BRAZIL

What does the General Personal Data Protection Law – LGPD deal with?

The General Data Protection Law – LGPD (Law n. 13.709, of 2018), provides for the processing of personal data of natural persons, defining the hypotheses in which such data may legitimately be used by third parties and establishing mechanisms to protect data subjects data against inappropriate uses.

The LGPD is applicable to the data of natural persons and must be complied with by natural persons and public or private entities, regardless of the country of their headquarters or where the data is located, that carry out any processing operation of personal data, such as the collection , storage and sharing of data with third parties, provided that such treatment (i) is carried out in the national territory, (ii) has as its object the offer or supply of goods or services or the processing of data of individuals located in the national territory, or , still, (iii) when the personal data have been collected in the national territory.

How can personal data protection legislation help Brazil?

The LGPD aims to protect the fundamental rights related to the information sphere of the citizen. Thus, the Law introduces a series of new rights that ensure greater transparency regarding the processing of data and give the holder protagonism regarding its use.

The approval of the LGPD and the creation of the National Data Protection Authority – ANPD also represent important steps towards placing Brazil on the same level as many other countries that have already approved laws and institutional structures of this nature.

The constitution of a legal environment focused on the protection of personal data also corresponds to the alignment with the guidelines of the Organization for Economic Cooperation and Development – OECD, which for decades has played an important role in promoting respect for privacy as a fundamental value and as a assumption for the free flow of data.

Finally, from the point of view of data processing agents, whether companies or the government itself, the LGPD brings the opportunity to improve data governance policies, with the adoption of good practice rules and the incorporation of technical and administrative measures. that mitigate risks and increase data subject confidence in the organization.

When did the LGPD come into effect?

The law entered into force in a staggered manner:

· On December 28, 2018, regarding arts. 55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55-I, 55-J, 55-K, 55-L, 58- A and 58-B, which deal with the constitution of the National Data Protection Authority – ANPD and the National Council for the Protection of Personal Data and Privacy – CNPDPP.

· On September 18, 2020, regarding the other articles of the law, with the exception of the provisions dealing with the application of administrative sanctions;

· On August 1, 2021, regarding arts. 52. 53 and 54, which deal with administrative sanctions.

With the LGPD, how is the Positive Register?

As it is a general law, the rules of the Consumer Protection Code (Law No. 8078/90) for the treatment of negative data and the Positive Registration Law (Law No. 12414/2011) for the treatment of of the positive data.

In Article 7, Item X, of the LGPD, the legislator expressly mentions that the processing of personal data can be carried out for “credit protection”. In the same item, it recognizes the existing provisions in the relevant legislation, thus including the laws that deal specifically with credit.

What is personal data processing, according to the LGPD?

According to the LGPD, processing of personal data is any operation carried out with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or information control, modification, communication, transfer, diffusion or extraction.

What are personal data?

The LGPD adopts an open concept of personal data, defined as information related to an identified or identifiable natural person.

Thus, in addition to the basic information related to the name, registration number in the General Registry (RG) or in the National Taxpayer Registry (CPF) and residential address, other data that allow the identification of an individual are also considered personal data, such as sexual orientation, political party affiliation, medical history and also those referring to the individual’s biometric aspects.

According to the LGPD, those used to form the behavioral profile of a certain natural person, if identified, may also be considered as personal data.

The LGPD adopts an open concept of personal data, defined as information related to an identified or identifiable natural person.

Thus, in addition to the basic information related to the name, registration number in the General Registry (RG) or in the National Taxpayer Registry (CPF) and residential address, other data that allow the identification of an individual are also considered personal data, such as sexual orientation, political party affiliation, medical history and also those referring to the individual’s biometric aspects.

According to the LGPD, those used to form the behavioral profile of a certain natural person, if identified, may also be considered as personal data.

With the LGPD, how is the Positive Register?

As it is a general law, the rules of the Consumer Protection Code (Law No. 8078/90) for the treatment of negative data and the Positive Registration Law (Law No. 12414/2011) for the treatment of of the positive data.

In Article 7, Item X, of the LGPD, the legislator expressly mentions that the processing of personal data can be carried out for “credit protection”. In the same item, it recognizes the existing provisions in the relevant legislation, thus including the laws that deal specifically with credit.

What is personal data processing, according to the LGPD?

According to the LGPD, processing of personal data is any operation carried out with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or information control, modification, communication, transfer, diffusion or extraction.

What are personal data?

The LGPD adopts an open concept of personal data, defined as information related to an identified or identifiable natural person.

