Frequently Asked Questions concerning GDPR
Warning: The information contained herein is not a substitute for legal advice or consultation with the competent authority. To resolve any issues, please contact your legal counsel or supervisory authority.
1. What is GDPR?
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) applies as of 25 May 2018.
It concerns the protection of personal information of individuals and applies in the following cases:
- if the company conducts activities in the EU;
- if the processing activities are related to the offering of goods or services to individuals in the EU;
- if the monitoring of behavior of individuals takes place in the EU;
- if the EU law is applicable to the activities of the company.
Important: GDPR is not applicable to anonymous information, namely information that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. GDPR does not concern the processing of such anonymous information, including for statistical or research purposes.
2. Is GDPR applicable to my company's activities?
First, you should determine whether GDPR applies to your company's activities in general (see Q1).
Second, you should determine whether your company processes personal data.
Under GDPR, “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Under GDPR, “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Under GDPR, “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the Union or Member State law.
Under GDPR, “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Example 1. GDPR is applicable if you are an employer and monitor the location of cars that belong to or are assigned to particular employees. The data can include not just the vehicle's location but the employee's location as well. In this case, the data derived from the vehicle can help to identify the individual and their location.
Example 2. GDPR is inapplicable if you monitor the location of the cars that are linked to the company's IP-address and cannot be attributed to a particular person.
To decide if the collected data are reasonably likely to be used to identify a natural person, all objective factors should be taken into account, such as the costs and the amount of time required for identification, taking into consideration the available technology at the time of processing and technological developments.
This issue is important as your company may be obliged to perform certain actions under GDPR (see Q8). We advise you to contact your local legal counsel or supervisory authority to determine if GDPR is applicable to your company's activities.
3. Is GDPR applicable to Gurtam's activities?
Gurtam does not process any personally identifiable data of the end users of its partners.
However, in cases when Gurtam's partner processes personal data using Wialon Hosting Software, Gurtam may act as a processor under GDPR (see Q5).
What actions does Gurtam take to comply with GDPR?
Gurtam takes all the necessary technical and organizational measures to comply with GDPR.
4. How does Gurtam obtain consent to process personal data from the end-users of its products?
Gurtam does not obtain consent from its partners' clients. If your company processes personal data (see Q2), Gurtam is obliged to:
- Take certain actions to comply with GDPR;
- Ensure that it has a valid Data Protection Agreement with your company;
- Perform the obligations of the processor under Article 28 of GDPR.
5. What actions should my company take to comply with GDPR?
If your company is considered to be a controller or processor under GDPR (see Q2), you are obliged to perform certain actions under Articles 24-34 of GDPR.
The description of actions is also available here:
https://ec.europa.eu/justice/smedataprotect/index_en.htm#target-4
6. Will I be subject to a fine if my company's actions are not in compliance with GDPR?
Each supervisory authority shall ensure that the imposition of administrative fines with regard to GDPR is effective, proportionate, and dissuasive in each individual case.
The powers of the supervisory authority are detailed in Article 58 of GDPR.