GDPR FAQ

Frequently Asked Questions (FAQ)

What are the objectives of the GDPR?

The objectives of the European General Data Protection Regulation (GDPR) are "the protection of natural persons in relation to the processing of personal data", "the free movement of personal data" and "the protection of the fundamental rights and freedoms of natural persons and the personal data of natural persons" (Article 1 GDPR).

The real goal of personal data protection is not the protection of personal data itself, but the protection of the human rights of the individuals who can be identified by that data. Its purpose is to prevent individuals from being subjected to unfair discrimination or disadvantage because their personal data has been misused or abused without their knowledge.


What are the principles of the GDPR?

The seven basic principles set forth in Article 5 of the European General Data Protection Regulation (GDPR) incorporate the eight principles contained in the Council Recommendation on Guidelines for the Protection of Privacy and the International Distribution of Personal Data (the so-called "OECD 8 Principles"), adopted by the Organization for Economic Cooperation and Development (OECD) in 1980. The seven principles are:

  •     Lawfulness, fairness and transparency
  •     Purpose limitation
  •     Data minimization
  •     Accuracy
  •     Storage limitation
  •     Integrity and confidentiality
  •     Accountability (or shift of the burden of proof)

Who is subject to GDPR?


The European General Data Protection Regulation (GDPR) applies to companies that:

  •     are located within the European Economic Area (EEA), including the EU (hereinafter "within the EU");
  •     are not located in the EU but provide products or services to individuals in the EU;
  •     track the activities of individuals in the EU, even if they are not located in the EU.


Even if you are not located in the EU, the GDPR applies to you if you handle the data of individuals in the EU through the provision of products or services or through behavioral analysis. Common examples include the provision and sale of games, apps, and IT services to the EU, the handling of personnel or customer data of EU subsidiaries, and the analysis of the behavior of website visitors and customers.

What are some specific examples of GDPR?


The European General Data Protection Regulation (GDPR) is the EU's personal data protection law. It applies to companies that handle the data of individuals in the EU, regardless of whether those companies are based within the European Economic Area (EEA), including the EU ("within the EU").


The required "GDPR compliance" varies depending on the nature of the company's business, the size of the company, the amount of data handled, the number of employees, and the degree of risk to individuals in the event of a data breach. For example, a large global company that monitors and analyzes the activities of tens of millions of people and profiles individuals will, of course, be required to take a higher level of measures than a mid-sized company whose only personal data in the EU is the names and contact information of its business partners.

Enobyte offers a plan that lets companies considering GDPR compliance proceed with measures suited to their own level without difficulty: a questionnaire to get a sense of scale, an assessment that compares and analyzes the gap between their current data protection practices and the GDPR requirements, and regular meetings.

We can also compare your company's situation and requirements with our past case studies to determine the best plan for your company.


What are my GDPR obligations?


The European General Data Protection Regulation (GDPR) establishes the following obligations for controllers (companies that determine the purposes and means of data processing; the outsourcing party) and processors (companies that handle personal data on behalf of a controller; the contracted party).

The obligations imposed on the controller are generally as follows:

  •     Be specific about the purpose (abstract purposes such as "for marketing purposes" are not acceptable)
  •     Handle only the data necessary for the purpose
  •     Inform individuals within the European Economic Area (EEA), including the EU (hereinafter referred to as "within the EU"), about the planned processing in advance
  •     Delete the data as soon as the purpose has been achieved and no other legal basis exists
  •     Respond to individuals in the EU when they exercise their rights
  •     Keep the data up-to-date at all times
  •     Implement appropriate technical and organizational measures (TOM)
  •     Keep records of all processing activities
  •     Select GDPR-compliant processors to handle personal data and enter into a processor agreement with them (Article 28 GDPR)
  •     Monitor the processor's protection of personal data
  •     Conduct a risk assessment and take appropriate measures in advance of any processing that is expected to pose a high risk to individuals in the EU
  •     Report any data breach to the data protection supervisory authority within 72 hours
  •     Notify the affected individuals if the data breach poses a high risk to individuals in the EU


The obligations imposed on the processor are generally as follows:

  •     Handle personal data only in accordance with instructions from the controller
  •     Obtain prior approval from the controller before outsourcing to another processor (sub-processor)
  •     Assume full responsibility to the controller for that other processor
  •     Keep records of all processing activities
  •     Implement appropriate technical and organizational measures (TOM)
  •     Immediately report any data breach to the controller (the outsourcing party)
  •     Return the data to the controller or erase all data in accordance with the controller's instructions upon completion of the entrusted task


Enobyte will investigate the specific requirements of each company and provide extensive support to ensure that they are met and that the company is prepared for the GDPR.


Which countries are members of the GDPR?

The European General Data Protection Regulation (GDPR) applies to companies that handle the data of individuals within the European Union (EU), regardless of whether or not they are located within the European Economic Area (EEA), including the EU ("within the EU").


What does a sufficiency certification mean?


A sufficiency certification (the GDPR's term is "adequacy decision") is a recognition granted by the EU Commission to a country outside the European Economic Area (EEA), including the EU ("the EU"), that ensures a level of personal data protection equivalent to that of the European General Data Protection Regulation (GDPR) (Article 45 GDPR). Data can then be transferred from within the EU to a country with sufficiency certification as easily as it can be transferred within the EU.

Note, however, that when data is transferred from within the EU to Japan, the four Supplementary Rules set forth by the EU Commission must also be complied with.

Currently, the following 14 non-EU countries have received "sufficiency certification" from the EU Commission as countries that ensure a level of data protection equivalent to the GDPR: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Korea, Switzerland, Uruguay, and the United Kingdom.


What does EU Representative mean?


A person who represents a company outside the EU as a local contact between individuals within the European Economic Area (EEA), including the EU ("the EU"), and the EU data protection supervisory authority is called an "EU Representative" or "EU rep".


Article 27 of the European General Data Protection Regulation (GDPR) requires organizations that are not based in the EU to appoint an EU representative in one of the EU member states in which their main market is located if they provide products or services to individuals in the EU or track the activities of individuals in the EU on an ongoing basis.


For example, a Japanese company that has no presence in the EU but sells software to EU users is subject to this obligation. A website that is available in EU languages (German, French, Italian, Spanish, etc.) or that displays prices in euros is also considered to target individuals in the EU, and its operator is therefore subject to the obligation to appoint an EU representative.


What does GDPR Representative stand for?


There is no formal term "GDPR Representative". A person who represents a company outside the EU as a local contact between individuals within the European Economic Area (EEA), including the EU ("the EU"), and the EU data protection supervisory authority is called an "EU Representative" or "EU rep".


Article 27 of the European General Data Protection Regulation (GDPR) requires organizations that are not based in the EU to appoint an EU representative in one of the EU member states in which their main market is located if they provide products or services to individuals in the EU or track the activities of individuals in the EU on an ongoing basis.


What is the role of the EU Representative?


The EU Representative represents a company outside the EU as a local contact between individuals within the European Economic Area (EEA), including the EU ("the EU"), and the EU data protection supervisory authority.


For example, if a German customer of a company that provides services to EU users has a complaint about the company's handling of personal data, such a complaint may have legal force. The EU representative receives the complaint and handles all data protection-related communication with the complaining customer. The company is then informed, as appropriate, of the complaint, its nature, the EU representative's response, and the information needed to respond.


The appointment of an EU representative is also recommended for companies that are concerned about communicating with individuals in the EU or with the EU data protection supervisory authority in a foreign language: Enobyte has employees with GDPR expertise who can communicate closely with customers in Japanese while communicating with the local authorities in English or other EU languages.