The EU’s GDPR came into force in 2018, introducing stricter rules and harsher non-compliance penalties for companies processing the data of EU/EEA citizens. Besides providing individuals with more control over their data, the GDPR harmonizes data protection and privacy laws across the EU, thus simplifying the regulatory environment for businesses.


What is the GDPR?

The General Data Protection Regulation, aka the GDPR, is a legal act that regulates the processing of EU/EEA individuals’ personal data. It is enforceable in all EU/EEA countries and has primacy over national laws.

The main reasons behind the adoption of the GDPR are:

  • the growing demand for modern legislation regulating data protection in the digital age
  • the need for increased control of EU/EEA individuals over their personal data
  • the need for a uniform framework for data protection and privacy legislation across the EU/EEA


What does the GDPR protect?

The GDPR protects EU/EEA individuals’ personal data. Personal data is any type of data that allows for direct or indirect identification of an individual. Examples of personal data include:

  • Full names
  • Home addresses
  • Email addresses
  • IP addresses
  • Phone numbers
  • Cookie IDs

The GDPR deems special categories of personal data extra sensitive and, in most cases, prohibits companies from processing them. Sensitive personal data is information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life or sexual orientation, trade union membership, or health. Biometric and genetic data also fall in the special categories of personal data.


Who needs to comply with the GDPR?

Every company, inside or outside of Europe, that collects, stores, and manages the personal data of EU/EEA citizens needs to comply with the GDPR.

However, companies with less than 250 employees don’t have to keep records of the processing activities they carry out if:

  • the processing is occasional
  • the processing is unlikely to result in a risk to the rights and freedoms of individuals
  • the processing doesn’t include special categories of data or personal data relating to criminal convictions and offenses

This exemption is designed to simplify GDPR compliance for small and medium-sized companies.


Who are the data subjects, data controllers, and data processors?

A data controller is an individual or legal entity that determines why and how personal data should be processed.

A data subject is an individual whose personal data is processed by an individual or legal entity.

A data processor is an individual or legal entity that processes data on behalf of a data controller.

Some data processors also entrust some of their business functions to third parties, thereby providing them access to personal data. Such third parties are called sub-processors, and their data processing needs to be authorized by the data controller.

Let’s take Penneo, for example. We are a third-party digital signatures and KYC verification provider for various companies across the EU. These companies are our customers, and we process their client’s data on their behalf. Therefore, Penneo is a data processor, our customers are data controllers, and our customers’ clients are data subjects.

Data subjects, data controllers, and data processors

The relationship between the data controller and data processor is regulated by a Data Processing Agreement (DPA). A DPA is a legally binding document that ensures that both parties understand and agree on their obligations, responsibilities, and liabilities.

The GDPR requires such an agreement whenever a data controller engages a third party for data processing on their behalf. A DPA is also necessary between the data processor and its sub-processors.


What are the 7 data protection principles set out by the GDPR?

The GDPR sets out the following seven principles relating to the processing of personal data:

1. Lawfulness, fairness, and transparency

You should always have a lawful basis for processing personal data. Under the GDPR, there are six legal bases for data processing:

  • Consent
  • Contract
  • Legal obligations
  • Vital interests
  • Public task
  • Legitimate interest

Besides lawfulness, fairness and transparency play a key role in how organizations should handle personal data. Therefore, you should:

  • clearly inform individuals about why they collect the data and how will they use it
  • only process personal data in ways that individuals would reasonably expect

2. Purpose limitation

If you collect data for a specific purpose, you should not use it for other unrelated purposes.

3. Data minimization

You should only process data that is absolutely necessary to fulfil the specified processing purposes.

4. Accuracy

Under the GDPR, you have a legal responsibility to ensure that the personal data you process is accurate and up-to-date.

5. Storage limitation

Once the data doesn’t serve its original processing purposes anymore, you should properly dispose of it.

6. Integrity and confidentiality

You should take appropriate steps to ensure the confidentiality and integrity of the personal data you process, such as using role-based access control and encryption.

7. Accountability

You should implement measures that can help you ensure and demonstrate GDPR compliance. For example, implementing data protection policies, documenting processing activities, and appointing a data protection officer.


What are the GDPR penalties?

Businesses that fail to comply with their GDPR obligations can receive administrative fines of up to € 10.000.000 or up to 2% of the company’s total worldwide annual turnover, whichever is higher.

When more severe violations occur (e.g., related to consent or data subjects’ rights), the fines can reach € 20.000.000 or up to 4% of the company’s global annual turnover, whichever is greater.

Under the GDPR, fines are administered by the national authority that supervises compliance with the rules on data protection and privacy in each EU country.

Before getting a fine, a company may receive warnings or be asked to temporarily stop processing data.


How does Penneo ensure GDPR compliance?

Both Penneo Sign and Penneo KYC are GDPR-compliant platforms, so you can rest assured that your data is in safe hands.

Here’s how we ensure the utmost protection of our customers and their client’s data:

  • Penneo only processes our customers’ and their clients’ data per the Data Processing Agreement that both parties signed at the beginning of the business relationship.
  • Penneo implemented strong security controls to prevent unauthorized access to the personal data it handles. These security controls include encryption of stored data, role-based access control, multi-factor authentication, and regular backups.
  • Penneo makes it easy for data subjects to exercise their rights under the GDPR. For example, if you want your personal data erased, you can contact Penneo, and we will comply with your request.
  • Penneo allows its customers to add extra layers of security to their data. For example, customers can enable end-to-end encryption, request recipients to authenticate themselves to view the documents, and schedule the automatic deletion of personal data.

Do you want to know more? Contact us and request a copy of Penneo Sign’s ISAE 3000 report or Penneo KYC’s ISAE 3000 report. If you are not a Penneo customer yet, you’ll have to sign a non-disclosure agreement first.



If you're looking to learn more, we have a few suggestions for you

9 expert tips for picking the perfect KYC solution

9 expert tips for picking the perfect KYC solution

eIDAS 2.0

eIDAS 2.0 and its impact on digital transactions and identity verification

EU unveils ambitious AML package

EU unveils ambitious AML package