Why was the GDPR needed?
What does GDPR protect and regulate?
Who are the subjects involved in the data processing?
What is meant by
What's a DPA?
Who does GDPR apply to?
Does GDPR apply to you?
GDPR in 5 points
Is Penneo compliant with GDPR requirements?
How does Penneo demonstrate its compliance?
What is Penneo’s role under GDPR?
What role do digital signatures play in the process of compliance?
Are you complying?
How can Penneo help customers with the GDPR compliance process?
As new technologies have grown rapidly more sophisticated, the ability to share information has increased, and new ways in which confidentiality can be breached have emerged. As a result, public concern over privacy has come to dominate the business sphere.
In the new digital environment, the internet maps every move of its users, and digital records can live forever. We are living in the information age, where risks of privacy violation grow proportionally to the benefits of the electronic business world. Therefore, potential threats must be counterbalanced by proper and effective security measures that safeguard the right to privacy.
Companies have been gathering and processing personal information for decades, regardless of its immediate relevance and without prior specific consent from the individuals the data belonged to. Data privacy laws have been fighting such practices for the past few decades. Still, none of them has been as effective internationally as the General Data Protection Regulation - and that is perhaps due to the astounding fines it sets (up to 20 million € or 4% of the company's global annual turnover).
All you need to know
GDPR is the acronym for the EU General Data Protection Regulation, currently the main framework for safeguarding the privacy of EU citizens' personal data. Being a regulation and not a directive, the GDPR became directly legally binding on its entry into force in May 2018, without requiring the EU Member States to transpose it into national law.
The Regulation increased trust and transparency, standardized data management and protection, and provided companies in the EU market with a clear and uniform legal environment in which to conduct business. Stronger conditions for consent, greater obligations for data processors and data controllers, and more dissuasive penalties are the key points of the GDPR.
GDPR was promoted and built on two main factors:
The aim of simplifying and updating the legal framework by unifying and harmonizing data privacy laws within the EU. A major driver has most likely been the increasing demand for modern legislation capable of building legal certainty and confidence in the online environment.
The need to ensure deeper security and greater control for data subjects, both in terms of data protection (keeping data safe from unauthorized access) and in terms of data privacy (enabling users to make their own decisions about who can process their data and for what purposes). Addressing this need also reshaped organizations' approach to data protection and allowed businesses to benefit from a level playing field.
The Regulation protects fundamental rights and freedoms of individuals relating to the protection of their personal data. To this end, the GDPR lays down rules about the processing of personal data, that is any operation which is performed on personal data relating to individuals in the EU, whether or not by automated means, such as collection, recording, storage, alteration, use, disclosure, restriction or destruction.
Three main stakeholders can be identified:
1. Data controller: the individual – natural or legal person, public authority, agency or other body – which determines the purposes and means of the processing of personal data; the data controller is also in charge of exercising control over the processing and carries responsibility for it.
2. Data processor: the individual – natural or legal person, public authority, agency, or other body – which processes personal data on behalf of the controller following their instructions.
3. Data subject: a natural person (not a legal entity), an individual or private citizen, whose personal data is processed by a controller or processor.
Personal data means any information relating to a living natural person (the data subject) who is identified or identifiable by reference to identifiers such as a name, a photo, an identification number or location data. With the rise of the cloud and social media, much personal data can be obtained from online identifiers, such as an email address or a computer's IP address, activity on social networks, bank details, and so on. Personal data can also be derived from information relating to the physical, mental, economic, cultural, or social identity of a natural person and may relate to both public and professional life, as well as to private and intimate matters.
The DPA (data processing agreement) is a legally binding document signed between two key actors under GDPR - the data controller and the data processor - to ensure that they both understand and agree on their obligations, responsibilities, and liabilities.
The Regulation requires such an agreement whenever a data controller engages a third party for data processing on their behalf (that is, whenever a new data processing relationship is created between two entities, one of which acts as a data controller and the other as a data processor). GDPR also establishes what must be included in these contracts, such as the subject matter and duration of the processing, nature, and purpose of the processing, the type of personal data and categories of the data subject, and the controller's obligations and rights. Signing this agreement enables the data controller to prove they are acting in compliance with GDPR.
However, DPAs are not valuable merely because the law requires them. Their value mainly lies in the protection they provide to each party and, most importantly, to the data subjects involved, who can rely on such agreements to better understand how their personal data is handled.