Thus, in addition to the basic information related to the name, registration number in the General Registry (RG) or in the National Taxpayer Registry (CPF) and residential address, other data that allow the identification of an individual are also considered personal data, such as sexual orientation, political party affiliation, medical history and also those referring to the individual’s biometric aspects.

According to the LGPD, those used to form the behavioral profile of a certain natural person, if identified, may also be considered as personal data.

The LGPD adopts an open concept of personal data, defined as information related to an identified or identifiable natural person.

Thus, in addition to the basic information related to the name, registration number in the General Registry (RG) or in the National Taxpayer Registry (CPF) and residential address, other data that allow the identification of an individual are also considered personal data, such as sexual orientation, political party affiliation, medical history and also those referring to the individual’s biometric aspects.

According to the LGPD, those used to form the behavioral profile of a certain natural person, if identified, may also be considered as personal data.

What is sensitive personal data?

Sensitive personal data are those to which the LGPD has given even greater protection, as they are directly related to the most intimate aspects of an individual’s personality.

Thus, sensitive personal data are those related to racial or ethnic origin, religious conviction, political opinion, union membership or organization of a religious, philosophical or political nature, data referring to health or sex life, genetic or biometric data, when linked to an individual.

About the data considered sensitive, how about the issue of biometric data?

The LGPD classifies biometric data as sensitive personal data, providing even more rigor in the criteria applicable to its treatment. In these cases, the treatment may be carried out without the holder’s consent when dealing with hypotheses that include compliance with a legal or regulatory obligation and fraud prevention and the holder’s security, among others.

What data is protected by the LGPD?

The LGPD guarantees the protection of all data whose holders are natural persons, whether in physical or digital format. Thus, the LGPD does not reach data held by legal entities – which are not considered personal data for the purposes of the Law.

In what cases can personal data be processed?

With the entry into force of the LGPD, the processing of personal data can be carried out when any of the hypotheses provided for in its article 7 is verified or, in the case of sensitive personal data, one of the hypotheses provided for in article 11. ten distinct legal bases for the processing of personal data and eight legal bases that legitimize the processing of sensitive personal data.

It is worth noting that the LGPD is also applicable to data whose access is public and to those made manifestly public by the holders, safeguarding the observance of the general principles and rights of the holders provided for in the Law.

What are the legal bases for processing personal data?

The processing of personal data (non-sensitive) may be carried out in any of the following cases, provided for in art. 7 of the LGPD:

· Upon the provision of consent by the holder;

· For compliance with a legal or regulatory obligation by the controller;

· For the execution of public policies, by the public administration;

· To carry out studies by research body;

· For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;

· For the regular exercise of rights in judicial, administrative or arbitration proceedings;

· For the protection of the life or physical safety of the holder or a third party;

· For the protection of health, exclusively, in a procedure carried out by health professionals, health services or health authorities;

· To meet the legitimate interests of the controller or a third party, except in the event that the holder’s fundamental rights and freedoms prevail that require the protection of personal data;

· For credit protection.

What are the rights of citizens with the entry into force of the LGPD?

The LGPD provides for a wide range of rights for data subjects, among which the following can be highlighted:

· facilitated access to information on the processing of your data, which must be made available in a clear, adequate and conspicuous manner;

· confirmation of the existence of treatment;

· data access;

· correction of incomplete, inaccurate or outdated data;

· anonymization, blocking or deletion of data that is unnecessary, excessive or treated in violation of the provisions of this Law;

· portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;

· deletion of personal data processed with the consent of the holder, except in the cases provided for in art. 16 of the LGPD;

· information on public and private entities with which the controller shared data;

· information on the possibility of not giving consent and on the consequences of the refusal;

· revocation of consent, upon express manifestation of the holder, through a free and facilitated procedure;

· petition in relation to your data against the controller, before the national authority and before consumer protection bodies;

· opposition to treatment carried out based on one of the hypotheses of waiver of consent, in case of non-compliance with the provisions of the LGPD;

· request for a review of decisions taken solely on the basis of automated processing of personal data that affect your interests, including decisions aimed at defining your personal, professional, consumption and credit profile or aspects of your personality; It is

· provision, upon request, of clear and appropriate information regarding the criteria and procedures used for automated decision-making, observing commercial and industrial secrets.

What are the rights of citizens with the entry into force of the LGPD?

