GDPR Certification

GDPR Certification
Data Protection Certification Scheme for personal data protection.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) was passed on 27 April 2016 and became mandatory for all Member States of the European Union on 25 May 2018, creating a single legal framework without the need for national legislation and by abolishing existing legislation. The new regulation significantly increases the organizations’ obligations, while the significance of the fines sets it as a priority for the top management agenda.

Which organizations apply?

All private and public corporations, as well as government authorities that in any way manage personal data of customers, clients of their customers, employees, associates or other individuals must comply with the GDPR. The GDPR involves practically all businesses within and outside the European Union, as long as the data concern European citizens.

What are the obligations for the organizations?

  • to observe the basic principles of personal data protection, i.e. to collect them for a specific legitimate purpose and only those that are necessary, not to process them in a manner incompatible with the purpose, to update them, to store them for a minimum period required, to receive, where appropriate, the free and explicit consent of natural persons
  • transfer them to non-EU countries only under certain conditions
  • give access to personal data to their partners, only under certain circumstances and if they prove their compliance with the GDPR
  • develop electronic tools for timely and free response to requests for:
    • withdrawal of consent
    • access to data
    • Correcting data or deleting data
    • limitation of processing
    • delivery of data in electronic form
    • Transferring data to another carrier
  • make their rights available to natural persons in an appropriate and timely manner
  • ensure the security of personal data throughout their life cycle
  • keep records and notify any violation of the data within 72 hours to the Data Protection Authority and to natural persons with direct information or public notice
  • Prove that they comply with all requirements of the Regulation.