Legal Disclaimer

We, Metomic LTD, are not lawyers and we strongly encourage readers to seek their own legal advice. The content on this website is OUR interpretation of the GDPR.

A quick & digestible summary of the GDPR.

Helping you understand the complicated and convoluted world of the GDPR

Principles

The GDPR (Article 5) specifies six data protection principles, plus an overarching accountability requirement, that all organisations have to adhere to when collecting, storing and processing the personal data of individuals in the EEA (European Economic Area).

Lawfulness, Fairness & Transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the individual.

    Lawfulness

    1. Don't do anything with the personal data which is unlawful in a more general sense.
    2. In order to remain lawful, you must process data in accordance with one of the six lawful bases (see Lawful basis below).

    Fairness

    1. You obtain data fairly and legally.
    2. You must process data in ways that people can reasonably expect.
    3. You must consider not just how you use personal data, but whether you should in the first place.
    4. Personal data may sometimes be used in a way that negatively affects an individual without necessarily being unfair → what matters is whether or not such detriment is justified.
    5. Individuals are not penalised when choosing to exercise their rights.

    Transparency

    1. Be clear, open and honest with people from the start about who you are, why you need their personal data and how you are using it.
    2. You must tell individuals about your processing in a way that is easily accessible and easy to understand, with clear and plain language.

Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. (Further processing for archiving in the public interest, scientific or historical research or statistical purposes is not considered incompatible with the original purposes.)

Data Minimisation

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage Limitations

Personal data shall be kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed.

Integrity & Confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Article 32 names pseudonymisation and encryption of personal data, and the ability to restore availability and access after an incident, as examples of such measures.

Accountability

You shall be responsible for, and be able to demonstrate, compliance with all of the above principles.

Cookies

You MUST notify people if you set cookies, and clearly explain the reasoning and purpose of the cookies. You MUST also ask for the user's consent before you set cookies, and the option to consent (or withdraw) must be accessible and clear. Note that the consent requirement for cookies comes from the ePrivacy Directive (Article 5(3)) rather than from the GDPR itself; the GDPR supplies the standard that this consent has to meet.

Cookie Notice

Cookies are small text files that a website stores in the user's browser to 'remember' them. Cookies can be used for a variety of things. The same consent rules apply to any other technique that stores or reads information on the user's device (for example localStorage or device fingerprinting).

    1. Cookie Notice

       A clear, comprehensive and visible notice must be presented on the entry page.

    2. Display all necessary information

       Users must be able to access all necessary information about the different types or purposes of cookies being used by the website.

       Necessary information would be:

       • The purpose(s) of the cookies
       • An indication of possible cookies from third parties or third-party access to data collected by the cookies on the website
       • Retention period
       • Typical values

       Users must also be informed about the ways they can signify their wishes regarding cookies, i.e. how they can:

       • Accept some, none or all cookies
       • Change this preference in the future

    3. Record consent

       Consent must be sought before cookies are set or read.

    4. Positioning

       The UI element used to indicate active consent must be within or close to the location where the information is presented.

    5. Information must be accessible

       The information must be present on the website and cannot disappear until the user has expressed consent.

    6. Consent must be clearly given

       A click on "more information" alone does not constitute consent.

    7. Refusal of consent

       Generally, refusal of consent to cookies should not block access to the entire website.

    Certain classes of cookies are necessary for the functioning of a website, and thus do not require consent before they are set or read. They must, however, fulfil one of two possible criteria:

    1. Criterion A

       "For the sole purpose of carrying out the transmission of a communication over an electronic communications network"

       The cookie must fulfil at least one of these conditions:

       1. The ability to route the information over the network, notably by identifying the communication endpoints
       2. The ability to exchange data items in their intended order, notably by numbering data packets
       3. The ability to detect transmission errors or data loss
       • Examples
         • In practice, only load balancing session cookies qualify

    2. Criterion B

       "The cookie is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service"

       The cookie must fulfil both of these conditions:

       1. The information society service has been explicitly requested by the user, and the user (or subscriber) did a positive action to request a service with a clearly defined perimeter
       2. The cookie is strictly needed to enable the information society service. If cookies are disabled, the service will not work.
       • Examples
         • Shopping cart cookies
         • Session (ID) cookies

           Lifetime limited to the session, or a few hours at most; a long-lived identifier would not qualify

         • Session-based authentication cookies

           The commonly seen method of using a checkbox and a simple information note such as "remember me (uses cookies)" next to the submit form would be an appropriate means of gaining consent, therefore negating the need to apply an exemption in this case.

         • User-centric security cookies

           Persistent cookies used to prevent the login system from abuse

         • Multimedia player session cookies

           To store only technical data such as image quality, network speed, buffering parameters

         • UI customisation cookies

           Language preferences, sort order, page size

Lawful basis

There are six lawful bases for processing. Each lawful basis has a unique set of requirements for its use. Which lawful basis applies depends on your purpose and your relationship with the individual.

Consent

The individual has given clear consent for you to process their personal data for a specific purpose.

    1. Genuine consent

       Consent is genuine only if it puts individuals in ongoing control over how their data is used.

    2. Withdrawing consent

       If an individual withdraws that consent, you must respect that choice and stop that part of the processing.

    3. Valid consent

       Consent is only valid if it satisfies all of the following conditions:
       • Freely given
         • Consent must be asked for separately from other terms and conditions
         • If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.
         • Any element of inappropriate pressure or influence upon the individual, which prevents an individual from exercising their free will, shall render the consent invalid
       • Specific and informed
         • Uses clear, plain language that is easy to understand
         • Specifies the purpose and the usage
         • Is granular enough to differentiate different purposes or usages
         • Names any third parties that rely on that consent
         • Informs the individual of a way to withdraw consent
         • Indicates, where applicable, that the data will be used for decisions based solely on automated processing, including profiling
         • Informs the individual of the possible risks of data transfers to other countries
       • Unambiguous

         Involves a clear, affirmative action. That is, the individual must opt into the processing and not out of it.

    4. Documenting consent

       You should retain enough data to show a link to the processing and to prove that consent was obtained, but should not collect any more information than necessary.

       • In an online context

         The following data could be retained:

         • The session in which consent was expressed,
         • documentation of the consent workflow at the time of the session, and
         • a copy of the information that was presented to the individual at that time.

         It would not be sufficient to merely refer to a correct configuration of the respective website.

    5. Accountability

       • Review obtained consents regularly to check that the processing and purposes have not changed.
       • Have processes in place to refresh consent at appropriate intervals.
       • Consider implementing dashboards for users to manage their consent.

    6. Keeping records

       Keep records of when and how consent was obtained from the individual, as well as what they were told at the time.

    7. Obtaining consent online

       When consent is obtained via electronic means through only one mouse-click, swipe or keystroke, individuals must in practice be able to withdraw that consent just as easily via the same electronic interface.

       Forcing the user to switch to another interface for the sole reason of withdrawing consent would require undue effort, causing the consent mechanism to fall out of compliance.

    8. Consent cannot be compulsory

       You must ensure that individuals who withdraw or refuse consent are not penalised.

    9. Further processing includes storage

       If there is no other lawful basis justifying the further storage of the data, you should delete that data when the individual withdraws consent.
  • When it's valid:

    • Asking for consent in plain, clear and concise language

    • Informing the individual of the nature of the data, the purpose of its usage, and to which third-parties the data are being sent.

    • Informing and providing the user with an easy way to withdraw consent

    • Having confirmation emails on newsletter sign-ups

    • Giving equal prominence to Yes and No options.

    When it's invalid:

    • Having pre-ticked boxes that imply consent for marketing on sign-up pages

    • Passively consenting on behalf of the individual when they scroll down or swipe up through a website will not satisfy the requirement of a clear and affirmative action.

      The alert that continuing to scroll will constitute consent may be difficult to distinguish and/or may be missed when an individual is quickly scrolling through large amounts of text, causing such an action to not be sufficiently unambiguous

    • Using convoluted and complicated language, especially double negatives, when asking for consent

    • Not informing users of possible risks of data transfers to other countries where there are no appropriate safeguards against these risks.

    What to do:

    • Check that consent is the most appropriate lawful basis for processing

    • Make the request for consent prominent and separate from your terms and conditions

    • Ask people to positively opt in

    • Don't use pre-ticked boxes, or any form of consent by default

    • Use clear, plain language that is easy to understand
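    The consent rules above (no non-essential cookie set or read before consent, withdrawal as easy as granting via the same interface, and a record of the session, the workflow version and the text the user was shown) can be enforced in code rather than left to a banner that scripts can bypass. The browser-side consent manager below is an added example written for this summary; it is not Metomic's code and is not part of the original page. The cookie names, purposes, notice text and version number are constructed for illustration, and the `jar` object is a hypothetical abstraction standing in for `document.cookie` so the logic can be exercised outside a browser.

```javascript
// Added example (not from the Metomic page): a consent-gated cookie manager.
// Cookie names, purposes, notice text and version are constructed for
// illustration; `jar` stands in for document.cookie (hypothetical interface).
const ESSENTIAL_COOKIES = new Set(['sessionid', 'cart', 'lb_route']); // exempt under Criterion A/B
const NOTICE_VERSION = 'cookie-notice-v3';                             // hypothetical notice/workflow version
const NOTICE_TEXT =                                                    // constructed notice text
  'We set analytics and advertising cookies only if you agree. ' +
  'You can change your choice at any time from this banner.';

function createConsentManager(jar, clock = () => new Date().toISOString()) {
  const events = [];            // consent history: session, time, purposes, what was shown
  const granted = new Set();    // purposes the user has currently opted in to
  const purposeOf = new Map();  // non-essential cookie name -> purpose it was set for

  function record(action, purposes, sessionId) {
    const entry = {
      action,
      sessionId,
      at: clock(),
      purposes: purposes.slice(),
      workflowVersion: NOTICE_VERSION,
      noticeText: NOTICE_TEXT,   // a copy of the information the user actually saw
    };
    events.push(entry);
    return entry;
  }

  return {
    // Essential cookies are set unconditionally; anything else is refused
    // until the purpose it serves has been consented to.
    setCookie(name, value, purpose) {
      if (ESSENTIAL_COOKIES.has(name)) {
        jar.set(name, value);
        return true;
      }
      if (typeof purpose !== 'string' || !granted.has(purpose)) return false;
      jar.set(name, value);
      purposeOf.set(name, purpose);
      return true;
    },

    // Consent is an affirmative, granular choice: an empty selection (the
    // equivalent of a pre-ticked or skipped box) records nothing.
    grant(purposes, sessionId) {
      const list = Array.isArray(purposes) ? purposes : [];
      const chosen = list.filter((p) => typeof p === 'string' && p.length > 0);
      if (chosen.length === 0) return null;
      chosen.forEach((p) => granted.add(p));
      return record('grant', chosen, sessionId);
    },

    // Withdrawal goes through the same one-call interface as granting and
    // deletes the cookies whose only basis was the withdrawn consent.
    withdraw(purposes, sessionId) {
      const list = Array.isArray(purposes) ? purposes : [];
      const dropped = list.filter((p) => granted.has(p));
      if (dropped.length === 0) return null;
      dropped.forEach((p) => granted.delete(p));
      for (const [name, purpose] of purposeOf) {
        if (dropped.includes(purpose)) {
          jar.remove(name);
          purposeOf.delete(name);
        }
      }
      return record('withdraw', dropped, sessionId);
    },

    hasConsent(purpose) { return granted.has(purpose); },
    history() { return events.slice(); },
  };
}

// In-memory stand-in for document.cookie so the example runs anywhere.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    remove: (name) => store.delete(name),
    has: (name) => store.has(name),
    names: () => Array.from(store.keys()).sort(),
  };
}
```

    In a real page the manager is created once at load, every script that wants to set a non-essential cookie goes through `setCookie` with its purpose, and the banner's accept and withdraw controls call `grant` and `withdraw` with the current session identifier. The entries returned by `history()` are what you would persist server-side as the consent record; deleting the cookies on withdrawal also covers the point that further storage needs its own lawful basis.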

    Coming soon
    GDPR Checklist

    If you’re interested in a more curated GDPR checklist that takes the nuances of your business into account -- register your interest by signing up for our Beta

Contract

The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

    1. Conditions for using this lawful basis

       You may use this lawful basis if the processing is necessary under either of the following conditions:
       • You have a contract with the individual

         And you need to process their personal data:

         • In order to comply with your obligations under the contract.
         • So that they can comply with specific counter-obligations under the contract.

           For example, if you process their payment details so that they can pay you for the goods you sold to them.

       • You are about to enter a contract with the individual

         If you have yet to sign a contract with the individual, but they have asked you to do something as a first step (e.g. provide a quote), and you need to process their personal data to do what they ask, you may use this lawful basis.

         This applies even if they don't actually go on to enter into a contract with you, as long as the processing was in the context of a potential contract between you and that individual.

         The principles of Purpose Limitation and Data Minimisation still apply here; once the pre-contractual task is complete, you should delete that data if you have no further lawful basis to hold on to it, regardless of whether you eventually signed the contract or not.

    2. You must pass the necessity test

       In order to use this lawful basis, you must interpret it strictly, and the processing must be genuinely and objectively necessary for the fulfilment of the contract or the pre-contractual task.

       1. Identify all of the purposes for the processing of personal data as stated within the contract.
       2. Examine carefully the perspective of the average person likely to sign your contract in order to ensure that there is a genuine mutual understanding of the contractual purpose.
       3. Determine if you can reasonably fulfil your contractual obligations by processing less data, or by using the personal data in a less intrusive way.

       If you do not pass the necessity test for any given processing, you may not use this lawful basis to carry out the processing in question, but should pursue other lawful bases.

    3. When processing special categories of data

       If you need to process special category data for the contract, the Contract basis alone is not enough: you must also satisfy one of the separate conditions in Article 9, which for a contract will usually be the individual's explicit consent.

    4. When processing children's data

       If the contract is with a child under 18, you need to consider whether they have the necessary competence to enter into a contract (the age of contractual capacity is a matter of national law).

       If you have doubts about their competence, you may wish to consider an alternative basis such as legitimate interests, which can help you to demonstrate that the child's rights and interests are properly considered and protected.

    5. Upon termination of the contract

       • Data that are no longer necessary should be removed → it is unfair to swap in a different lawful basis upon termination of the contract.
       • If it is necessary to keep the information beyond the lifetime of the contract (e.g. for goods returns or payment), a further lawful basis and duration of retention must be identified and communicated to the individual at the outset.

    6. Individuals' rights for this lawful basis

       1. A right to data portability
       2. No right to object
       3. No right not to be subject to solely automated decision-making, but only where the automated processing is demonstrably necessary for the contract; even then you must provide safeguards, including the right to obtain human intervention and to contest the decision

    7. Determining necessity

       The processing must be more than just useful, and more than just part of your standard terms. It must be a targeted and proportionate step which is integral to delivering the contractual service or taking the requested action.

    8. Demonstrating necessity

       The fact that some data processing is covered by a contract does not automatically mean that it is necessary for the performance of the contract.

       It is your responsibility to demonstrate how the main subject matter of your contract with the individual cannot be performed if you do not carry out any given processing of their personal data.

    9. Party to the contract

       This lawful basis does not apply if you need to process one person's details but the contract is with someone else.

    10. Pre-contractual tasks must be made at the request of the individual

       For the processing of data in order to enter a contract, this lawful basis applies only if the pre-contractual task was requested by the individual, and not by you or some other third party.

  • When it's valid:

    • Processing an address for the delivery of goods

    • Processing credit card information for the payment of goods

    • Processing bank details for the payment of salary

    • Processing an individual's email or address at her request to send her an offer for a retail product

    • Processing the make and age of an individual's car at their request for an insurance quote

    When it's invalid:

    • Building a profile of a buyer's tastes and lifestyle choices based on their clickstream and purchase history is not necessary, since the contract is to deliver particular goods and services.

    • A bank performing credit reference checks prior to the grant of a loan is not covered under this lawful basis; it is instead compliance with a legal obligation to consult an official list of registered debtors.

    • Direct marketing at your own initiative

    • If a buyer has opted to collect bought goods instead of having them delivered, processing of their address is no longer necessary for the fulfilment of the sale contract, and thus requires a different lawful basis

    What to do:

    • Consider the principles: Fair and Transparent, Purpose Limitation, Data Minimisation

    • Document your decision to rely on this lawful basis and ensure that you can justify your reasoning

    • Look for a different lawful basis if the processing is not necessary for the contract.


Legal obligation

The processing is necessary for you to comply with the law (not including contractual obligations).

    1. Conditions for using this lawful basis

       • If you are obliged to process personal data in order to comply with the law.
       • Only applies to legal obligations under EU or member state law → to comply with obligations imposed by the law of another country, you should consider the Legitimate Interest basis instead.

    2. The processing must be necessary

       • You should be able to identify the specific legal provision, or an authoritative source of guidance that sets the obligation out.
       • If compliance is achievable without processing the personal data, this basis does not apply.

    3. Demonstrating compliance

       You should be able to identify the obligation in question, either by reference to the specific legal provision or by pointing to an appropriate source of advice or guidance that sets it out clearly.

       For example, you can refer to a government website or to industry guidance that explains generally applicable legal obligations.

    4. Individuals' rights for this lawful basis

       1. No right to erasure
       2. No right to object
       3. No right to data portability

    5. What constitutes a legal obligation

       Regulatory authorities providing general policy guidelines and conditions under which they might consider using their enforcement powers do not constitute a legal obligation.

    6. Must be imposed by law

       The obligation must be imposed by law and not by contractual agreements.

  • When it's valid:

    • An employer needs to process personal data to comply with its legal obligation to disclose employee salary details to the tax authority.

    • A court order may require you to process personal data for a particular purpose, and this also qualifies as a legal obligation.

    • A utilities supplier passing customer data to an antitrust regulator, who has legal powers to order remedies for adverse effects on competition.

    When it's invalid:

    • Relying on an obligation imposed by the law of a country outside the EU/EEA (consider the Legitimate Interest basis instead)

    What to do:

    • Make sure you can identify the specific legal obligation (the provision, or authoritative guidance that sets it out) when applying this lawful basis

    • Make sure the processing of personal data is absolutely necessary for compliance when applying this basis


Vital interest

The processing is necessary to protect the life (vital interests) of the individual or of another person.

    1. Use this lawful basis if you need to process personal data in order to protect someone's life.

    2. If you can reasonably protect the person's vital interests in another, less intrusive way, this basis will not apply.

    3. Limited scope

       This lawful basis is very limited in its scope, and generally only applies to matters of life and death.

    4. Prefer alternatives

       • Where possible, use the basis of consent.
       • If the individual is able to give consent but refuses, you cannot fall back onto the Vital Interest basis for health data or other special category data (Article 9 only allows it where the individual is physically or legally incapable of consenting).
       • For wide-scale processing in the interest of the public, if consent cannot practically be obtained, the bases of Legal Obligation or Public Task may be used instead.
  • When it's valid:

    • The wide-scale collection of airline passengers' data to monitor an epidemic (Recital 46), or where a security incident has been identified

    • An individual has life-threatening injuries following a serious road accident. The disclosure to the hospital of the individual's medical history is necessary in order to protect their vital interests.

    When it's invalid:

    • Processing one person's personal data to protect someone else's life where the processing could manifestly be based on another lawful basis (Recital 46 allows reliance on another person's vital interests only as a last resort).

    • Medical care that is planned in advance → use consent instead.

    What to do:

    • If you are to rely on this lawful basis, document the circumstances where it will be relevant and ensure you can justify your reasoning.

    • Limit the application of this basis to a case-by-case decision.


Public Task

The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

    1. Conditions for using this lawful basis

       • In order to exercise your official authority → this covers public functions and powers that are set out in law
       • In order to perform a specific task in the public interest that is set out in law.

    2. A specific statutory power is not needed for the particular processing activity

       • But the overall purpose must be to perform a public interest task or exercise official authority.
       • And the law underpinning that task or authority must be clear and foreseeable.

    3. Not just for public authorities

       It is most relevant to public authorities, but can apply to any organisation that exercises official authority or carries out tasks in the public interest.

    4. Consider the Legitimate Interest basis instead

       If you are a private sector organisation you are likely to be able to consider the Legitimate Interest basis as an alternative.

    5. The processing must be necessary

       If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.

  • When it's valid:

    • The administration of justice

    • Parliamentary functions

    • Statutory functions

    • Governmental functions

    • Activities that support or promote democratic engagement

    When it's invalid:

    • A private sector organisation that does not carry out a function of public administration

    What to do:

    • Document your decision that the processing is necessary for you to perform a task in the public interest or exercise your official authority.

    • Identify the relevant task or authority and its basis in common law or statute.

    • Include basic information about your purposes and lawful basis in your privacy notice.


Legitimate interest

The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.

    1. This is the most flexible lawful basis, but it comes with the additional burden of responsibility to consider and protect people's rights and interests.

    2. Public authorities can only rely on this lawful basis if they are processing for a legitimate reason other than performing their tasks as a public authority.
    3. Conditions for using this lawful basis

       In order to use this lawful basis you must conduct and document the outcome of a Legitimate Interest Assessment (LIA), which comprises three tests:

      • Purpose Test

        What are the legitimate interests pursued by you or a third party, and what commercial or societal benefits do you gain from this processing? A legitimate interest must be:

        1. Lawful. It is not illegal.
        2. Non-speculative. It is a real and present interest, something that corresponds with current activities, or benefits that are expected in the very near future.
        3. Specific. It is sufficiently clearly articulated so that you can carry out the balancing test below.

        Note that an interest may be legitimate but still fail the balancing test below.

      • Necessity Test

        Is the processing necessary for the purposes you have identified? You must consider if the processing is a proportionate way to achieve your interests, and that there is no less intrusive way to achieve the same result.

        If there are other alternatives, you must demonstrate why these are not reasonable, especially if they are less intrusive.

      • Balancing Test

        You must then consider the rights and interests of the individual, and whether these override your legitimate interests. To do so, analyse the:

        1. Sensitivity of the data. Is the data considered "private", such as financial, health, criminal offence or other special category data? Do the data belong to particular sensitive individuals such as children or those who may not be able to fully comprehend the impacts of your processing? Are the data about an individual’s personal or professional life?
        2. Reasonable expectations of the individual. Can the individual have a reasonable expectation of how you are going to use their data?

          Can they expect that the processing does not cause them unwarranted harm?

        3. Potential impacts. Consider the likelihood and severity of whether your processing will

          • Impede individuals from exercising their rights and freedoms
          • Prevent individuals from accessing services or opportunities
          • Cause physical harm
          • Result in financial loss, identity theft or fraud, or
          • Disadvantage individuals in any other social or economic way.
        4. Additional Safeguards. Lastly, identify any potential safeguards you might take to limit these impacts, including

          • Data minimisation
          • Privacy-enhancing technologies
          • Increased transparency
          • Providing a general and unconditional right to opt-out or object to processing
          • Providing a data portability mechanism.

        If there’s a conflict, your interests may still prevail as long as there is a clear justification for the impact on the individual and the impact on the individual is less significant.

        If you identify the potential for a high risk, you will need to conduct a DPIA to assess those risks in greater detail.

    4. High risk processing

       If during your Legitimate Interest Assessment you uncover that your processing is likely to result in a high risk to individuals, you must conduct a Data Protection Impact Assessment (DPIA), into which the LIA feeds. This will help you identify and mitigate the data protection risks of your processing.

    5. A more suitable alternative

       Where the processing is actually required by law, rely on Legal Obligation rather than Legitimate Interest.

    6. Burden of proof

       If the individual objects to the processing, the burden of proof lies with you to demonstrate that your interests prevail.

    7. Failure to demonstrate

       If you do not succeed in demonstrating to the individual in a specific case that your interests prevail, this may also have broader consequences for the whole processing, not just with respect to the individual who objected.
  • When it's valid:

    • Processing that takes place within a client-vendor relationship

    • Direct marketing purposes

    • Unsolicited non-commercial messages, including for political campaigns or charitable fundraising

    • Enforcement of legal claims including debt collection via out-of-court procedures

    • To prevent fraud, misuse of services or money laundering

    • To ensure physical, IT, and network security

    • Exercise of the right to freedom of expression or information, including in the media and the arts

    • Employee monitoring for safety or management purposes

    • Whistle-blowing schemes

    • Processing for historical, scientific or statistical purposes

    • Processing for research (including marketing research)

    • Publication of data for purposes of transparency and accountability

      • For example, the salaries of top management in a company. In this case it can be considered that the public disclosure is done primarily in the interest of other stakeholders, such as employees or journalists, or the general public
      • But consider using Legal Obligation rather than Legitimate Interest where possible

    When it's invalid:

    • You cannot rely on legitimate interests to monitor the online and offline activities of your customers, or to combine vast amounts of data about them from different sources (initially collected in other contexts and for different purposes, or obtained via intermediary data brokers) to create complex profiles of their personalities and preferences without their knowledge and without a workable mechanism to object, let alone informed consent.

    What to do:

    • Conduct a Legitimate Interest Assessment

    • For LIAs that identify a significant privacy impact, also consider what other additional safeguards to adopt, and whether a DPIA needs to be done.

    • Document decisions on legitimate interests in order to demonstrate compliance.

    • Include information about legitimate interests in your privacy policy


Individual Rights

The GDPR sets out eight rights for individuals that every organisation processing the personal data of people in the EU/EEA has to facilitate (they apply to data subjects in the EU regardless of citizenship). The onus is on the organisation to facilitate these rights whenever they are exercised. Seven are summarised below; the eighth, rights in relation to automated decision-making and profiling, is touched on under the lawful bases above.

Right to be informed

The principles of fair and transparent processing require that the individual be informed of any processing operations and their purposes.

Coming soon

Right of Access

The individual shall have the right to know whether you are processing personal data concerning them, and if so, access to that personal data.

Coming soon

Right to rectification

The individual shall have the right to request you to rectify any inaccurate personal data concerning them.

Coming soon

Right to erasure

The individual has the right to request you to erase personal data concerning them. This is also known as the right to be forgotten.

Coming soon

Right to restrict processing

The individual has the right to request you to pause certain processing activities of their personal data.

Coming soon

Right to data portability

The individual has the right to request their personal data from you in a machine-readable format, or have you send that data to someone else.

Coming soon

Right to object

The individual has the right to object to your processing of their personal data. For direct marketing the right is absolute and you must stop. For processing based on the public task or legitimate interests bases you must stop unless you can demonstrate compelling legitimate grounds that override the individual's interests, or the processing is needed for the establishment, exercise or defence of legal claims.

Coming soon

Accountability

The principle of Accountability requires that you not only comply with the GDPR, but also put in place appropriate technical and organisational measures, and keep sufficient documentation to demonstrate that you have done so.

Roles & Responsibilities

Your roles and responsibilities depend on whether you decide why and how data is processed, or whether you are processing data on behalf of someone else.

Coming soon

Security

You must employ technical and organisational security measures to reduce the risk of unauthorised access, disclosure, alteration or loss of data.

Coming soon

Demonstrating Compliance

Maintain a Record of Processing activities and perform Data Protection Impact Assessments for high risk processing activities.

Coming soon

Data Breaches

Establish a response protocol in case of a data breach, and for notifying the relevant and affected parties. A breach that is likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it, and the affected individuals must be informed without undue delay where the risk is high. Keep an internal record of every breach, whether or not it was reportable.

Coming soon

Data Protection officers

Certain organisations (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data) must designate a Data Protection Officer, whose role as an independent expert is to advise on and monitor compliance with data protection laws.

Coming soon

Transfer of Data

The GDPR establishes certain rules and requirements for organisations that transfer personal data outside of the EEA (European economic area).

Adequacy Decisions

A decision made by the European Commission that a third country or international organisation ensures an adequate level of personal data protection, allowing you to transfer data to them without additional authorisation.

Coming soon

Appropriate Safeguards

Technical and organisational measures that you can take to reduce the risk to individuals when you transfer data outside of the EEA.

Coming soon

Other Situations

The GDPR lists other situations that can allow transfers to occur without Adequacy Decisions or safeguards.

Coming soon