The LGPD provides for a wide range of rights for data subjects, among which the following can be highlighted:

· facilitated access to information on the processing of your data, which must be made available in a clear, adequate and conspicuous manner;

· confirmation of the existence of treatment;

· data access;

· correction of incomplete, inaccurate or outdated data;

· anonymization, blocking or deletion of data that is unnecessary, excessive or treated in violation of the provisions of this Law;

· portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;

· deletion of personal data processed with the consent of the holder, except in the cases provided for in art. 16 of the LGPD;

· information on public and private entities with which the controller shared data;

· information on the possibility of not giving consent and on the consequences of the refusal;

· revocation of consent, upon express manifestation of the holder, through a free and facilitated procedure;

· petition in relation to your data against the controller, before the national authority and before consumer protection bodies;

· opposition to treatment carried out based on one of the hypotheses of waiver of consent, in case of non-compliance with the provisions of the LGPD;

· request for a review of decisions taken solely on the basis of automated processing of personal data that affect your interests, including decisions aimed at defining your personal, professional, consumption and credit profile or aspects of your personality; It is

· provision, upon request, of clear and appropriate information regarding the criteria and procedures used for automated decision-making, observing commercial and industrial secrets.

What do businesses and government need to do to comply?

The LGPD establishes a series of measures that must be adopted by processing agents, which include identifying the legal bases that justify data processing activities; the adoption of internal processes and policies that ensure compliance with personal data protection rules; and the establishment of a contact channel with the holders of personal data.

The Law determines that data controllers must appoint a Person in Charge to act as a communication channel between the controller, the data subjects and the ANPD. In certain circumstances, depending on the nature and size of the entity or the volume of data processing operations, the ANPD may establish hypotheses for waiving the need for its indication.

We still don’t have anything according to what the LGPD asks for. What to do?

It is important to remember that personal data permeates the entire organization, so the success of this work will depend on everyone’s effort and involvement. The first steps must have the company’s management involved and aware of the need to comply, in order to have a strong sponsor, in order to form a multidisciplinary team that involves several areas, such as compliance, technology, security and governance, legal and resources humans.

What is the desired profile for the Supervisor (DPO)?

The Designation of the Incumbent must be based on the professional qualities of the nominee, particularly in their legal and regulatory knowledge, in technology and information security, organizational leadership, awareness raising/educator, and also, with knowledge in governance. The more complex the data processing activities carried out by the organization, the greater the level of technical knowledge of the Person in Charge of Personal Data Processing (DPO).

What is the involvement of the IT area in the adequacy project?

The participation of the IT area is very important in the process of becoming compliant, as it is involved from supporting the availability of systems that support privacy demands to ensuring that information security tools, processes and good practices are in place and in accordance.

This area has a wide and comprehensive participation since the Law makes it clear that companies must adopt technical and administrative measures to ensure the protection of their personal data. However, the involvement of all areas is essential, especially the legal, compliance and business areas.

What is the job of the Foreman (DPO) in practice?

The Person in Charge will play a fundamental role in the organizations’ strategic decisions and must have autonomy over activities involving any type of data processing, in addition to having direct contact with the company’s management, making decisions that comply with the law.

As the LGPD deals with in Article 41, the DPO/In charge must have the following attributions:

· accept complaints and communications from holders, provide clarifications and adopt measures;

· receive communications from the national authority and take action;

· guide the entity’s employees and contractors regarding the practices to be adopted in relation to the protection of personal data;

· carry out other attributions determined by the controller or established in complementary rules.

In addition to these attributions, the ANPD, the National Data Protection Authority, may establish additional rules on the definition and attributions of the person in charge.

What is the involvement of the IT area in the adequacy project?

The participation of the IT area is very important in the process of becoming compliant, as it is involved from supporting the availability of systems that support privacy demands to ensuring that information security tools, processes and good practices are in place and in accordance.

This area has a wide and comprehensive participation since the Law makes it clear that companies must adopt technical and administrative measures to ensure the protection of their personal data. However, the involvement of all areas is essential, especially the legal, compliance and business areas.

How important is technology for the implementation of the LGPD?

The process to comply with the LGPD must go through people, areas, processes, systems, legal and technology partners. Due to all these variables involved, we understand that technology does make a difference and it is important, because, depending on the size and level of complexity of an organization, managing all these entities in accordance with the requirements of the law without a management tool that can aggregating, registering and controlling all these demands can become an extremely difficult project.

According to Art. 49 of the Law, the systems used for the processing of personal data must be structured in order to meet the security requirements, the standards of good practices and governance and the general principles provided for in this Law and other regulatory standards.

