What is GDPR? How did it increase trust and transparency? What do you need to know?

As technological advancement increased the ability of sharing information, including personal and sensitive data, new ways in which privacy can be breached have been created.

In the new digital environment, computers can permanently store records of everything, from gathering private info to mapping every move of their users. We are living in the information age, where risks of privacy violation increase proportionally to the benefits of the electronic business world. It is therefore imperative for potential threats to be counterbalanced by proper and effective security measures that safeguard the right to privacy.

Protecting our customers and their businesses privacy is a crucial factor in our mission. All our processes comply with the highest security standards, from authentication to encryption.

What is GDPR?

GDPR is the acronym used to indicate the EU General Data Protection Regulation, the most recent and important Regulation on data protection and privacy in the European Union. Being a Regulation and not a directive, the GDPR became directly legally binding since its entry into force in May 2018 without requiring EU Member States to transpose it into national laws. Leading to more standardized data management and protection, the Regulation enhanced customers' privacy while providing companies in the EU market with a clear and uniform legal environment to conduct business. Stronger conditions for consent, greater obligations for data processors and data controllers and more dissuasive penalties represent the main key points of the GDPR.

How did it increase trust and transparency?

There are two main factors on which the GDPR was built and promoted:

  • The purpose of simplifying and updating the legal framework, while unifying and harmonizing data privacy laws within the EU. A major drive has most likely been the increasing demand of a modern legislation capable of building legal certainty and confidence in the online environment.
  • The need of ensuring deeper security and greater control powers to data subjects, both in terms of data protection (meant as keeping data safe from unauthorized access) and in terms of data privacy (that is enabling users to make their own decisions about who can process their data and for what purpose).

Addressing this necessity concurrently reshaped organizations' approach to data protection and allowed businesses to benefit from a level playing field.

GDPR Overview

What does the GDPR protect and regulate?

The Regulation protects fundamental rights and freedoms of individuals relating to the protection of their personal data. To this end, the GDPR lays down rules with regard to the processing of personal data, that is any operation which is performed on personal data relating to individuals in the EU, whether or not by automated means, such as
collection, recording, storage, alteration, use, disclosure, restriction or destruction.

Who are the subjects involved in the data processing?

The three main stakeholders are

  • Data controller: the individual - natural or legal person, public authority, agency or other body - which determines the purposes and means of the processing of personal
    data. The data controller is also in charge of exercising control over the processing and carrying data protection responsibility for it.
  • Data processor: the individual - natural or legal person, public authority, agency or other body - which processes personal data on behalf of the controller and following its
    instructions. However, a data processor can itself exercise some control over the technical aspects of processing within the limits set by the data controller.
  • Data subject: natural person (not legal entities), individual, private citizen, whose personal data is processed by a controller or processor.


What is meant by "personal data"?

Personal data means any information relating to a natural living person (data subject) who is identified or identifiable by reference to means of identification such as a name, a photo, an identification number, location data. With the rise of the cloud and social media, the majority of personal data can be obtained from online identifiers, like email or computer's IP address, activities on social networks, bank details, and so on. Personal data can also be acquired from information relating to physical, mental, economic, cultural or social identity factors of that natural person and may relate to both public and professional life as well as to private and intimate matters.

What's a DPA?

The DPA (data processing agreement) is a legally binding document signed between two key data processing actors under GDPR, the data controller and the data processor, in order to ensure that they both understand their obligations, responsibilities and liabilities. Whenever a data controller engages a third party for the purpose of data processing on their behalf, the GDPR requires a data processing agreement with specific terms which also enables the data controller to demonstrate their compliance with the GDPR.

The GDPR also establishes requirements for what must be included in these contracts, which should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.

DPAs are not necessary just because they are imposed by laws; their value mainly lies in the protection they provide to each party and, most importantly, to the data subjects involved, as they increase their confidence in the handling of their personal data.

Who does the GDPR apply to?

The Regulation applies if the data controller or the data processor or the data subject are based in the EU or in the EEA. Therefore, the GDPR applies to businesses that:

  • are established in the EU, regardless of whether the processing takes place in the Union or not
  • process personal data of data subject who are in the UnionThe Regulation does not specify whether the subject must reside or be a citizen of the EU, it merely imposes the application if the individual is in the EU. Therefore, the GDPR also applies to enterprises based outside the EU if they collect or process personal data of individuals located inside the EU: that's why we can say that it applies extraterritorially, because all companies processing and holding the personal data of subjects that are in the EU must comply with the GDPR, regardless of company location. Essentially, every business around the world is impacted.
  • process personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law
  • have less than 250 employees but their data processing is not occasional, and it is likely to result in a risk to the rights and freedoms of data subjects, since it includes special categories of particular sensitive personal dataAcknowledging this minor exception, small businesses and larger firms should consider themselves equal in the eyes of GDPR. Therefore, small business which don't meet the exemption criteria must keep internal records. Moreover, companies that have less than 250 employees will need to comply with those same legal requirements if they deal with larger corporations, given the nature of joint liability established with GDPR.