The Regulation applies if one of the stakeholders (the data controller or the data processor or the data subject) is based in the EU or the EEA. To be more specific, GDPR applies to businesses that:
are established in the EU, regardless of whether the processing takes place in the Union or not.
process personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
process personal data of data subjects who are in the Union, regardless of whether the company is located in the Union or not. If the data processed belongs to an individual located in the EU (the Regulation does not specify whether the subject must reside in or be a citizen of the EU), the GDPR requirements need to be met. Therefore, any enterprise based outside the EU can fall within the Regulation's scope by collecting or processing information about people situated within the EU. This is why we can say that GDPR applies extraterritorially; essentially, every business around the world is affected.
have more than 250 employees.
have fewer than 250 employees, but their data processing is not occasional and is likely to result in a risk to data subjects' rights and freedoms because it includes special categories of particularly sensitive personal data.
What does this mean? Generally speaking, the GDPR applies to both large and small enterprises. However, taking account of the specific needs of micro, small, and medium-sized enterprises, the Regulation includes a derogation for organizations with fewer than 250 employees concerning record-keeping. Small businesses with fewer than 250 employees are exempt from having to keep records of their processing activities; however, this exemption is removed if the processing happens on a regular basis, or if the data processed concerns racial or ethnic origin, political opinions, religion, health, sexual orientation, or criminal convictions. If that is the case, smaller firms are required to keep internal records and should consider themselves equal to larger organizations in the eyes of GDPR. Moreover, companies with fewer than 250 employees will need to observe those same legal requirements if they deal with larger corporations, given the joint liability established by GDPR.
Additionally, it must be highlighted that GDPR is technology-neutral, meaning that it applies regardless of the technology used or how the personal data is retained. In other words, it doesn't matter if a business processes and stores personal data using a complex IT system or via paper-based files: as long as it is based in the EU or offers services to individuals in the EU, it will be governed by GDPR.
If you are wondering whether your business is subject to the GDPR or not, you can find it out here by answering these questions:
Is your business established in the EU?
If it is not, does your company process personal data of people who are in the EU?
Do you need to comply with the record-keeping requirements?
Are there more than 250 employees in your company?
If your company has fewer than 250 employees, does your business regularly process particular kinds of sensitive data?
If the answers are affirmative, you need to abide by GDPR and make sure your company completely and correctly follows its requirements.
GDPR in 5 points
The legal framework about data protection needed to be updated and harmonized; at the same time, greater power had to be ensured to individuals over the collection and processing of their data. GDPR successfully reached both goals and promoted transparency as a prevailing and overarching principle.
Its provisions can be summarized as follows:
It requires data processing and storage to be lawful, accurate, relevant, and limited to what is strictly necessary.
It allows data processing if the consent was freely given, informed, specific, and unambiguous – except for established cases such as contract, legal obligation, vital, public, or legitimate interest, that justify the processing without consent.
It grants data subjects wider rights (information, access, data portability, rectification, restriction, objection to profiling or to being subject to automated decision-making, erasure).
It introduces the principles of data protection by design and by default.
It imposes stiff dissuasive penalties that make non-compliance a costly mistake for obliged organizations.
GDPR & Penneo
Data protection, security, and compliance are the core areas that inform our business. Being on top of those subjects, Penneo ensures transparency and preserves customers’ trust.
Our software and procedures meet all the requirements established by GDPR. We are committed to monitoring the legal landscape to ensure our services are constantly up-to-date with the latest legislative news.
At Penneo, we have heartily embedded the two new GDPR principles (data protection by design and by default) in our operational systems. Our starting point for everything we do is to acknowledge our responsibility to protect customers' privacy. We have implemented appropriate technical and organizational measures to create the foundation for effective prevention and mitigation of vulnerabilities, breaches, and leaks while promoting a stronger awareness of information security and data protection within our organization.
Being transparent about how data is used and protected is not only required by law: it’s also our way of attracting and retaining our customers' trust. Penneo shows its dedication to compliance by continuously striving to improve its security strategy and investing in internationally recognized certifications.
Our system periodically undergoes third-party audits and assessments to ensure the most advanced protection for our customers and their data. What's more, Penneo's IT systems and websites, and all the customer data we hold, are hosted at locations within the EU by the market-leading cloud infrastructure service Amazon Web Services (AWS), a highly secure global data center provider that maintains the highest levels of compliance.
As a SaaS company, we provide our customers with software to manage and store documents and data. Therefore, data processing and storage are essential and inseparable parts of supplying our services. So we act as a data processor and, as such, we are bound to follow our data controllers' instructions, that is, our customers' decisions about the purposes and means of data processing. Such instructions are regulated in the Data Processing Agreement (DPA) that our customers sign along with their main contract with us.
As a trustworthy data processor, Penneo ensures its customers:
awareness, power, and control over the collection, processing, and storage of personal data;
no data processing is performed for purposes other than the ones they explicitly gave consent to;
the exercise and the effectiveness of their GDPR rights are ensured and facilitated.
