GDPR FAQ

Frequently Asked Questions (FAQ)

  • The main objectives of the European General Data Protection Regulation (GDPR) are "the protection of natural persons with regard to the processing of personal data", "the free movement of personal data" and the protection of "fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data" (Article 1 GDPR).

    The protection of personal data is therefore not an end in itself; the actual goal behind it is the protection of the fundamental rights of the persons affected by the processing. The aim is to prevent people from being discriminated against or disadvantaged, often without their knowledge, through the incorrect use or even misuse of their personal data.

  • The GDPR sets out seven principles in Article 5, which build on the eight principles of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

    These seven principles are:

    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Integrity and confidentiality
    • Accountability (also seen as a reversal of the burden of proof)
  • The GDPR applies automatically to all companies with an establishment within the EU or the EEA.

    Companies without an establishment in the EU or the European Economic Area (EEA) are covered by the GDPR if

    • they offer products or services to people in the EU
    • they monitor the behaviour of individuals in the EU

    Common examples of this are the operation of games, apps and IT services in the EU, the handling of employee or customer data of EU subsidiaries or the behavioural analysis of website visitors and customers.

  • The European General Data Protection Regulation (GDPR) is the EU law on the protection of personal data that applies to companies which process the data of individuals in the EU.

    The extent of the measures required under the GDPR depends on the business activity and size of the organisation, the amount of data processed, the number of employees and the risk to data subjects. For example, a large global company that monitors and analyses the behaviour of several million people and creates profiles of individuals will have to comply with stricter measures than a medium-sized company that processes no personal data in the EU apart from the names and contact details of its business partners. The latter therefore faces considerably less implementation effort.

    Enobyte offers customised approaches that enable companies to take appropriate measures to comply with the GDPR.

    We proceed as follows:

    • Questionnaire to assess the size of your company
    • GDPR assessment as a gap analysis between the requirements of the GDPR and the current practices in your company
    • Concrete recommendations for action
    • Implementation support in regular meetings to effectively drive GDPR compliance forward

    We rely on a wealth of experience to help you put together a plan that meets your organisation's requirements.

  • The European General Data Protection Regulation (GDPR) sets out obligations for controllers (companies that determine the purposes and means of processing, i.e. the principal) and processors (companies that process personal data as contractors only on behalf of, and on the instructions of, the controller).

    The obligations imposed on the controller are generally as follows:

    • Precise definition of the purpose (abstract purposes such as "for marketing purposes" are not permitted)
    • Only processing data that is compatible with and necessary to achieve those purposes
    • Data subjects must be informed of the processing in advance
    • In principle, the data must be deleted as soon as the purpose has been achieved
    • Enabling data subjects to exercise their rights in relation to the processing
    • Ensure that personal data is accurate and up-to-date
    • Implement appropriate technical and organisational measures (TOM)
    • Maintaining a Record of Processing Activities (RPA, Article 30 GDPR)
    • Assigning only processors which are GDPR-compliant for the processing of personal data, and signing a data processing agreement (Article 28 GDPR)
    • Carrying out a data protection impact assessment (DPIA, Article 35 GDPR) and taking appropriate measures before starting any processing that is likely to result in a high risk to individuals in the EU
    • Notifying personal data breaches to the competent data protection supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals (Article 33 GDPR)
    • Communicating a data breach to the affected individuals without undue delay if it is likely to result in a high risk to them (Article 34 GDPR).

    The obligations imposed on the processor are generally as follows:

    • Processing personal data only in accordance with the instructions of the controller (client)
    • Obtaining prior authorisation from the controller before outsourcing to another processor (subcontractor)
    • Assuming full responsibility to the controller for any such subcontractor
    • Maintaining a Record of Processing Activities (RPA, Article 30 GDPR) for the processing carried out on behalf of each controller
    • Implementation of suitable technical and organisational measures (TOM)
    • Notifying the controller of personal data breaches without undue delay (Article 33(2) GDPR)
    • Return or deletion of personal data at the end of the provision of services, at the choice of the controller

    The extent of the obligations and requirements imposed on companies in connection with compliance with the GDPR depends on the nature of their business, the size of the company, the amount of data processed, the number of employees, the level of risk to data subjects, etc.

    Enobyte assesses what specific measures are required for each organisation and offers comprehensive support in implementing these measures. We help you ensure that your company is prepared for the specific requirements.

  • The rules on the designation of a data protection officer (DPO) are set out in Article 37 GDPR, and member states may impose additional requirements. In any case, public authorities, organisations whose core activities require regular and systematic monitoring of data subjects on a large scale, and organisations whose core activities consist of processing special categories of data (or data on criminal convictions) on a large scale are obliged to designate a DPO. As a rule of thumb, a DPO should be appointed whenever a Data Protection Impact Assessment is required.

    In Germany, a DPO must also be designated if, as a rule, at least 20 persons are regularly engaged in the automated processing of personal data (Section 38 BDSG). As data protection officers offer valuable insights to organisations and have extensive experience with different projects, many organisations also opt to designate a DPO voluntarily.
    We have further information on our designated data protection officer page.

  • The European General Data Protection Regulation applies in all member states of the EU and the European Economic Area (EEA). However, it also has extraterritorial effect on companies outside the EU and the EEA if they offer goods or services to individuals in the EU or EEA, or monitor the behaviour of such individuals (Article 3(2) GDPR). Whether the data was originally collected in the EU is not the decisive factor; the location of the individuals concerned is.

  • The EU Commission can assess and decide that countries outside the EU (third countries) provide an equivalent level of data protection if they have established appropriate laws and supervisory structures (Article 45 GDPR). This is called an adequacy decision. When transferring data from the EU to a country with an adequacy decision, no further transfer safeguards (such as standard contractual clauses) are required. The transfer is treated in the same way as a transfer within the EU.

    Currently, the following 14 non-EU countries and territories have received an adequacy decision from the EU Commission:
    Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, and the United Kingdom.

    Some of these decisions are limited in scope. The decision for Canada covers only commercial organisations subject to PIPEDA, and for Japan the Supplementary Rules adopted by Japan's Personal Information Protection Commission must be observed for data received from the EU. In addition, the United States is covered only for organisations that have certified under the EU-US Data Privacy Framework (adequacy decision of July 2023); transfers to other US recipients still require a separate transfer mechanism.

  • The representative in the Union is a company or person in the EU who represents organisations without an establishment in the EU as a local point of contact for data subjects or data protection supervisory authorities.

    This representative is also referred to as an "EU representative" or "EU rep".

    Article 27 of the General Data Protection Regulation (GDPR) stipulates that organisations which are not established in the EU must appoint an EU representative in one of the EU Member States in which the individuals whose data they process are located. This applies if they offer products or services to individuals in the EU, or monitor the behaviour of individuals in the EU. The obligation does not apply to public authorities or where the processing is only occasional, does not include large-scale processing of special categories of data and is unlikely to result in a risk to individuals (Article 27(2) GDPR).

    For example, if a website is available in European languages (e.g. German, French, Italian, Spanish) and prices are displayed in euros, it will generally be assumed that it is targeted at people in the EU; mere accessibility of a website from the EU is not sufficient on its own. The operator of such a website is therefore obliged to appoint an EU representative.

    Furthermore, there is also the so-called "representative in the UK", which companies must appoint under Article 27 of the UK GDPR if they fall within the scope of UK data protection law according to the same criteria as above.