The GDPR is also technology neutral, meaning it protects personal data regardless of the technology used or how the personal data is stored. In other words, it doesn't matter if a business processes and stores personal data using a complex IT system or via paper-based files, as long as it is based in the EU or offers goods or services to individuals in the EU, it will be governed by the GDPR.


Does GDPR apply to you?

If you are wondering whether your business is subject to the GDPR or not, you can find it out here by answering to these questions:

  • Is your business established in the EU?
  • If it is not, does your company process personal data of people who are in the EU?Being the answers affirmative, you need to abide by GDPR and be sure you are completely and correctly compliant with its requirements.
  • Are there more than 250 employees in your company?
  • If your company has less than 250 employees, does your business regularly process particular kinds of personal and sensitive data? or can its data processing impact the rights and freedoms of data subjects?Generally speaking, the GDPR apply to both large and small enterprises. However, taking account of the specific needs of micro, small and medium-sized enterprises, some differences do exist in the application of the Regulation. The main derogation refers to the storage of records of processing activities: small businesses with fewer than 250 employees are exempt from having to keep records of their processing activities, whether that's in the capacity of a controller or processor; this exemption is removed if the processing is likely to create risk to the rights and freedoms of data subjects, or if processing happens on a regular basis.

All you need to know

Compliance as an opportunity

The enactment of the General Data Privacy Regulation has forced businesses worldwide to adjust their procedures by setting up more careful processes related to personal data and updating privacy policies and security practices. The ultimate goal is protecting the privacy and security of consumers' personal data, and failure to achieve it is heavily punished, not to mention the reputational damage that noncompliance could cause. Clearly, the costs of not complying with the GDPR are far greater than any investment made to comply with it.

However, embedding the Regulation and fulfilling its requirement leads companies to greater results than just the safety of avoiding serious penalties. Customer loyalty, trust and confidence increasingly represent a decisive factor in choosing a company to do business with. In this context one could say that demonstrating seriousness about compliance is almost as important as being compliant in the first place. And this is how GDPR turns from a legal burden to a competitive differentiator.

In light thereof, it is our recommendation to clearly signalizing and communicating to your customers and shareholders the procedures being implemented for compliance and the purpose of these procedures. Not only does this show transparency about security measures taken to be compliant but is also builds a deep trust and attract & retain customers.

Which are the principles data processing should be based on?

Lawfulness, Fairness, Transparency
The GDPR requires personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject

The responsibility, as well as the burden of complying with the "lawfulness of processing", lies with the controller

The processed data should be accurate and, where necessary, kept up to date, while ensuring the erasure and rectification without delay of inaccurate information

Storage Limitation
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

Data Minimization
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; the personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Integrity and Confidentiality
Personal data must be processed in a manner that appropriately ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures


What does "Lawfulness of processing" means exactly?

The legal bases for data processing

Processing personal data is generally prohibited, unless it is expressly allowed by law or by the data subject.

There are six legal bases for processing personal data in compliance with the General Data Protection Regulation.

The data processing is lawful only if and to the extent that that it is justified by at least one of the following:

The data subject has given consent to the processing of his or her personal data for one or more well-defined purposes.

Vital interests
Processing is necessary in order to protect the vital interests of the data subject or of another natural person

Processing represents a contractual obligation because it is required for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Public interest
Processing is essential for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Legal obligations
Processing is needed to satisfy a legal obligation to which the controller is subject

What are the requirements for consent under GDPR?

Being one of the more well-known legal bases for processing personal data, consent is the subject of various provisions in the GDPR and it can be considered legally valid and effective if some conditions are met. In order to be able to demonstrate the data subjects' consents, the controller must keep records of them within a documentation that states exactly what a data subject has consented to and when, where and how this consent was expressed.

Consent must be:

Freely given: the consent must be given on a voluntary basis; this requirement implies a real choice by the data subject, so any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. This is why the consent should not be a precondition to the provision of any service, unless it is an essential element in that service.