What is Data Mapping and how to do it?

Data Mapping consists of raising, through the structure of the organization, own resources or with a specialized company, all items associated with personal data. With this information, an inventory is created, which can basically be of four types:

· Active tables or entire databases, applications that retain non-electronic data or physical files;

· Suppliers of systems with which personal data is shared, such as a CRM in the cloud;

· Processes or activities that somehow manipulate personal information;

· Partner companies also handle personal data under our responsibility.

After defining what will be inventoried, the next step is to map it through an iterative and incremental process. That is, it is interesting to start mapping what is known, since, from the outset, it is already possible to become aware of the gaps and possible risks involved.

Can the consent form be written or digital? In the case of digital, is there any rule to follow?

The term of consent can be acquired both physical and digital, but it must be, as stated in Art. 8, “in writing or by other means that demonstrates the expression of the holder’s will”. Like the GDPR, the General Data Protection Law brings the concern to limit the retention of data only to what is strictly necessary for its treatment.

In the Law there is no fixed period for the retention of processed data, but it establishes, in its Art. 16, that “personal data will be eliminated after the end of their treatment, within the scope and technical limits of activities”. It is observed, therefore, that the data retention period in the LGPD is conditioned to the purpose declared by the person responsible for the treatment, and that, once used, they must be deleted from their servers.

What is the National Personal Data Protection Authority – ANPD?

ANPD is the federal public administration body responsible for ensuring the protection of personal data and for implementing and overseeing compliance with the LGPD in Brazil.

See: https://www.gov.br/anpd/pt-br

What is the role of the National Data Protection Authority – ANPD?

ANPD’s institutional mission is to ensure the broadest and most correct observance of the LGPD in Brazil and, to that extent, guarantee due protection to the fundamental rights of freedom, privacy and free development of the personality of individuals.

Article 55-J of the LGPD establishes the main powers of the ANPD, among which the following stand out:

· develop guidelines for the National Policy for the Protection of Personal Data and Privacy;

· monitor and apply sanctions in the event of data processing carried out in breach of the legislation, through an administrative process that ensures the contradictory, ample defense and the right of appeal;

· promote awareness among the population of norms and public policies on the protection of personal data and security measures;

· encourage the adoption of standards for services and products that facilitate the holders’ exercise of control over their personal data, which should take into account the specificities of the activities and the size of those responsible;

· promoting cooperation actions with personal data protection authorities in other countries, whether of an international or transnational nature;

· edit regulations and procedures on personal data protection and privacy, as well as on reports on the impact of personal data protection for cases in which the treatment poses a high risk to the guarantee of the general principles of protection of personal data provided for in this Law;

· listen to treatment agents and society in matters of relevant interest and report on their activities and planning;

· edit rules, guidelines and simplified and differentiated procedures, including deadlines, so that micro and small companies, as well as business initiatives of an incremental or disruptive nature that declare themselves startups or innovation companies, can adapt to the Law;

· deliberate, in the administrative sphere, on a terminating basis, on the interpretation of the LGPD, its competences and omissions;

· articulate with public regulatory authorities to exercise their powers in specific sectors of economic and government activities subject to regulation; It is

· Implement simplified mechanisms, including electronic means, for registering complaints about the processing of personal data in violation of this Law.

When was the ANPD created?

The ANPD was created by Provisional Measure n. 869, of December 27, 2018, later converted into Law n. 13,853, of August 14, 2019.

In turn, Decree 10,474, of August 26, 2020, approved the Regulatory Structure and the Demonstrative Table of Positions in Commissions and Trust Functions of the ANPD, with entry into force on the date of publication of the appointment of the Director-President of the ANPD in the Federal Official Gazette.

What is the structure of the ANPD?

Pursuant to art. 55-C of the LGPD and art. 3 of Decree 10,474/20, the ANPD has the following composition:

· Board of Directors, the highest management body, made up of five Directors, including the Chief Executive Officer;

· National Council for the Protection of Personal Data and Privacy, a consultative body made up of 23 representatives from public bodies, civil society, the scientific community, the productive and business sector and the labor sector.

· Direct and immediate assistance bodies to the Board of Directors:

a) General Secretariat;

b) General Coordination of Administration; It is

c) General Coordination of Institutional and International Relations;

· Sectional bodies:

a) Internal Affairs;

b) Ombudsman; It is

c) Legal Advice; It is

· Singular specific bodies:

a) General Coordination of Standardization;

b) General Inspection Coordination; It is

c) General Coordination of Technology and Research.

