Introduction to the GDPR
The new privacy regulation concerns the processing of personal data of people in the European Union. It applies to every company and professional established in the Union, and also to those established elsewhere that offer goods or services to people in the Union or monitor their behaviour.
The "General Data Protection Regulation", also known as the GDPR, entered into force on May 24, 2016 and has applied in full since May 25, 2018, with more severe penalties than the previous privacy rules. Fines can reach 20 million euros or 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.
The GDPR concerns you whether or not you sell to consumers, because the personal data it regulates also include the data of your employees and of the owners of the company itself.
Note
This documentation is written for informational purposes only and does not constitute legal advice. Please contact your legal counsel to receive adequate legal advice.
Who is protected by the GDPR?
The GDPR aims to protect the personal data of individuals while still allowing companies and professionals to process personal data where they need to in order to conduct their activity or to comply with the law.
The personal data referred to by the regulation is any information that identifies or would make an individual identifiable.
Data relating to companies are therefore excluded from personal data, but personal data of a person acting in a professional capacity, such as an employee of a company, are included.
For example, the billing data of an order are all personal data if they concern an individual. If they concern a company, some of the data, such as the first and last name of the contact who placed the order, are still personal data and therefore protected by the regulation.
Within the scope of the regulation and with respect to the data you process, you are the data controller. You decide the purposes of the processing, which data to process, for how long, and you are responsible for the integrity and confidentiality of the data.
We will see later that part of the security responsibility can be delegated to third parties who help you in processing data.
How to process personal data
You must process personal data:
- for a specific and explicit purpose
- only for the strictly necessary time
- with security measures to ensure integrity and confidentiality
Privacy notice
When a person provides you with their personal data, you must give them a set of information commonly referred to as a privacy notice:
- your identity and contact details as data controller,
- the purpose and legal basis of processing,
- your legitimate interest if processing is based on legitimate interest,
- any recipients or categories of recipients of personal data,
- the time during which data will be retained,
- their rights over personal data, such as rectification, withdrawal of consent, deletion, access, and portability,
- the right to lodge a complaint with a supervisory authority.
Legal basis for processing
The regulation requires that data processing be lawful. This means that the legal basis on which your processing rests (that is, your right to process the data) must be at least one of the following:
- consent: the data subject, that is the person to whom the personal data relates, has given you consent to processing.
- contract: you have a contract with the data subject, such as an order.
- legal obligation: you must comply with a legal obligation, such as keeping invoices for several years.
- legitimate interest: you have a legitimate interest in processing personal data, such as contacting a customer who has expressed interest in your products.
There are others, but these listed are the ones that should concern you.
Consent
Consent is one of the legal bases for processing. If you have no other right to process data, asking for the data subject's consent is the proper way to comply.
For consent to be valid, all of the following must occur:
- the data subject must give consent by a clear affirmative action; a checkbox that is already ticked, for example, is not valid consent.
- consent must be specific, meaning it must concern a single processing purpose, so different purposes require separate consents.
- the conclusion of a contract must not be made conditional on consent to a processing that is not necessary to perform that contract.
Legitimate interest
Legitimate interest is another legal basis for processing. The criteria on which it is based are not well defined and therefore, in case of doubt, it is better to ask for consent to have a more solid legal basis for processing.
Legitimate interest covers the legitimate activities you undertake in your professional activity, including commercial communications. However, you must pay attention to other laws, such as the rules on electronic marketing, that prohibit sending emails for commercial purposes unless you have first obtained consent to send them.
For the full list of information to provide, and in which situations, see Article 13 of the regulation.
Using third parties for processing
You most likely rely on third parties for services that facilitate the collection and processing of data, such as hosting, sending emails and newsletters, managing the online store, and receiving payments.
If these companies or professionals do not decide on the processing of personal data, meaning they do not decide which processing to do, which data to manage, or when data must be updated or deleted, but only offer their services to carry out the processing, then under the GDPR they are called processors: parties who process personal data on your behalf and on your instructions.
The GDPR (Article 28) requires a written contract between you as data controller and your processor. The contract must specify, among other things, the nature and purpose of the processing and the types of personal data and categories of data subjects concerned. In general, these contracts are predefined by the processor.
Processor tasks may include the security of the network, servers, and applications (depending on the type of service offered) and therefore they take responsibility for part of data security.
If the third party you rely on for services decides autonomously which processing to do and for what purposes, then it will not be your processor but a third-party data controller.
Rights of European citizens
The GDPR grants individuals several rights over their personal data that are processed by data controllers.
You, as data controller, are responsible for guaranteeing these rights, while the processor should provide you with appropriate tools so you can comply with privacy regulations.
Data rectification
A person has the right to have their personal data in your possession updated and accurate. They can request rectification at any time and you, as data controller, must rectify them.
When you receive a rectification request, which data should you change? The customer record, certainly, because it must always be up to date. Data on an old order completed long ago, or on last year's invoice, should not be updated, since they document what was true at the time.
See also how to respond to a rectification request with Open2b.
Withdrawal of consent
A person must be able to see which consents they have given and must be able to revoke them, and revoking consent must be as easy as granting it. For example, if you request consent on the site for a processing, you must provide the ability to revoke that consent directly from the site.
Consent withdrawal can of course be done only if consent was previously granted. If the processing is not based on consent, for example it is based on a legal obligation, then the data subject will have no consent to revoke.
See also how to respond to a consent withdrawal request with Open2b.
Data deletion
A person has the right to ask you to delete all the personal data you hold about them. Case by case, you must determine which data to delete, which to restrict processing of, and which to refuse deletion of and continue processing.
If processing is lawful and still necessary for its purpose, and it is based on a contract or a legal obligation, you can refuse deletion.
If instead processing is based on consent or legitimate interest, you should delete the data when the data subject asks.
If you no longer have any legal basis to process the data, or processing is no longer necessary for its purpose, you should delete them without waiting to be asked.
See also how to respond to a data deletion request with Open2b.
Access and portability
A person has the right to access the personal data you hold about them, and to receive a copy in a structured, commonly used and machine-readable format.
You must provide, on request, the data that satisfy all of the following conditions together:
- processing is based on consent or a contract and is carried out by automated means
- they concern the data subject
- they were provided by the data subject, directly or indirectly (for example through forms filled out or browsing data on the site). Data that you have deduced or derived from what was provided do not count as provided by the data subject.
For other personal data concerning the data subject, it is at your discretion whether to include them in the portability export.
You must also verify the identity of the requester before releasing any data; otherwise a portability request becomes an easy way to obtain someone else's data. For example, require the data subject to log in to your site and download the export from their own account, rather than sending it to an address given in the request.
See also how to respond to a portability request with Open2b.
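The deletion and portability rules above can be applied item by item if every personal-data item you hold is tagged with its legal basis and with whether the data subject supplied it. The following is an added example, not Open2b code: the records, field names and the Session object are constructed for illustration, and the policy of retaining contract and legal-obligation data while deleting consent and legitimate-interest data follows the text above.

```python
"""Deciding erasure and portability requests per data item (added example).

Each item carries its legal basis and whether the data subject provided it,
so an erasure request (delete / retain) and a portability request (which
items to export) are decided item by item. All records and names below are
constructed for illustration, not taken from any real system.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass
class Item:
    subject_id: str            # whose personal data this is
    category: str              # e.g. "customer_profile", "invoice_2017"
    legal_basis: str | None    # "consent", "contract", "legal_obligation",
                               # "legitimate_interest", or None if none remains
    provided_by_subject: bool  # supplied by the subject (form, browsing) or derived by us
    still_needed: bool         # still necessary for the purpose it was collected for
    data: dict


@dataclass
class Session:
    subject_id: str            # identity verified by the site's own login (assumed)
    authenticated: bool


def decide_erasure(item: Item) -> str:
    """Return 'delete' or 'retain' for one item on an erasure request.

    Items with no remaining legal basis should already have been deleted
    without waiting for a request, so they are deleted here as well.
    """
    if item.legal_basis is None or not item.still_needed:
        return "delete"
    if item.legal_basis in ("contract", "legal_obligation"):
        return "retain"          # e.g. invoices kept for the statutory period
    if item.legal_basis in ("consent", "legitimate_interest"):
        return "delete"
    raise ValueError(f"unknown legal basis: {item.legal_basis!r}")


def handle_erasure(items: list[Item], subject_id: str) -> dict[str, list[str]]:
    """Split the subject's items into categories to delete and to retain."""
    result: dict[str, list[str]] = {"delete": [], "retain": []}
    for item in items:
        if item.subject_id == subject_id:
            result[decide_erasure(item)].append(item.category)
    return result


def portable_items(items: list[Item], subject_id: str) -> list[Item]:
    """Items that must be handed over on a portability request."""
    return [
        i for i in items
        if i.subject_id == subject_id
        and i.legal_basis in ("consent", "contract")
        and i.provided_by_subject          # derived data is not portable
    ]


def export_portable_data(session: Session, items: list[Item]) -> str:
    """Build the machine-readable export, only for the authenticated subject.

    The subject id comes from the verified session, never from the request
    body, so one user cannot download another user's data.
    """
    if not session.authenticated:
        raise PermissionError("identity must be verified before releasing data")
    payload = {
        "subject_id": session.subject_id,
        "items": [
            {"category": i.category, "data": i.data}
            for i in portable_items(items, session.subject_id)
        ],
    }
    return json.dumps(payload, indent=2, sort_keys=True)


# Constructed sample data: one customer "c-1001" and an unrelated "c-2002".
SAMPLE_ITEMS = [
    Item("c-1001", "customer_profile", "contract", True, True,
         {"name": "Anna Rossi", "email": "anna@example.com"}),
    Item("c-1001", "invoice_2017", "legal_obligation", True, True,
         {"number": "2017/145", "total": "120.00"}),
    Item("c-1001", "newsletter_subscription", "consent", True, True,
         {"email": "anna@example.com", "lists": ["offers"]}),
    Item("c-1001", "purchase_propensity", "legitimate_interest", False, True,
         {"segment": "high"}),                       # derived by us: not portable
    Item("c-1001", "abandoned_cart_2016", None, True, False,
         {"items": ["sku-42"]}),                     # purpose over: delete anyway
    Item("c-2002", "customer_profile", "contract", True, True,
         {"name": "Luca Bianchi"}),
]


if __name__ == "__main__":
    print(handle_erasure(SAMPLE_ITEMS, "c-1001"))
    print(export_portable_data(Session("c-1001", True), SAMPLE_ITEMS))
```

Note that the invoice is retained but the derived propensity segment is deleted, and that the export for "c-1001" contains the profile and newsletter data but neither the invoice nor the derived segment, nor anything belonging to "c-2002".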
Objection to processing
A person has the right to object, on grounds relating to their particular situation, to processing based on legitimate interest, unless you can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal claims.
In addition, a person always has the right to object if data are processed for direct marketing purposes including related profiling.
See also how to respond to an objection to processing request with Open2b.
Record of activities
As data controller you must maintain the so-called record of processing activities (Article 30), which contains the same information that must appear in the privacy notice plus, where possible, a general description of the technical and organizational security measures you adopt (as per Article 32, paragraph 1).
Companies with fewer than 250 employees are exempt from keeping the record only if their processing is occasional, is unlikely to pose a risk to the rights and freedoms of data subjects, and does not involve special categories of data. Given how vague the term "occasional" is, it is recommended to always draft the record of processing activities.
Supervisory authorities may request a copy of the record.
Further reading
- Rules for businesses and organizations drafted by the European Commission.
- Text of Regulation 2016/679 (GDPR)