Informed: the data subjects must at least be notified about the identity of the controller and any third parties that will be relying on the consent; they must also be aware of what kind of data will be processed, how it will be used and the purpose of the processing operations. Moreover, data subjects need to be concurrently informed about their rights and, in particular, the possibility of withdrawing consent at any time. The withdrawal must be as easy as giving consent, therefore simple and effective withdrawal mechanisms should be implemented.

Specific: the consent should be bound to one or several specified and sufficiently explained purposes, especially in the event that the consent legitimizes the processing of peculiar categories of personal and sensitive data. Data subjects must be aware of who will use the data and in what manner. Moreover, the request for the informed consent should always be a standalone mechanism, distinguishable and kept clearly unbundled from information about other contractual matters, terms and conditions and there should be a separate mechanism for obtaining authorization. When the processing has multiple purposes, consent should be given for all of them separately; similarly, when multiple types of processing are involved, granular options should be ensured to express differing degrees of consent via separated actions.

Unambiguous: Consent cannot be implied; it must be an explicit acceptance of the proposed processing of data subject's personal data. It must be expressed by means of a statement or a clear affirmative act, through an opt-in, a declaration or an active motion, excluding any possibility of misunderstanding. 'Opt-out' mechanisms with pre-checked boxes are explicitly not allowed by the Regulation. Written consent is recommended; however, no form requirement must be met and it can also be given in electronic form, provided that the request for consent is presented in an intelligible and easily accessible form, using clear and plain language. The affirmative actions that the data subject must perform to indicate their agreement could include ticking or clicking a box when visiting an internet website, signing a form or choosing technical settings for information society services.

What kind of rights can an individual exercise?

Right to be informed
Various types of information must be provided to data subjects: they range from how to contact the data controller, to information concerning the purposes of the processing and proof of its lawfulness, the period for which the personal data will be processed and stored, the possibility to withdrawing consent and complaining to a supervisory authority. The data subject should also be fully aware of their rights and be able to exercise those rights; to this end, they can ask for clarification and exercise their right to assistance. Appropriate measures should be taken to provide such in-depth information in a transparent way, free of charge and in a timely manner. Derogations apply in the event that the data subject already has the information or in case of impossibility, disproportionate effort or obtaining or disclosing personal data is expressly laid down in law. Additionally, data subjects must be informed if data has leaked and disclosed to unauthorized recipients or made temporarily unavailable or altered. This right consists of receiving proper notification in the case of a data breach that happened either accidentally or unlawfully and poses a risk to individual rights and freedoms.

Right of access
The data subject must be able to exercise their right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed.

Where that is the case, the data subject has the right to access to their personal data, receive a copy of the personal data undergoing processing free of charge and in an accessible format, and be provided with the information to which he is entitled.

Right to data portability
It involves the data subject's right to receive the personal data concerning them, in a structured, commonly used and machine-readable format (in order to obtain an intelligible overview of their information) and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. In exercising their right to data portability, the data subject can also request to have the personal data transmitted directly from one controller to another, where technically feasible.

Right to rectification
If an individual believes that their personal data is incorrect, incomplete or inaccurate, he or she can exercise the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning the data subject.

Right to restriction of processing
It is about the right to obtain from the controller restriction of processing where:

  • the data subject has objected to processing or in the event that the accuracy of the personal data or the lawfulness of processing is contested by the data subject;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.

Where processing has been restricted, such personal data would only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Right to erasure "right to be forgotten"
The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay.

The personal data must also be erased without needing a previous request in the event that

  • they are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed.

Exceptions do exist: in fact, the erasure of individual's personal data cannot be asked to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • for the establishment, exercise or defense of legal claims.

Right not to be profiled
Profiling takes place when personal aspects (characteristics such as age, sex, height) are evaluated in order to make predictions or classify a person in a category, even if no decision is taken (this often happens for actions like online recruiting or credit ratings). Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing for such marketing, which includes profiling to the extent that it is related to such direct marketing. This right must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

Right to object to automated individual decision-making
Decision-making based solely on automated means happens when decisions are taken about a person by technological means and without any human involvement, even without involving profiling.

Data subjects have the right not to be subject to a decision based solely on automated means if the decision produces legal effects concerning them and impacting their rights or in the event that the decision significantly affects them in a similar way because it influences their circumstances, behavior or choices. This type of decision-making may exceptionally take place if allowed by law and suitable safeguards are provided, or if there is no other way to achieve the same goal to enter or perform a contract, or explicit consent has been given.