When a data subject submits a request (using the form on our website) and specifies which of their rights they wish to exercise, our Support Team gathers the information needed to act promptly, and our DPO performs the necessary actions to satisfy the request, which is usually fulfilled within a week.
The adjustment of privacy procedures in order to legally manage personal data is achievable (and it gets easier) by adopting digital processes. Digital signatures are an essential tool to conveniently capture consent while conforming with the rules established for it by GDPR because they:
provide information about who expressed the consent, how and when this happened, who obtained it, and for what purposes;
meet the active opt-in requirement;
provide a comprehensive court-admissible audit trail;
conform to the GDPR's unbundling requirement, since they enable granular options within the digital documents (so it is possible to capture consent separately for different types of data processing) and allow the signing of documents where consent has to be obtained to be separated from the signing of other documents;
allow requesting the renewal of consent easily.
Furthermore, the digital signature can be used to securely sign data processing agreements between data controllers and data processors while respecting the Regulation.
The enactment of GDPR has forced businesses worldwide to adjust their procedures by setting up more careful data protection processes and updating privacy policies and security practices. It can still seem tricky, and it does take time to dive into; still, on the flip side, it pursues the noble goal of protecting people's information, and failure to achieve it is heavily punished with serious penalties - not to mention the reputational damage that noncompliance could cause. Scandals and legal actions related to privacy breaches and GDPR violations make headlines in the news on a regular basis; therefore, it's increasingly apparent that the costs of not satisfying GDPR provisions can be far greater than any investment made to adhere to it.
At Penneo, we firmly believe that fulfilling GDPR requirements leads to greater results than just avoiding unwelcome costly consequences. It definitely helps to build trust and enhance the company's image. For us, obeying the law implies strategic advantage as it highly contributes to positive public relations, the brand's reputation, and, as a result, to long-term profits. Comparing different providers for the same service, the legality and compliance they can demonstrate represent the decisive factor in choosing a company to do business with.
Ultimately, giving customers certainty and safety about their data privacy not only helps to strengthen the business risk management but also results in a more transparent security framework, which in turn enables greater confidence in the market and distinguishes the organization from its competitors. In this context, one could say that demonstrating compliance might be almost as important as being compliant in the first place. And this is how GDPR turns from a legal burden into a business benefit.
In light of this, our recommendation is to clearly signal and communicate to your customers and shareholders the procedures being implemented for compliance and the purpose of these procedures.
What's the current status of your organisation?
Are you sure you're doing things right? Here's a quick check-up for your business:
1. Check the personal data you collect and process:
Which categories of personal data does your business process?
Do you have a legal basis to process personal data?
Does the data processing have a legitimate purpose?
Would it be possible to handle information in a less intrusive way?
2. Inform your customers, employees and other individuals when you collect their personal data.
Your obligation of providing transparent information results in clearly stating, at a minimum:
who you are, why you are processing the data, what the legal basis is, who will receive the data (if applicable);
you should also communicate how long the data will be stored, the individual's data protection rights, how consent can be withdrawn (when consent is the legal ground for processing), and information about automated decision-making (if applicable).
3. Keep the personal data for only as long as necessary; if the data refers to your:
employees, you only need it as long as the employment relationship and related legal obligations last;
customers, you should not keep it beyond the term of the customer relationship and related legal obligations.
Make sure to delete the data when it is no longer necessary for the purposes for which you collected it.
4. Ensure the security of the personal data you are processing by limiting access to the files containing the data on your IT system and regularly updating its security settings.
If you don't store data on an IT system but use physical documents instead, you should also make sure that they are not accessible to unauthorized persons, since the GDPR is technology-neutral: it protects personal data regardless of the technology used or how the personal data is stored.
5. Keep detailed records on your data processing activities; the documentation should explain:
what type of personal data you process and for what reasons;
what categories of data subjects are concerned (employees, customers, suppliers) and what categories of recipients are involved (labor authorities, tax authorities);
the storage periods and the duration of the relationships on which the storage periods are based;
the description of technical and organizational security measures to protect personal data.
6. Entrust to compliant subcontractors: if you need to outsource activities to another company and the outsourcing involves transferring personal data you hold to that company, choose only service providers who guarantee data processing under the GDPR rules.
Our customers can rely on Penneo to handle their documents in full compliance with GDPR and other relevant regulations. When collecting and processing personal data through Penneo, users can be sure that they are handling sensitive information in compliance with the requirements established for consent, data subjects' rights, lawful processing, storage within the EU, and so on.
Penneo can help you manage and automate the digital signing processes in a fast, easy, and compliant way. With a single and effective solution, you can consistently reinforce your data security and privacy management while equipping your business with an auditable and user-friendly means to meet industry standards and legislative obligations.
See our Data Processing Agreement to get a clearer view of the guarantees we offer.