See: https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/estrutura-organizacional-1

Is the ANPD an independent authority?

Despite being a body of the direct federal public administration, the ANPD has some institutional characteristics that give it greater independence, such as technical and decision-making autonomy and the fixed mandate of the Directors.

The LGPD also provides that the legal nature of the ANPD is transitory and may be transformed by the Executive Branch into an indirect federal public administration entity, subject to a special autarchic regime and linked to the Presidency of the Republic. Such assessment shall take place within 2 (two) years from the date of entry into force of the regulatory structure of the ANPD.

Can the ANPD apply sanctions for non-compliance with the law?

It should be remembered, firstly, that the provisions of the LGPD dealing with administrative sanctions will only come into force on August 1, 2021. After that date, the ANPD may apply, after an administrative procedure that allows full defense, the following administrative sanctions :

· warning, indicating the deadline for adopting corrective measures;

· simple fine of up to 2% (two percent) of the billing of the private legal entity, group or conglomerate in Brazil in its last financial year, excluding taxes, limited in total to R$ 50,000,000.00 ( fifty million reais) per infraction;

· daily fine, subject to the total limit referred to in item II;

· publication of the infraction after its occurrence has been duly investigated and confirmed;

· blocking of the personal data referred to in the infringement until it is regularized;

· deletion of the personal data to which the infringement refers;

· partial suspension of the functioning of the database to which the infraction refers for a maximum period of 6 (six) months, extendable for an equal period, until the processing activity is regularized by the controller;

· Suspension of the personal data processing activity referred to in the infringement for a maximum period of 6 (six) months, extendable for an equal period; It is

· partial or total ban on carrying out activities related to data processing.

Does the ANPD work with other entities and public bodies in the exercise of its powers?

Yes. The ANPD must coordinate with other entities and public bodies in order to ensure the fulfillment of its institutional mission, acting as a central body for interpreting the LGPD and establishing norms and guidelines for its implementation.

The LGPD determines, for example, that the ANPD and the public bodies and entities responsible for regulating specific sectors of economic and governmental activity must coordinate their activities, in the corresponding spheres of action, with a view to ensuring the fulfillment of their attributions with the greatest possible care. efficiency and promote the proper functioning of the regulated sectors. Likewise, the LGPD determines that the ANPD must communicate to the competent authorities the criminal offenses of which it becomes aware.

It is important to note that the application of the sanctions provided for in the LGPD is the exclusive responsibility of the ANPD, and its powers will prevail, with regard to the protection of personal data, over the related powers of other entities or public administration bodies.

What is the profile of ANPD Directors? How are they chosen?

The LGPD determines that the Board of Directors of ANPD will be composed of 5 (five) directors, including the Chief Executive Officer. The members are chosen by the President of the Republic and appointed by him, after approval by the Federal Senate, and must be chosen among Brazilians who have an unblemished reputation, a superior level of education and a high reputation in the field of specialty of the positions to which they will be appointed.

The term of office of the members of the Board of Directors will be 4 (four) years. In order to ensure that such terms do not coincide (that is, that they end in different years), the terms of the first appointed members of the Board of Directors will be 2 (two), 3 (three), 4 (four), 5 (five) and 6 (six) years, as established in the appointment act.

What is the National Council for the Protection of Personal Data and Privacy – CNPDPP for?

The National Council for the Protection of Personal Data and Privacy is an advisory entity that enables the participation of different social segments in shaping the regulatory environment for the protection of personal data. Its main duties are:

· propose strategic guidelines and provide subsidies for the preparation of the National Policy for the Protection of Personal Data and Privacy and for the performance of the ANPD;

· preparing annual reports evaluating the implementation of the actions of the National Policy for the Protection of Personal Data and Privacy;

· suggest actions to be carried out by the ANPD;

· preparing studies and holding debates and public hearings on the protection of personal data and privacy; It is

· disseminate knowledge about the protection of personal data and privacy to the population.

Participation in the National Council for the Protection of Personal Data and Privacy will be considered to provide a relevant, unpaid public service.

How will the members of the CNPDPP be chosen?

The CNPDPP is composed of twenty-three representatives, holders and alternates, of the following bodies and entities:

· 5 (five) from the federal Executive Branch;

· 1 (one) from the Federal Senate;

· 1 (one) from the Chamber of Deputies;

· 1 (one) from the National Council of Justice;

· 1 (one) from the National Council of the Public Ministry;

· 1 (one) from the Brazilian Internet Steering Committee;

· 3 (three) from civil society entities with activities related to the protection of personal data;

· 3 (three) from scientific, technological and innovation institutions;

· 3 (three) union confederations representing the economic categories of the productive sector;

· 2 (two) entities representing the business sector related to the area of personal data processing; It is

· 2 (two) from entities representing the labor sector.

