GDPR Services - Privacy Desk

The General Data Protection Regulation (GDPR) is considered as a golden standard for the data protection. The European Union law on Data Protection and Privacy as introduced on 25 May 2018. The GDPR is a comprehensive law on data protection and privacy. It is hailed as one of the strictest data protection regime across jurisdictions and has been instrumental in fostering a uniform data protection atmosphere within the European Union (EU) and facilitating the introduction of National Legislations.

The GDPR’s primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation contains provisions and requirements related to the processing of personal data of individuals who are located in the European Economic Area (EEA) , and applies to any enterprise—regardless of its location and the location of the data subject. Our GDPR services thus entail measures incorporating GDPR for Indian companies as well.

GDPR is applicable to all entities operating within the EU and EEA regions . It is applicable to Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden along with any national laws that these regions may enact.

The provisions of GDPR mandate compliance for processing related to the data of subjects in the European Union even if the data processing takes place outside the territorial limits. The law also mandates compliance if the entity is located outside EU, but processes data in context of activities in the EU. The focus of our GDPR services is data protection in the EU including implementing measures for data protection outside EU such as GDPR for Indian companies.

Rights of Data Subjects

The purpose of GDPR is also to lay down the rights of the data subject, the person whose data is being collected and processed by data collector to allow for stricter compliance from the initial stages to the last. All information conveyed to the data subject should be in a clear and unambiguous manner.

GDPR provides the data subjects with the following rights:

Right to Access
The right to access the information regarding their data being processed.

Right to be Informed
The right to be informed on the specifications of processing data.

Right to be Forgotten
The right to call for erasure of their data shared by them.

Right to Objection
The right to restrict the processing of the data shared by them.

Right to Restrict Processing
The data subjects have a right to limit the processing of their data for the purpose it was collected.

Right related to automated individual decision making
The data subject has the right not to be subjected to any decisions taken by the controller solely based on automated means.

Right to Withdraw Consent
The right to restrict the processing of data when they withdraw consent.

Compliance Obligations

The crucial principles embedded in the GDPR that also provide the framework of holistic data protection cast the obligation on data controllers that all processing of data must be accorded the requisite layers of protection.

The processing must be lawful, fair and transparent with regards to the data subject.
The legitimate purpose for data processing must be specified and expressly conveyed to such data subject.
The data controllers must also comply with the principles of data minimization, storage limitation, maintaining accuracy of data along with the security, integrity and confidentially of such data by way of implementing adequate security measures.
For demonstrating GDPR compliance, a substantial obligation of abiding variety of measures should be adopted by your organization for data protection, such as appointment of Data Protection Officers, establishing Data Protection by design, designation of data protection responsibilities to the team along with adequate training and awareness exercises.

Our services ensure compliance of GDPR for Indian companies as well as other globally existing companies.

Article 6 of the GDPR provides legal basis on the processing of data as allowed under the law. The processing of data would be lawful only if one of the following circumstances apply:

Consent

For the processing of personal data, a clear and affirmative consent is required to be obtained by the controller from the data subject for the processing of data for such specific purpose.

Public Interest

Processing of personal data for a purpose of carrying out obligations in a public interest or in an official capacity, are allowed under GDPR as a legal basis.

Legal Obligations

For the purposes of fulfillment of legal requirements, a controller can process personal data for such purposes.

Contractual Obligations

The processing required to comply with contracts, forms a legal basis for processing of personal data for such specific purpose.

Under Article 6 of GDPR, Data processing is only permitted when specific, unambiguous consent to process data granted by the data subject. However, at the same time it is provided under GDPR that even without consent, data may be processed in case such processing is necessary for performance of contractual or legal obligations, or such processing is necessary to protect vital interests of the data subject or any other natural person. Processing is also allowed when it is necessary for performance of public interest/official authority or legitimate interest.

Enforcement Mechanism

Article 51 of GDPR provides that each member State needs to establish one or more independent public authorities that will be responsible for monitoring the application or compliance with GDPR, known as Supervisory Authority. The GDPR also specifies on the need of complete independence of such Supervisory Authorities so that they may remain free from external influence in order to perform their tasks and exercise their powers under GDPR. They enjoy wide powers for investigation and correction and can also issue guidance and directives to the public. As per Article 77, Individuals also enjoy the right to lodge a complaint with a supervisory authority. All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision. The data subjects also have a legal remedy against any actions of the processor or controller.

Penalties

GDPR derives its stringency from the substantially high fines and penalties it imposes on organisations for their non compliance with its regulations. These fines are made flexible to adapt with the scale of the organisation responsible for non-compliance. There are two tiers of fines that depend on various factors such the nature and gravity of the infringement, intent, damage, mitigation efforts etc.

The first of the two tiers of penalties is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second tier of penalty is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.

We offer the following services to our clients as a part of our GDPR Implementation Programs providing GDPR services for Indian companies as well by:

Implementing Privacy Ecosystems
Providing Data Protection Impact Assessments
Providing GAP ecosystems
Acting as a Data Protection Officer
Data Protection and Privacy Consulting and Advisory
Evaluating and monitoring compliance levels from a legal standpoint under various jurisdiction
Drafting relevant agreements/ policies for securing consent, provision of notice etc.
Suggesting security and privacy best practices, policies and standards
Developing mitigation plan for possible privacy breaches
Assisting with disputes under the realm of data protection/ privacy, if any
Delivering trainings on the legal provisions to the concerned teams

As a part of our Data protection Services, we offer our GDPR Services through an Implementation program, done through our five-phase approach.

Implementation done for clients located in EU, India or elsewhere
Provided end-to-end support throughout the project
As a part of the project, developed protection toolkit (including draft agreements, security/ privacy best practices, policies etc.) and incidence management system

Provide compliance with the Privacy Laws efficiently and effectively.
Recognize, Access and Strategize Personal Data within your organization.
Adapt, Improvise and leverage your existing privacy compliance in order to comply with the legislations.
Respond to Data Subject Rights and fulfil Business obligations under the legislations.
Policy and Notice Management and maintain data privacy structures within the organizations.
Provide an effective solution to all organizational requirements in privacy.
Cost Effective solutions for privacy compliance with subject matter experts
Implementation of the privacy program from industry professionals with prior experience with MNC’s in the EU region.

Associate Services

Along with GDPR implementation, we provide assistance or maintenance in compliance to GDPR obligations as a part of our GPPR Consulting Services.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

Scope of GDPR

Rights of Data Subjects

Compliance Obligations

Legal Basis for processing of Data under GDPR

Exceptions to Consent Requirement under GDPR

Enforcement Mechanism

Penalties

Our GDPR Services

Benefits of the GDPR Implementation Program

Associate Services

Reach out to us

Cookie Consent