Although five years have passed since the adoption of the GDPR, the famed EU Regulation on data protection remains a critical topic on the agenda for many companies.

This article will provide you with the essential basics of the GDPR’s provisions to assist you in meeting its requirements.

What is the GDPR?
Why was GDPR needed?
What is personal data?
What is sensitive data?
Who are the subjects involved in the data processing?
What is a Data Processing Agreement (DPA)?
What is Penneo’s role under the GDPR?
Who does the GDPR apply to?
Who is the Data Protection Officer (DPO)?
What are the GDPR penalties?


What is the GDPR?

The General Data Protection Regulation (GDPR) is the main framework for protecting the privacy of EU citizens’ personal data.

It entered into force in May 2018 and established stronger conditions for consent, more obligations for data processors and controllers, and stricter penalties.

The GDPR lays down rules about the processing of personal data, meaning any operation performed on personal data relating to individuals in the EU, such as:

  • Collection
  • Recording
  • Storage
  • Alteration
  • Use
  • Disclosure
  • Restriction
  • Destruction


Why was GDPR needed?

GDPR was adopted due to the following reasons:

  • an increasing demand for modern legislation regulating data protection
  • a need for greater security and control over personal data
  • a need for a simplified and harmonized set of data privacy rules across the EU


What is personal data?

Personal data means any information relating to a natural living person (data subject) that allows the identification of that person, such as:

  • Name and surname
  • Home address, email address
  • Location data, IP address
  • ID card number
  • Photographic image


Personal data may relate to both private, public, and professional life. With the rise of the cloud and social media, most personal data can be obtained from online identifiers, activities on social networks, bank details, and so on.


What is sensitive data?

Some specific types of information are considered more sensitive and require stronger privacy measures. Examples are:

  • the information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
  • health-related data, genetic or biometric data
  • information concerning a person’s sexual orientation
  • criminal records


Who are the subjects involved in the data processing?

Three main stakeholders can be identified:

  1. Data processor: the person or entity who processes personal data on behalf of the controller.
  2. Data controller: the person or entity who determines the purpose and means of data processing.
  3. Data subject: the individual, private citizen whose personal data is processed by a controller or processor.

For example, Penneo provides services involving data and document management (digital signing & data collection, identity verification, document storage, etc.). Therefore, data processing is an essential part of what we do.

In providing our services to customers:

  • Penneo acts as a data processor,
  • our customers are data controllers, and
  • our users (customers’ clients, employees, stakeholders – or whoever signs a document via Penneo) are data subjects.


Subjects involved in the data processing


Moreover, a data processor can entrust some of its business functions to a third party, thereby getting access to personal data. This third party is called a sub-processor, and their data processing needs to be authorized by the data controller.


What is a Data Processing Agreement (DPA)?

The DPA is a legally binding document regulating the relationship between the data controller and data processor to ensure that they both understand and agree on their obligations, responsibilities, and liabilities.

The GDPR requires such an agreement whenever a data controller engages a third party for data processing on their behalf. For instance, when adopting software like Penneo in your company to manage documents and data, you are engaging a third party for data processing – so, you need a DPA to prove that you are acting in compliance with GDPR.

A DPA is also necessary between the data processor and its subprocessors. In that case, the data processor plays the role of the data controller and the sub-processor acts as a data processor.


What is Penneo’s role under the GDPR?

For our customers: As a SaaS company, we provide our customers with software to manage and store documents and data. Therefore, as mentioned above, we are acting as a data processor. As such, we are bound to follow our data controllers’ instructions – i.e., our customers’ requirements about the purposes and the means of data processing. Such instructions are regulated in the Data Processing Agreement (DPA) that our customers sign along with the main contract with us.

For our users: Penneo ensures that no data processing is performed for purposes other than the ones our users explicitly gave consent to. Moreover, the exercise and the effectiveness of their GDPR rights are ensured and facilitated. More information about data processing when using Penneo’s platform can be read in our End User License Agreement.

For our website visitors: We act as data controllers towards the visitors of our websites, ensuring awareness and control over the collection and processing of their personal data, as outlined in our Privacy Policy and Cookies Policy.

Sub-processors: To deliver a secure, high-quality service, Penneo has a formal policy in place to manage third-party service providers. We ensure our sub-providers have robust IT security policies by looking for risk management benchmarks such as industry certifications and security audits. Replaceable high-risk or high-impact sub-providers must produce an annually updated ISAE 3402 assurance report or similar for risk management purposes. These assurance reports are reviewed and assessed biannually to determine whether any changes or deviations in the providers’ controls can affect the risk profile of Penneo. Feel free to contact us to get an exhaustive list of our current subprocessors.


Who does the GDPR apply to?

GDPR applies to companies that:

  • are based in the EU
  • process personal data by a controller based in a country where the GDPR applies due to public international law
  • process personal data of people who are in the EU


Therefore, any enterprise (even if based outside the EU) can fall into the GDPR’s scope due to the collection or processing of information of people situated within the EU. Essentially, every business around the world is impacted.

Does GDPR apply to all companies regardless of their size?

Short answer: yes.

Still, there is an exception created to make the GDPR compliance process easier for smaller companies.

The Regulation established that firms with less than 250 employees are exempt from the record-keeping requirements – as long as their data processing is occasional and is not about sensitive data.

Companies that the GDPR applies to


Who is the Data Protection Officer (DPO)?

The Data Protection Officer is the person appointed to ensure that the company processes personal data in compliance with GDPR and applicable data protection rules.

The DPO is also responsible for handling potential questions or complaints related to data privacy rules and data protection rights.


What are the GDPR penalties?

Businesses that fail to comply with their GDPR obligations can receive administrative fines up to € 10.000.000 or up to 2% of the company’s total worldwide annual turnover, whichever is higher.

When other more severe violations occur (e.g., related to consent or data subjects’ rights), the fines can reach € 20.000.000 or up to 4% of the company’s global annual turnover, whichever is greater.

Under the GDPR, fines are administered by the Data Protection regulator in each EU country.

Before getting a fine, a company may receive warnings or be asked to temporarily stop processing data. After these measures, the Data Protection regulator can issue a fine proportionate to the infringement.

With these fundamental concepts, you’ve now done the groundwork – but there is still a lot to learn. Behind every legal burden, there’s a silver lining. So fear not – with us, the GDPR journey will get easier for your business.

Our customers can rely on Penneo for handling their documents in full compliance with GDPR and other relevant regulations.



If you're looking to learn more, we have a few suggestions for you

The 6 lawful bases for data processing under the GDPR

6 Lawful Bases for Data Processing Under the GDPR

GDPR compliance

7 Steps to Ensure GDPR Compliance

Requirements for consent under GDPR

What Are the Requirements for Consent Under the GDPR?