The European Union has made a great leap with the General Data Protection Regulation (hereinafter GDPR), setting a uniform standard for how data subjects' rights are protected. As a regulation, GDPR applies directly in every Member State of the Union; although it leaves Member States room to adapt certain provisions (for example the age at which a child can give consent), these local choices do not change its core requirements. GDPR has been structured to regulate every aspect of personal data processing in a single instrument and to extend its protection beyond the Union's territory to organizations that offer goods or services to, or monitor the behavior of, people in the EU. Moreover, its 'six principles' set a minimum protection standard even for situations that the Regulation does not address directly. However, in addition to GDPR, several Member States apply stricter measures to certain activities in specific sectors; these additional requirements come either from Union-wide supplementary legislation or from local laws. Examples are the ePrivacy Directive, which significantly changes the rules for marketing communications, and local anti-money-laundering laws, which set different retention periods for certain categories of data and limit what may be disclosed to the data subject. Consequently, the legal landscape of the Union is more complicated than it appears, and a company's business activities need detailed inspection to ensure compliance with all applicable laws. Our experts are ready to navigate you through this complicated legal regime and help you ensure that your compliance is intact.
GDPR is built on six core principles that ensure the protection of personal data even in circumstances the law has not explicitly regulated:
Lawfulness, fairness and transparency
An entity handling personal data must act in good faith, ensure that the data is processed on a lawful basis (obtaining the necessary consents where consent is the basis relied on), and explain the processing to data subjects in a clear and accessible manner.
Purpose limitation
Personal data must not be used for purposes beyond those for which it was collected and communicated to the data subject. If an entity wishes to use the data for another purpose, it must have a lawful basis for that purpose (for example fresh consent) before starting.
Data minimization
Entities must process only the personal data that is strictly necessary for the purpose agreed with the data subject.
Accuracy
Entities that collect personal data take on the responsibility to keep it accurate and up to date, and to put in place the procedures or systems needed to erase or rectify inaccurate data without delay.
Storage limitation
Entities are under a strict obligation to keep personal data no longer than necessary; data whose retention period has expired must be appropriately deleted.
Integrity and Confidentiality
Entities must process personal data in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (for example encryption, access control and tested backups).
Gofaizen & Sherle provides the following services to their clients to ensure that they are compliant with the requirements of GDPR.
We will help you draft this document so that it corresponds to the law and meets the requirements of the relevant country, so that you collect the required data safely and lawfully.
Websites collect information to keep their services running smoothly, usually based on the visitor's behavior. The website sends this information to the browser, which stores it locally in a small file: a cookie. Cookies usually hold preferences and settings rather than information about the user's personal traits, although some (for example analytics and advertising identifiers) can be used to recognize a person across visits and are therefore personal data. Once stored, the browser keeps the cookie and sends it back to the website on later requests. A user can find these files in the browser and delete them if necessary, and most websites ask visitors for permission before using non-essential cookies.
Most websites use the following types of cookies:
Visitors must be able to refuse all cookies except those that are strictly necessary for the service they requested; setting non-essential cookies without consent is unlawful. We will help you create cookie policies that meet the law and the reasonable privacy expectations of every visitor and organization.
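As an added example (not code from Gofaizen & Sherle or this page), the following script shows how a site can enforce the rule above in practice: every cookie is registered with a category, strictly necessary cookies are set unconditionally, every other category is set only when the stored consent record allows it, cookies are expired when consent is withdrawn, and an audit function lists cookies found on the site that the current consent does not justify. The registry entries, cookie names and consent record are constructed sample data; the cookie attributes (Secure, SameSite, Max-Age, HttpOnly) are standard Set-Cookie attributes.

```javascript
// Consent-gated cookie handling (added example; constructed sample data throughout).

// Cookie categories and whether each one needs the visitor's consent.
const CATEGORIES = {
  strictly_necessary: { requiresConsent: false },
  functional:         { requiresConsent: true },
  analytics:          { requiresConsent: true },
  marketing:          { requiresConsent: true },
};

// Every cookie the site sets must be registered here with its purpose and lifetime.
// maxAgeSeconds 0 means a session cookie (no Max-Age attribute).
const COOKIE_REGISTRY = {
  session_id: { category: 'strictly_necessary', maxAgeSeconds: 0 },
  csrf_token: { category: 'strictly_necessary', maxAgeSeconds: 0 },
  ui_lang:    { category: 'functional',         maxAgeSeconds: 365 * 86400 },
  _ga:        { category: 'analytics',          maxAgeSeconds: 2 * 365 * 86400 },
  ad_id:      { category: 'marketing',          maxAgeSeconds: 90 * 86400 },
};

// Consent record as it would be persisted in a first-party cookie or localStorage.
// The default is "no consent" for every category that requires it (no pre-ticked boxes).
function defaultConsent() {
  return { strictly_necessary: true, functional: false, analytics: false, marketing: false };
}

// A cookie may be set only if it is registered and its category is either
// exempt from consent or explicitly consented to.
function isAllowed(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;                      // unregistered cookies are never set
  if (!CATEGORIES[entry.category].requiresConsent) return true;
  return consent[entry.category] === true;
}

// Build the attribute string for document.cookie / Set-Cookie, or null if not allowed.
function buildCookie(name, value, consent, opts = {}) {
  if (!isAllowed(name, consent)) return null;
  const entry = COOKIE_REGISTRY[name];
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (entry.maxAgeSeconds > 0) parts.push(`Max-Age=${entry.maxAgeSeconds}`);
  if (opts.httpOnly) parts.push('HttpOnly');    // only meaningful when sent by the server
  return parts.join('; ');
}

// Names of registered cookies that must be expired because consent for their
// category was withdrawn between the previous and the new consent record.
function cookiesToExpire(previousConsent, newConsent) {
  return Object.keys(COOKIE_REGISTRY).filter((name) => {
    const { category } = COOKIE_REGISTRY[name];
    return CATEGORIES[category].requiresConsent
      && previousConsent[category] === true
      && newConsent[category] !== true;
  });
}

// Attribute string that deletes a cookie (Max-Age=0 expires it immediately).
function expireCookie(name) {
  return `${name}=; Path=/; Max-Age=0`;
}

// Audit helper: given the cookie names observed on the site (e.g. parsed from
// document.cookie or a crawler's jar), return those the current consent does not justify.
function findUnlawfulCookies(observedNames, consent) {
  return observedNames.filter((name) => !isAllowed(name, consent));
}

// Stand-alone run with constructed data.
const noConsent = defaultConsent();
const analyticsConsent = { ...noConsent, analytics: true };
console.log(buildCookie('session_id', 'abc', noConsent, { httpOnly: true }));
console.log(buildCookie('_ga', 'GA1', noConsent));            // null: no consent yet
console.log(buildCookie('_ga', 'GA1', analyticsConsent));
console.log(cookiesToExpire(analyticsConsent, noConsent).map(expireCookie));
console.log(findUnlawfulCookies(['session_id', '_ga', 'ad_id', 'tracker_x'], noConsent));
```

The registry is the important design choice: a consent banner alone does nothing if third-party scripts can still set cookies, so the site should load analytics and marketing tags only after `isAllowed` returns true for their cookies, and the audit function should be run against the live site after the banner is dismissed without consent to confirm that only strictly necessary cookies remain.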
Different assessments serve different purposes and objectives. Where privacy is concerned, an organization can understand the risk it is exposed to by performing a Data Protection Impact Assessment (DPIA) or a Privacy Impact Assessment (PIA).
A DPIA is a necessary and crucial tool for assessing new products and systems before they are introduced into the business, and GDPR requires one whenever the processing is likely to result in a high risk to data subjects. It may also be performed at any later point when changes or additions to an existing service raise a suspicion of high risk to data subjects' personal data. This assessment is the cornerstone of a privacy program: it helps to understand the risks associated with internal and external processes, pinpoint their sources, and identify the necessary remedies.
A PIA, on the other hand, is used to understand the risks associated with the collection of personal data and is usually performed to identify, document, and manage the risks to a person's privacy. With a PIA, the company verifies the lawfulness of its data gathering, evaluates the risks to data security, and minimizes the potential harm to individuals' data.
All of these assessments help with understanding:
Through these assessments, a company demonstrates that it applies the six principles and commits to being accountable for the data it receives: using it only when needed, securing it, and dealing with its clients on fair and transparent grounds.
A company must put in place agreements that explain how information is gathered and processed by the company and the third parties involved. These agreements are concluded between organizations to clearly identify the roles of the parties and to set out the services provided. The form and content of the agreement depend on the relationship between the organizations and on whether each is a controller, joint controller, or processor.
GDPR compliance is impossible without an accurately drafted data processing agreement (DPA). Gofaizen & Sherle provides this service to guarantee lawful collaboration between service providers and their partners, and it helps clients understand how their data is collected, stored, and used.
How can one know that the chosen companies collect and use data lawfully? That is where a GDPR audit is required. A GDPR audit must be performed by a specialist who knows all the rules that apply in the specific state or region. If a company does not have such a person, we can act as its audit firm. An audit is a must for companies that want to:
The audit may require several steps to meet international standards and rules and to deliver the desired results.