Frequently asked questions on the EU GDPR General Data Protection Regulation


+ How CONOVAH can help you?

We can offer various services in this area, for example:

  1. Help to structure your implementation of the EU Personal Data Regulation.
  2. Initial review of your compliance with the requirements of the EU Personal Data Regulation.
  3. Counseling in specific areas where you need it most.
  4. Hotline function for clarifying legal issues.
  5. External DPO function.
  6. Develop procedures and processes.
  7. Training and instruction.

+ What is personal data?

Personal data is a general term that includes all information that is relating to an identifies or identifiable person, but also sensitive data such as health information. This also applies to data that can only be related to a particular person in combination with other information. This applies even if the information is replaced by a code or is encrypted.

You can divide the information into:

  • General personal data
  • Social Security No. (DK)
  • Criminal record
  • Special categories of personal data (sensitive data)

This makes a difference depending on how you can do with such data.

+ What is special categories of personal data?

Special categories of personal data are defined as data revealing information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, also information on health and sexual relations are included.

The new regulation also includes genetic and biometric data. Biometric data is information about physical characteristics, such as fingerprints.

+ Are you the data controller?

You are the data controller if you have overall responsibility for the purposes and the means of processing personal data. This also applies if there are others who process the data on your behalf.

+ Are you the data processor?

You are the data processor if you process data on behalf of a data controller and following instructions from a data controller. A data processor never processes data for any own purposes.

+ Do you in control of your data processors?

One of the tasks is to find out who actually processes data on behalf of your company. Here it is good to start in the IT department, but all experience shows that you also need to get hold of the employees around the company, because almost always several programs are used, which the IT department is not aware of.

When you know who is processing data for you, you should give them a critical review and see whether they are all necessary in the future. For those that are necessary you need to have a data processing agreement with. It is the responsibility of the data controller to control this.

+ What types of treatments are included?

All personal data processing done by automated means and other non-automatic processing that is or will be contained in a filing system. The regulation includes any form of handling, such as collection, recording, structuring, storage, disclosure, deletion etc.

You must have a legal basis to process personal data; in addition, there are some basic principles for the treatment, including that the treatment must be factual, necessary and proportional.

Please be aware that the authority you may have to collect information, may not give you authority to disclose the information.

First of all, there is a number of provisions in the regulation that allow for many of the processing’s regular enterprises do. If you can’t find a legal basis for your processing here, it is a possibility in most cases to obtain a consent from the person that you want to process data about. A request for consent must be given freely an be specific, informed and unambiguous of the data in question. The request must be in a clear and simple language that is easily understood. It should also be possible to withdraw the consent just as easy as giving it.

Please note, that there are special rules for consent regarding children.

+ Should you make a data protection impact assessment (DPIA)?

Under the regulation, companies that have data processing that are likely to involve a high risk that shall prior to the processing carry out an impact assessment.

In reality, you can argue that you will have to go through the consequences of your processings no matter what in order to document whether you have such processings or not.

+ What are the rights of the registered person (data subject)?

The regulation gives the data subjects a number of rights, for example information that data is processed, right to access, right to rectification and right to erasure. There are also a number of limitations in the rights.

Individuals who are exercising their rights should have response without undue delay and normally within one month. Companies should therefore be prepared for such inquiries and able to respond to such requests when they appear.

+ What is a DPO and who should have one?

A DPO is a Data Protection Officer. Only public authorities and certain private companies that process data by virtue of their nature or large scale of special categories of data, such as private hospitals, insurance companies, etc., must have a DPO. A DPO does not have to be employed internally in the company. If your company must have or wants a DPO, CONOVAH can offer such services.

+ Fines?

The regulation allows fines up to 4% of the company's turnover.

The future will show how the new fine options will be used in practice.