Union or Member State law may restrict the scope of the obligations and rights provided for in GDPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national or public security, defence and important economic or financial interest, or to prevent, detect or prosecute criminal offences or to enforce civil law claims. Any legislative restrictive measure should contain specific provisions as to the purposes of the processing, the categories of personal data, the scope of the restrictions introduced, the risks to the rights and freedoms of data subjects and their right to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

The exercise of data subjects' rights must be facilitated and their effectiveness must be ensured
When a data subject exercises one of their rights, the data controller cannot refuse to act on the request and must provide information on actions taken on the request to the data subject without undue delay and in any event within one month of receipt of the request. If the controller does not take action on the request of the data subject, the controller must inform them without delay of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.


What is meant by "data protection by design and default"?

Data protection by design and data protection by default are two new principles introduced in the GDPR.

At Penneo, we have heartily embedded them in our operational systems, embraced GDPR and today our starting point for everything we do is to acknowledge our responsibility to protect our customers' privacy.

Data protection by design requires that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. During internal projects, product development, software development, IT systems implementation, the controller must integrate the necessary safeguards into the processing in order to meet the GDPR requirements and protect the rights of data subjects. To do so, it's necessary to put in place appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization. The actual application of this principle minimizes privacy risks and increases trust by placing data protection at the forefront of developing new goods or services, allowing to avoid any possible data protection issues at an early stage and helping to raise awareness about data protection across all departments and levels of a company.

Data protection by default aims to ensure that companies always make the most privacy-friendly setting the default setting. While the first principle concerns preliminary stages of product or service development, this second criterion is applied once a product or service has been released to the public. The strictest privacy settings should apply by default, without any manual input from the end user: for example, if two privacy settings are possible and one of the settings prevents personal data from being accessed by others, this should be used as the default setting. Moreover, the controller must implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

What are the GDPR penalties?

In order to strengthen the enforcement of its rules, the GDPR imposes stiff dissuasive penalties that make non-compliance a costly mistake for obliged organizations. The fines are flexible and proportionate to the infringement and apply to all types and sizes of businesses, from micro or small companies to multi-national enterprises.

Businesses that fail in complying with their obligations can incur administrative fines up to 10.000.000 euros or up to 2% of the company's total worldwide annual turnover, whichever is higher. When other more severe violations occur, the fines can reach 20.000.000 € or up to 4% of the company's global annual turnover, whichever is higher. This more significant liability is faced in case of infringements related to the very core of the right to privacy and the GDPR, such as the basic principles for processing, the conditions for consent, the data subjects' rights, and in the event of on-compliance with an order by the supervisory authority.

Under the GDPR, fines are administered by the data protection regulator in each EU country, which will determine whether an infringement has occurred and the severity of the penalty. Before deciding to impose a fine, there may be warnings, reprimands, suspension of data processing. After these preliminary measures have been taken, ten criteria are used to determine whether a fine will be assessed and in what amount:

  1. the nature, gravity and duration of the infringement,
  2. whether it was intentional or the result of negligence,
  3. whether any actions have been taken to mitigate the damage,
  4. the amount of technical and organizational preparation the firm had previously implemented to be in compliance with the GDPR,
  5. any relevant previous infringements,
  6. the degree of cooperation with the supervisory authority to discover and remedy the infringement,
  7. what categories of personal data the infringement affects,
  8. whether the firm proactively reported the infringement to the supervisory authority,
  9. whether the firm followed approved codes of conduct or was previously certified,
  10. any other aggravating or mitigating factor applicable to the circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.

GDPR & Penneo

Data protection, security and compliance are the core areas that inform our business.

Focusing on earning and retaining clients' trust, our purpose it to make our current and future customers feel safe regarding such matters.

Being on top of those subjects, Penneo ensures transparency and preserves the trust in its products and services.

Is Penneo compliant with GDPR requirements?

Our software and procedures meet the most stringent legislative requirements, including GDPR and we are committed to monitoring the legal landscape to be sure our services are constantly up-to-date with respect to the latest national, EU and international regulations. Acknowledging our responsibility to protect customers' privacy, at Penneo GDPR has been embedded and embraced in our operational systems and it represents now just one of several ways of providing our customers safe solutions.

How does Penneo demonstrate its compliance?

