Q Our Company is very small with only 20 employees. I read somewhere that the GDPR does not apply to companies with less than 250 employees; is this correct?

A Yes and No. Yes in the sense that there is a limited derogation from the requirements of the GDPR if you employ less than 250 employees but No because the derogation only applies to record keeping for the processing activities. However, if the processing would likely result in a risk to the rights and freedoms of your data subjects, is not occasional or includes special categories of data or personal data relating to criminal convictions then No derogation can be applied (article 30(5)).

Q Our company is a B to B seller; we don’t sell any product to or receive any information from the ultimate consumer therefore we don’t collect any personal data on the consumer – do we still need to comply with the GDPR?

A Most likely. If you have any employees in your Company it is likely you have personal data relating to them for example payroll details, CV, home address and personal telephone number etc. This is personal data and therefore the GDPR applies to you. It is most likely you will have on file personal data relating to your suppliers.

Q I am a sole trader with no employees; does the GDPR still apply to me?

A Yes, if you sell a product or service it is likely you have on record data relating to those persons or those companies where such data can identify a natural person. You probably have a website as well which collects personal data.

Q Our Company collects personal information on our customers and stores it on our marketing database (CRM) for emailing purposes. Can we still use this database to contact existing and future customers?

A You will need to first establish the lawful grounds for processing the customers’ data. Consent is one method. Under the GDPR fully informed consent by way of affirmative action from the customer must be given to your company in order for your customers (pre and post GDPR) to legally receive marketing emails. Therefore for customers to receive marketing material they must clearly ‘opt in’ to receive these emails. It is not sufficient to rely on the old system of the pre-ticked box where there was the presumption that the customer wanted to receive the material. You will need to review your marketing database to determine the nature of the consents given. In order to legitimately send out a marketing email (to old and new customers) you will need to ensure every person listed on the database has given explicit opt in consent to be contacted and that those who opted out have been deleted from the database. Deploying a re-permission campaign for old customers (pre-GDPR) is a good way of being compliant. Any non-response to such a campaign is deemed opting out of receiving any emails and your database should be updated to reflect this.

Q Our Company stores our customer’s data with a cloud provider (a third party data processor) – as a consequence do they have all the responsibility as regards data compliance?

A No.  You must have a contract in place between you the controller and the processor which accurately reflects both the controller and processors responsibilities as set out by the GDPR. It is important therefore for you to review your third party vendor agreements to ensure compliance with the specific requirements of the regulation. The GDPR is specific on what should be in the contract. Such matters include: subject matter and duration of the processing, the nature and purpose of the processing, type of personal data, categories of data subjects and the rights and obligations of the controller, processing by the processor can only be done on the documented instructions of the controller, the controller must satisfy itself that the processor shall be able to provide sufficient guarantees to implement technical and organisational measures to ensure compliance with the GDPR. These are significant issues and will have to be carefully stitched into any new agreements going forward as well as amending existing service agreements.

Q I have an old website which I have not updated for ages, it has an old privacy statement (pre May 2018). Do I need to do anything?

A Yes, you will need to review it against the new requirements of the GDPR (articles 13 and 14) to ensure it is compliant.

Q I am a US resident but pass through Europe on many occasions for business and pleasure. My mobile service provider is a US based company; do I get the privacy protections for my personal data under the GDPR when I am in the EU?

A Yes, it is where the Data Subject is located when using the service that matters.

Q I have a number of business cards I collected at a recent networking event, can I contact the individuals involved about our latest promotions?

A In order to contact the individuals you need to demonstrate specific and unambiguous consent. It would appear that you have consent but for a very limited purpose as it would seem unlikely that when you received those business cards the person did so in expectation of receiving marketing material. If however at the time of receiving the business card you asked if it was okay for them to be added to your database and they agreed to this, it would seem that this would pass the test of specific and unambiguous/clear consent under the GDPR. To determine the nature of consent this must be done on a case by case basis

Q Our Company has received a Subject Access Request (SAR) and have asked for confirmation of the identity of the requestor. When does the one month time limit run from for us to comply with the request?

A The one month time limit runs from when you have confirmation of the identity of the requestor. Note: under the GDPR you cannot now charge a fee for the request in most circumstances (this is different to the previous regime).

Q We use CCTV cameras that point out onto the public footpath to protect our commercial premises. We capture this data on a 24 hour cycle. Is this footage deemed personal data and therefore caught by the GDPR obligations and if requested do we have to give a copy of the requested images?

A Yes to both. If the CCTV captures identifiable data subjects this is personal data (if pixelated so that it is impossible to identify the subjects this would not be subject to the GDPR or subject request). You must provide the relevant CCTV images but only that relating to the data subject; other images must be redacted. Most CCTV images are deleted after 30 days (best practice) so you are not required to hold it for any longer than that period. Again CCTV images should only be held for a specific purpose and for a period reflecting that specific purpose. The sooner you delete your CCTV images the better as it is very expensive to provide images and to redact non relevant subject matter.

This website does not purport, suggest or give any legal advice on data privacy, and therefore should not be construed as such. Any information provided on this website is of a general nature only and does not relate to any specific individual case. We have endeavoured as reasonably practicable to ensure and verify the accuracy of the information provided by this website and its contents, we therefore cannot and do not accept any legal responsibility for the contents therein.