The members of the CNPDPP and their alternates will be appointed by the President of the Republic.

The nominations of members representing the bodies of the Executive Power, the Legislative Power, the National Council of Justice, the National Council of the Public Ministry and the Internet Management Committee in Brazil must be submitted by the holders of the bodies to the Minister of State Head of the Civil House of the Presidency of the Republic.

The other nominations may be freely submitted to the Board of Directors of ANPD by entities representing the different segments, within a period of thirty days, counting from the date of publication of the call notice in the Official Gazette of the Union. Upon receipt of the nominations, the Board of Directors will form a triple list of holders and alternates for each vacancy, which will be forwarded to the Minister of State, Chief of Staff of the Presidency of the Republic, for appointment by the President of the Republic.

See: https://www.gov.br/anpd/pt-br/composicao-1/conselho-nacional-de-protecao-de-dados-pessoais-e-privacidade-cnpd

How will society participate in the work of the ANPD?

Under the terms of the LGPD, it is up to the ANPD to listen to treatment agents and society in matters of relevant interest and to report on its activities and planning. Furthermore, the regulations and standards issued by the ANPD must be preceded by public consultation and hearing, as well as by regulatory impact analysis.

Finally, it should be remembered that the CNPDPP is the form of institutionalized participation of different social groups in the ANPD.

Will natural and legal persons, public or private, who carry out personal data processing activities have to transfer their databases to the ANPD?

Individuals or legal entities that carry out data processing will not be required to transfer their databases to the ANPD. It is up to the ANPD to supervise and apply sanctions when data processing occurs in breach of data protection legislation, through administrative proceedings, with contradictory and full defense.

EUROPE

What is the GDPR?

The General Data Protection Regulation is a European Union law that was implemented May 25, 2018, and requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory. The regulation includes seven principles of data protection that must be implemented and eight privacy rights that must be facilitated. It also empowers member state-level data protection authorities to enforce the GDPR with sanctions and fines. The GDPR replaced the 1995 Data Protection Directive, which created a country-by-country patchwork of data protection laws. The GDPR, passed in European Parliament by overwhelming majority, unifies the EU under a single data protection regime.

Read our summary of the GDPR for an overview of the law. ( https://gdpr.eu/what-is-gdpr/ )

Who must comply with the GDPR?

Any organization that processes the personal data of people in the EU must comply with the GDPR. “Processing” is a broad term that covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on. Even if an organization is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies.

Find more information about who must comply with the GDPR: https://gdpr.eu/companies-outside-of-europe/

What are the GDPR fines?

The GDPR allows the data protection authorities in each country to issue sanctions and fines to organizations it finds in violation. The maximum penalty is €20 million or 4% of global revenue, whichever is higher. Data protection authorities can also issue sanctions, such as bans on data processing or public reprimands.

Read more about how GDPR fines are assessed: https://gdpr.eu/fines/

How do I comply with the GDPR?

Organizations can comply with the GDPR by implementing technical and operational safeguards to protect personal data they control. The first step is to conduct a GDPR assessment to determine what personal data they control, where it is located, and how it is secured. They must also adhere to the privacy principles outlined in the GDPR, such as obtaining consent and ensuring data portability. You may also be required to appoint a Data Protection Officer and update your privacy notice ( https://gdpr.eu/privacy-notice/ ), among other organizational measures.

Review our GDPR checklist to learn more about the steps to compliance: https://gdpr.eu/checklist/

What is a Data Protection Officer?

A Data Protection Officer (DPO) is an employee within your organization who is responsible for understanding the GDPR and ensuring your organization’s compliance. The DPO is the main point of contact for the data protection authority. Typically, the DPO has knowledge of both information technology and law.

Learn more about the Data Protection Officer role here:  https://gdpr.eu/data-protection-officer/

Does the GDPR require encryption?

The GDPR requires organizations to implement “appropriate technical and organizational measures” to secure personal data and provides a short list of options for doing so, including encryption. In many cases, encryption is the most feasible method of securing personal data. For instance, if you regularly send emails within your organization that contain personal information, it may be more efficient to use an encrypted email service than to anonymize the information each time.