Last checked 30/05/2018

Data protection and online privacy

As of 30 March 2019, all EU law will cease to apply to the UK, unless a ratified withdrawal agreement establishes another date, or the European Council and the UK decide unanimously to extend the two-year negotiation period. For more information about the legal repercussions for businesses:

The GDPR sets out detailed requirements for companies and organisations on collecting, storing and managing personal data. It applies both to European organisations that process personal data of individuals in the EU, and to organisations outside the EU that target people living in the EU.

When does the General Data Protection Regulation (GDPR) apply?

The GDPR applies if:

  • your company processes personal data and is based in the EU, regardless of where the actual data processing takes place
  • your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU

Non-EU based businesses processing EU citizens' data have to appoint a representative in the EU.

When does the General Data Protection Regulation (GDPR) not apply?

The GDPR does not apply if:

  • the data subject is dead
  • the data subject is a legal person
  • the processing is done by a person acting for purposes which are outside his trade, business, or profession

What is personal data?

Personal data is any information about an identified or identifiable person, also known as the data subject. Personal data includes information such as their:

  • name
  • address
  • ID card/passport number
  • income
  • cultural profile
  • Internet Protocol (IP) address
  • data held by a hospital or doctor (which uniquely identifies a person for health purposes).

Special categories of data

You may not process personal data about someone's:

  • racial or ethnic origin
  • sexual orientation
  • political opinions
  • religious or philosophical beliefs
  • trade-union membership
  • genetic, biometric or health data except in specific cases (e.g. when you've been given explicit consent or when processing is needed for reasons of substantial public interest, on the basis of EU or national law)
  • personal data related to criminal convictions and offences unless this is authorised by EU or national law

Who processes the personal data?

During processing, personal data can pass through various different companies or organisations. Within this cycle there are two main profiles that deal with processing personal data:

  • The data controller - decides the purpose and way in which personal data is processed.
  • The data processor - holds and processes data on behalf of a data controller.

Who monitors how personal data is processed within a company?

The Data Protection Officer (DPO), who may have been designated by the company, is responsible for monitoring how personal data is processed and for informing and advising employees who process personal data about their obligations. The DPO also cooperates with the Data Protection Authority (DPA), serving as a contact point towards the DPA and individuals.

When should you appoint a Data Protection Officer?

Your company is required to appoint a DPO when:

  • you regularly or systematically monitor individuals or process special categories of data
  • this processing is a core business activity
  • you process data on a large scale.

For example, if you process personal data to target advertising through search engines based on people's online behaviour, you are required to have a DPO. If, however, you only send your clients promotional material once a year, then you will not need a DPO. Likewise, if you are a doctor who collects data on patients' health, a DPO is probably not needed. But if you process personal data on genetics and health for a hospital, then a DPO will be required.

The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contract. A DPO can be an individual or part of an organisation.

Processing data for another company

A data controller can only use a data processor who offers sufficient guarantees; these guarantees should be included in a written contract between the parties involved. The contract must also contain a number of mandatory clauses, e.g. that the data processor will only process personal data when instructed to do so by the data controller.

Data transfer outside the EU

Once the integration of the GDPR into the EEA agreement is in force, the GDPR will apply to the European Economic Area (EEA), which includes all EU countries plus Iceland, Liechtenstein and Norway. When personal data is transferred outside the EEA, the protection offered by the GDPR should travel with the data. This means that if you export data abroad, your company must ensure one of the following measures are adhered to:

  • The non-EU country's protections are deemed adequate by the EU.
  • Your company takes the necessary measures to provide appropriate safeguards, such as including specific clauses in the agreed contract with the non-European importer of the personal data.
  • Your company relies on specific grounds for the transfer (derogations) such as the consent of the individual.

When is data processing allowed?

EU data protection rules mean you should process data in a fair and lawful manner, for a specified and legitimate purpose and only process the data necessary to fulfil this purpose. You must ensure that you fulfil one of the following conditions to process the personal data; you:

  • have been given the consent of the individual concerned
  • need the personal data to fulfil a contractual obligation with the individual
  • need the personal data to satisfy a legal obligation
  • need the personal data to protect the vital interests of the individual
  • process personal data to carry out the task in the interest of the public
  • are acting in your company's legitimate interests, as long as the fundamental rights and freedoms of the individual whose data are processed are not seriously impacted. If the person's rights override your company's interests, then you cannot process the personal data.

Agreeing to data processing - consent

The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to. This means that consent should be freely given, specific, informed and unambiguous by way of a request presented in clear and plain language. Consent should be given by an affirmative act, such as checking a box online or signing a form.

When someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given. You must also give them the opportunity to withdraw their consent.

Providing transparent information

You must clearly provide individuals with information on who is processing the personal data about them and why. The following should be included as a minimum:

  • who you are
  • why you are processing the personal data
  • what the legal basis is
  • who will receive the data (if applicable)

In some cases, the information you provide must also state:

  • the contact information of the Data protection officer (DPO) when applicable
  • what is the legitimate interest pursued by the company when you rely on this legal ground for processing
  • the measures applied for transferring the data to a country outside the EU
  • how long the data will be stored for
  • the individual's data protection rights (i.e. right to access, correction, erasure, restriction, objection, portability, etc.)
  • how consent can be withdrawn (when consent is the legal ground for processing)
  • whether there is a statutory or contractual obligation to provide the data
  • in the case of automated decision-making, information about the logic, significance and consequences of the decision

You should present this information in clear and plain language.

Specific rules for children

If you're collecting personal data from a child based on consent, for example using a social media account or a download account, you must get parental consent first, e.g. by sending a notification to a parent or guardian. The age until which someone is considered to be a child differs depending on where they live, but is between 13 and 16 years old.

Right to access and right to data portability

You must ensure that individuals have the right to access their personal data, free of charge. If you receive such a request you have to:

  • tell them if you're processing their personal data
  • tell them about the processing (the purpose of the processing, categories of personal data concerned, recipients of their data, etc.)
  • give them a copy of the personal data being processed (in an accessible format)

When the processing is based on consent or a contract, the individual can also ask for you to return their personal data to them or transmit it to another company. This is known as the right to data portability. You should provide the data in a commonly used and machine-readable format.

Right to correct and right to object

If an individual believes that their personal data is incorrect, incomplete or inaccurate, they have the right to have it rectified or completed without undue delay.

If this is the case, you should notify all data recipients if any of the personal data you shared with them has been changed or deleted. If any personal data you shared was incorrect, you may also have to inform anyone who has seen it that this was the case (unless this is deemed to require a disproportionate effort).

An individual may also object - at any time - to the processing of their personal data for a particular use when your company processes it on the basis of your legitimate interest, or for a task in the public interest. Unless you have a legitimate interest that overrides the interest of the individual, you must stop processing the personal data.

Likewise, an individual can ask to have the processing of their personal data restricted while it is determined whether or not your legitimate interest overrides their interest. However, in the case of direct marketing, you are always obliged to stop processing the personal data if requested by the individual.

Right to erasure (right to be forgotten)

In some circumstances, an individual can ask the data controller to erase their personal data, for example if the data is no longer needed to fulfil the processing purpose. However, your company is not obliged to do so if:

  • the processing is necessary to respect the freedom of expression and information
  • you have to keep the personal data to comply with a legal obligation
  • there are other reasons of public interest to store the personal data, such as public health or scientific and historical research purposes
  • you need to store the personal data to establish a legal claim

Automated decision-making and profiling

Individuals have the right not to be subject to a decision that is based solely on automated processing. However, there are some exceptions to this rule, such as when they have given their explicit consent to the automated decision. Except where the automated decision is based on a law, your company must:

  • inform the individual about the automated decision-making
  • give the individual the right to have the automated decision reviewed by a person
  • give the individual the opportunity to contest the automated decision

For example, if a bank automates its decision of whether or not to grant a loan to a certain individual, that individual should be informed of the automated decision and given the opportunity to contest the decision and request human intervention.

Data breaches – providing proper notification

A data breach is when the personal data you are responsible for is disclosed, either accidentally or unlawfully, to unauthorised recipients or is made temporarily unavailable or is altered.

If a data breach does occur and the breach poses a risk to individual rights and freedoms, you should notify your Data Protection Authority within 72 hours after becoming aware of the breach.

Depending on whether or not the data breach poses a high risk to those affected, your company may also be required to inform all individuals affected.

Responding to requests

If your company receives a request from an individual who wants to exercise their rights, you should respond to this request without undue delay and in any case within 1 month of receiving the request. This response time may be extended by 2 months for complex or multiple requests, as long as the individual is informed about the extension. Requests should be dealt with free of charge.

If a request is rejected, then you must inform the individual of the reasons for doing so and of their right to file a complaint with the Data Protection Authority.

Impact assessments

Conducting a Data Protection Impact Assessment (DPIA) is mandatory whenever the intended processing would pose a high risk to the rights and freedoms of individuals, e.g. when new technologies are used.

There is such a high risk when:

  • automated processing and profiling mechanisms are used to evaluate individuals
  • a publicly accessible area is monitored on a large scale (e.g. CCTV)
  • special categories of data or personal data relating to criminal convictions and offences is processed on a large scale (e.g. health data)

Note: Data Protection Authorities may also consider other categories of data processing as high risk.

If the measures indicated in the DPIA fail to remove all the identified high risks, the Data Protection Authority must be consulted before the intended data processing takes place.

Keeping a record

You must be able to prove that your company acts in accordance with the GDPR and fulfils all applicable obligations — particularly upon request or inspection from the Data Protection Authority.

One way to do this is to keep detailed records on such things as the:

  • name and contact details of your business involved in data processing
  • reason(s) for processing personal data
  • description of the categories of individuals providing personal data
  • categories of organisations receiving the personal data
  • transfer of personal data to another country or organisation
  • storage period of the personal data
  • description of security measures used when processing personal data

Your company should also keep — and regularly update — written procedures and guidelines and make them known to your employees.

If your company is an SME or smaller, you do not need to keep records of your processing activities as long as the processing:

  • is not done regularly
  • does not affect the rights or freedoms of the individuals involved
  • does not involve sensitive data or criminal records

Data protection by design and default

Data protection by design means that your company should take data protection into account at the early stages of planning a new way of processing personal data. In accordance with this principle, a data controller must take all necessary technical and organisational steps to implement the data protection principles and protect the rights of individuals. These steps could include, for example, using pseudonymisation.

Data protection by default means that your company should always make the most privacy friendly setting the default setting. For example, if two privacy settings are possible and one of the settings prevents personal data from being accessed by others, this should be used as the default setting.

Infringement of the rules and penalties

Failure to comply with the GDPR may result in significant fines of up to EUR 20 million or 4 % of your company's global turnover for certain breaches. The Data Protection Authority may impose additional corrective measures, such as ordering you to stop processing personal data.

Cookies

There are several different types of cookies that you can use on your website. Depending on the purpose of the cookie, you may require the prior consent of your users.

Cookies that do not require consent

The following are some cases where consent is not required:

  • Cookies used for the sole purpose of carrying out the transmission of a communication, such as cookies that allow the processing of web server requests over a pool of machines instead of just one (load balancing).
  • Cookies that are strictly necessary to provide an online service that the person explicitly requested, e.g. user-input cookies (cookies used when you ask your users to fill out an online form or when your customers use a shopping basket while purchasing products on your web site), or authentication cookies (when users authenticate themselves on your web site to log in in order to check online services such as their bank account).

Cookies that require consent

Some cookies require the consent of your users before you can use them to collect their data. This means cookies cannot be set when the webpage is first opened. You can only set the cookie and use the information collected through it once you have obtained the user's consent.

The following are some cases where consent is needed:

  • social plug-in tracking cookies (such as those used for behavioural advertising, analytics or market research)
  • third party cookies used for behavioural advertising.

Intended purpose of the cookies

If you use cookies that require consent, you must give the person browsing your website clear and comprehensive information about the cookies used on your website and their purpose. Your users should be allowed to give their specific consent depending on the purpose of the different types of cookies they are accepting, e.g. they should be able to give separate consent for tracking cookies.

Withdrawal of consent

You must make sure it's as easy for your users to withdraw their consent as it is for them to accept cookies. If the user chooses to withdraw their consent, you still have to provide some sort of minimum service for them, e.g. they can at least access part of your website.
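The consent rules in the cookie sections above (no consent-requiring cookie set on first load, consent given separately per purpose, and withdrawal that is as easy as acceptance), as an added example that is not part of this page. The cookie names, the categories and the in-memory jar standing in for the browser's cookie store are assumptions.

```javascript
// Added example (not from the original page): consent-gated cookie handling.
// Cookie names and categories are assumptions; the Map stands in for the
// browser's cookie store so the example runs offline.
const COOKIE_CATEGORIES = {
  necessary: ['session_id', 'csrf_token', 'lb_node'], // transmission / strictly necessary: no consent needed
  analytics: ['_analytics_uid'],
  advertising: ['_ad_tracker'],
};

function categoryOf(name) {
  for (const [category, names] of Object.entries(COOKIE_CATEGORIES)) {
    if (names.includes(name)) return category;
  }
  return null; // cookies with no declared purpose are never set
}

// Nothing is consented to until the user takes an affirmative act.
function newConsent() {
  return { analytics: false, advertising: false };
}

// Consent is given per purpose: accepting analytics does not accept advertising.
function grantConsent(consent, category) {
  if (!(category in consent)) throw new Error(`unknown consent category "${category}"`);
  return { ...consent, [category]: true };
}

// Withdrawal takes effect immediately: cookies already set for that purpose are removed.
function withdrawConsent(consent, category, jar) {
  if (!(category in consent)) throw new Error(`unknown consent category "${category}"`);
  for (const name of COOKIE_CATEGORIES[category]) jar.delete(name);
  return { ...consent, [category]: false };
}

// Set a cookie only if its purpose is strictly necessary or has been consented to.
// Returns true when the cookie was set and false when it was blocked.
function setCookieIfAllowed(jar, name, value, consent) {
  const category = categoryOf(name);
  if (category === null) return false;
  if (category !== 'necessary' && !consent[category]) return false;
  jar.set(name, value);
  return true;
}

// Constructed scenario: first page load with no consent, then consent to
// analytics only, then withdrawal of that consent.
function demo() {
  const jar = new Map();
  let consent = newConsent();
  const firstLoad = ['session_id', '_analytics_uid', '_ad_tracker'].map(
    (n) => setCookieIfAllowed(jar, n, 'v', consent));
  consent = grantConsent(consent, 'analytics');
  const afterConsent = setCookieIfAllowed(jar, '_analytics_uid', 'u-123', consent);
  consent = withdrawConsent(consent, 'analytics', jar);
  return { firstLoad, afterConsent, remaining: [...jar.keys()], consent };
}

console.log(demo());
```

On the first load only the session cookie is set; the analytics cookie appears only after the analytics-specific consent, and withdrawing that consent deletes it while the strictly necessary cookie stays, so the user keeps the minimum service the page mentions.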
