Is there life on Mars? What secrets does a black hole hold? What requirements are at the heart of GDPR? The last question may not be as exciting as the first two, but it affects each of us in the digital age. GDPR is not just a set of letters or a piece of legislation. It is a beacon in the world of data privacy, a magic word that can both open and close many doors. Our clients often ask questions about GDPR, trying to understand its intricacies. That's why we've compiled 5 of the most common questions and provided specific answers.

1. How does GDPR affect small companies?

Company size doesn't affect GDPR compliance, because small companies still need to obtain consent to collect and process personal data from Users. However, for many small companies, complying with these requirements can be more difficult due to limited resources. Nevertheless, it is unacceptable to ignore or circumvent these laws, as the penalties for violation can be substantial.

Plus, GDPR compliance promotes trust from customers and business partners, which in turn impacts business growth and development. GDPR compliance is not just a legal necessity but an investment in a company's long-term success.

2. Does GDPR affect companies based in the US?

GDPR does not only affect companies in the European Union. This law also applies to other countries. If your company processes the data of at least one EU resident, you are subject to these rules.

There are two main criteria under which GDPR applies: having an "establishment" in the EU and "targeting".

• If a company outside the EU has a branch or representative office there (in the EU), it must comply with GDPR. This even applies to marketing and advertising activities

• GDPR also applies to those companies that target EU residents. This includes online activities such as the use of cookies, advertising, and the sale of goods and services. Even if you don't have a presence in the EU, you are still covered by GDPR if your services are targeted at EU residents

3. When do I need to post a Privacy Policy on my website?

A privacy policy is a basic requirement for any website, service, or company that handles personal data. Users need to understand what happens to their data. The use of cookies and other analytical tracking tools is a sufficient reason to create a privacy policy.

Why it matters:

• Legal Requirements. In many jurisdictions, including the European Union and the United States, it is mandatory to post Privacy Policies. Failure to do so can result in fines and penalties

• E-commerce. If your site makes sales or collects information for future transactions, having a Privacy Policy is mandatory to reassure customers that their financial data is secure

• Social Responsibility. Posting a Privacy Policy and following it is part of a company's social responsibility. It is a statement that you value privacy not only as a legal requirement but also as a fundamental human right

4. Who should ensure GDPR compliance in the organization? Do you need to hire a data protection officer (DPO)?

The responsibility for GDPR compliance lies with the company itself. The law includes data protection principles and requires proof of compliance. Companies are given a number of tools to do this and some of them are mandatory.

If your business handles sensitive data on a large scale or is involved in 'profiling' people, it may be necessary to appoint a DPO (Data Protection Officer). This role is important as the DPO ensures compliance with laws on the processing of personal data. It's not just a formality, but key to transparency with those who entrust you with their data.

In some cases, hiring a DPO may not only be good practice but also a legal requirement.

5. What are the penalties for GDPR violations? Do authorities actually fine for GDPR violations?

Failure to comply with GDPR carries legal sanctions — fines and sometimes more serious measures. Regulatory authorities have the power to investigate, impose financial penalties, and even restrict a company's operations.

Case

In 2020, the Italian regulator fined the American company Clearview AI 20 million euros. The company collected selfies on the Internet without people's consent for its database of individuals, which it sold to law enforcement agencies. Thus, violated the norms of GDPR. In addition to the fine, the authorities demanded the removal of all data on Italians and prohibited further processing of biometric data.

The GDPR penalty system is designed to make it impossible for companies to ignore data protection requirements. Fines can reach 10 million euros or 2% of annual turnover for less serious violations, and 20 million euros or 4% of annual turnover for more serious violations. Authorities are actively fining for GDPR violations. Evidence of this can be found on the Enforcement Tracker website, which provides examples and amounts of fines for violations.