Being transparent about how data is used and protected is not only required by law: it' s also our way to attract and retain our customers. Penneo shows its dedication to security and compliance by continuously striving to improve its security strategy and investing in internationally recognized certifications. Our system periodically undergoes third-party audits and assessments to ensure the most advanced protection to our customers and their data. What's more, Penneo's IT-systems and websites are hosted on locations within the EU by the market-leading cloud infrastructure services Amazon Web Services, a highly secure global data center that maintains the highest levels of compliance.

Please visit our Compliance section to learn more about our approach and Attestations.

What is Penneo's role under GDPR?

In the context of providing our software and solutions to our customers, we concurrently handle and store their personal data; it's an essential and ineradicable part of
supplying our services. So we are acting as data processor and we are bound to follow our data controllers' instructions, meaning our customers' wills about the purposes and
the means of data processing. As a trustworthy data processor, Penneo ensures its customers greater power, awareness and control over the collection, processing and
storage of personal data.

What role do digital signatures play in the process of compliance?

If your company collects and holds personal data of people that are in the EU, this means that you must meet the GDPR requirements and also be able to demonstrate this compliance. This need for security is even more demanding when personal financial information and sensitive data are included. The adjustment of privacy procedures in order to legally manage data subjects' consent is achievable by adopting digital processes. Digital signatures are an essential tool to conveniently capture consent while conforming with the rules established for it because they

  • provide information about who expressed the consent, how and when this happened, who obtained it and for what purposes;
  • comply with the active opt-in requirement;
  • provide a comprehensive court-admissible audit trail;
  • comply with the GDPR's unbundled requirement since they allow for granular options within the digital documents (so it's possible to capture consent separately for different
    types of data processing) and enable to separate the signing of the documents where the consent has to be obtained in combination with other documents;
  • allow to easily request the renewing of consent.

Furthermore, digital signature can be used to securely sign data processing agreements between data controllers and data processors while complying with the Regulation.

How can Penneo help customers with the GDPR-compliance process?

Our customers can rely on Penneo for processing their documents in compliance with GDPR and other relevant regulations. The GDPR requirements set a high standard for consent and processing of personal data, but in turn being compliant definitely help to build trust, enhance brand and reputation, and avoid unwelcomed costly consequences. Our signature solution complies with both the consent requirements and the rules for DPAs. Penneo can help you to manage and automate the digital signing processes in a fast, easy and compliant way. With a single and effective solution, you can consistently reinforce your data security and privacy management, while equipping your business with an auditable and user-friendly means to comply with industry standards and legislative obligations.

Are you complying?

  1. Check the personal data you collect and process:
    • Which categories of personal data does your business process?
    • Do you have a legal basis to process personal data?
    • Does the data processing have a legitimate purpose?
    • Would it be possible to handling information in a less intrusive way?
  2. Inform your customers, employees and other individuals when you collect their personal data. Your obligation of providing transparent information results in clearly stating, at a minimum:
    • who you are, why you are processing the data, what the legal basis is, who will receive the data (if applicable);
    • you should also communicate how long the data will be stored, the individual's data protection rights, how consent can be withdrawn (when consent is the legal ground for processing) and information about automated decision-making (if applicable).
  3. Keep the personal data for only as long as necessary: if the data refer to your
    • employees, you only need them as long as the employment relationship and related legal obligations last;
    • customers, you should not keep them beyond the term of the customer relationship and related legal obligations. Make sure to deleting the data where it is no longer necessary for the purposes for which you collected it.
  4. Ensure the security of the personal data you are processing by limiting the access to the files containing the data on your IT system and regularly update the security settings of your system. If you don't store data on an IT system and use physical documents instead, you should also make sure that they are not accessible by unauthorized persons, since the GDPR is technology neutral and it protects personal data regardless of the technology used or how the personal data is stored.
  5. Keep detailed records on your data processing activities: the documentation should explain
    • what type of personal data you process and for what reasons;
    • what categories of data subjects are concerned (employees, customers, suppliers) and what categories of recipients are involved (labor authorities, tax authorities);
    • the storage periods and the duration of the relationships on which the storage periods are based;
    • the description of technical and organizational security measures to protect the personal data.
  6. Entrust to compliant subcontractors: if you need to sub-contract processing of personal data to another company, use only a service provider who guarantees the
    processing in compliance with the requirements of the GDPR.

In other words, trust us. See our Data Processing Agreement to get a clearer view of the guarantees we offer.

To learn more about how we collect, keep, and process your private information in compliance with GDPR, please view our Privacy Policy

Get started with Penneo today

Try now and get your first signatures for FREE!