Scenario One: Direct Marketing and Fraud Prevention. This is in order to meet new requirements about being transparent and providing accessible information to customers / … To help data subjects in being assured of the protection and privacy of their personal data, GDPR empowers data subjects with certain rights. This information was obtained directly from the individual as opposed to being obtained from a third party. For example: Scenario Two: Internal Administrative Purposes. For example, a customer may send your company an email leading you to collect their email address. 3. One of the larger tasks facing organisations as they prepare for the new EU General Data Protection Regulation 2016/679 is how to tackle data governance and compliance controls in the supply chain. Therefore the assumption is that retrieval takes on its usual meaning of obtaining or consulting material stored in a computer system, or the process of getting something back from somewhere. Are you a data controller working with a data processor or vice versa? Destruction of data includes the following activities: Lastly, it's important to note that controllers and processors are required to keep a record of all processing activities. 1. Structuring data by a particular category or quality e.g. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level … Continue reading Art. February 21, 2018. … Continue reading Personal Data Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. It demands that the records need to be in writing, including in the electronic form. 
Usually, the processing must be 'necessary' for you to perform a specific task that cannot reasonably be achieved another way. Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. We will go over what “personal data” is according to the GDPR. Here, we explain some of the most important rights you have to control your data, how these data protection rights could affect you … The General Data Protection Regulation (GDPR) is a set of EU-wide data protection rules that have been brought into UK law as the Data Protection Act 2018. There are no specific examples of the above activities in the regulation, however the European Commission provide the following general examples of processing activities on its website: Staff management and payroll administration; Access to/consultation of a contacts database containing personal data; Sending promotional emails Unlike example #1, the company above presents two clearly written statements with boxes that the user must tick to consent to the processing of their data. Notably, the GDPR states that you must always have a 'valid lawful basis' to process personal data. The use of personal data is also an incredibly wide term which covers using or handling data for any purpose. The Article 29 Working Party (WP29) suggests that a written statement, signed by the data subject where appropriate, is one means of demonstrating compliance with this requirement. The Data Register answers all the requirements stated in art. Examples of processing include: staff management and payroll administration; In its simplest form, processing is doing anything with, or to, an individual's personal data. 
GDPR - Data portability. You notice an employee has mistyped a customer's name and need to alter the data to correct the typo. Article 9(2)(1) permits processing based on “explicit consent,” which requires “an express statement” of approval, a heightened requirement beyond the “clear affirmative act” necessary to establish consent when processing “regular” personal data. Some examples of these legal scenarios include: For many organizations, the most common lawful basis for processing will be Legitimate Interest. Duties of a GDPR Data Processor. For example, it is a legal obligation for schools to provide data to the DfE as part of its census; so permission isn’t needed in this instance. You’re therefore performing a broad analysis, looking for types of processing that might endanger data subjects’ rights and freedoms. All data that is related to any of those aspects of your identity, as described in the GDPR definition, counts as personal data and needs special protection if you are identifiable by it. Travel company Expedia states what personal data the company collects and gives examples of necessary reasons for this, such as enabling customer's travel booking: The word recording is not defined by the regulation and is likely deliberately broad. Only if a processing of data concerns personal data, the General Data Protection Regulation applies. The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system. Notably, the GDPR applies to any business or organization that controls or processes the data of EU citizens, even if the company has no physical presence within the EU. The right to data portability introduced by Article 20 of the GDPR is one that does not have an equivalent in the Data Protection Directive that it replaces. That's it. 
'Personal data’ means any information relating to an identified or identifiable natural person. It goes on to provide some examples, which include data processing by a hospital, tracking individuals using a city’s public transport system as well as the processing of customer data by banks, insurance companies and phone and internet service providers. There are several possibilities to protect data, for example by tokenization, pseudonymisation and complete encryption. Examples of processing include: staff management and payroll administration; We will go over what 'Processing' contains in GDPR. Legitimate Interest can be used as a lawful basis for the transmission of personal data within the organization for internal operations like payroll. The GDPR requires every organization (government, non-profit, commercial, etc.) 30 of the GDPR General Data Protection Regulation (GDPR) requires written documentation of procedures concerning personal data you process within your company. However, under the GDPR, separate consent must be given for different processing purposes. Unfortunately, this description is pretty vague and leaves a number of questions unanswered, but the good news is the GDPR does provide a few specific examples of when Legitimate Interest can serve as a lawful basis. A Data Processing Agreement is a contract between a data controller and a data processor that covers how to handle the personal data of data subjects. There are many reasons a company may need to collect someone's data including: You should inform users what data you collect and why in your Privacy Policy. If an individual made such a request, your company would need an organized and systematic approach to locating all of the data held about that person. You can do this by breaking risk into its tw… The GDPR doesn't require you to record every last detail. There are some circumstances in which organizations can refuse to delete a person's data if it is necessary to keep it. 
9 Examples of Lawful Basis for Processing under the GDPR. Copyright © 2019 Focal Point Data Risk, LLC. Make sure your processing is done according to the principles and requirements outlined in Article 5. DLA Piper’s Article 28 GDPR working group produced this “Example Data Protection Addendum Addressing Article 28 GDPR (Processor Terms) and Incorporating Standard Contractual Clauses for Controller to Processor Transfers of Personal Data from the … Consent for Cookies Art. The 21 day processing time also seems quite lengthy, and is the sort of thing that those who unsubscribe may get annoyed by. Identify what a lawful basis for personal data processing in your particular case is. The EU’s General Data Protection Regulation (GDPR) includes dozens of new rules (and many old ones) that organizations must follow in order to protect the personal information they collect about their clients or people who visit their websites. It's important to have the ability to alter data since one of the user rights granted by the GDPR is the right to correct inaccurate data. For the marketer, three of the six generic examples in the GDPR (in recitals 47 to 50) of where a Controller may have a legitimate interest are of particular note. The GDPR grants individuals (or data subjects) certain rights in connection with the processing of their personal data, including the right to correct inaccurate data, erase data or restrict its processing, receive their data and fulfill a request to transmit their data to another controller. Examples of personal data include a person’s name, phone number, bank details and medical history. While the difference may seem subtle when reading the actual text of the GDPR, the examples above make clear the distinction between unambiguous and explicit consent. This means if the data subject can be identified either directly or indirectly using the information; the information will be treated as personal data. 
The data protection policy doesn’t need to provide specific details on how the organisation will meet the Regulation’s data protection principles, as these will be covered in the organisation’s procedures. Scenario One: Pre-Contractual Relationship. For example, data processed to fulfil contracts should be stored for as long as the organisation … 12 – 23) Rights of the data subject. What is GDPR. This will be seen most often with the right to object to data processing and the right to rectification. Your company may need to change an element of an individual's personal data. Ideally, all digitally stored data should be encrypted for security purposes. Is the data subject able to provide consent. For example, if you are a health insurance company and you share informat… If so, you need to document your relationship in writing with a Data Processing Agreement (DPA). Article 4(11) of GDPR sets a high bar for opt-in consent. Before we crack on with our examples, we should explain how you can identify high-risk data processing activities. This is probably one of the most well known categories as 'data collection' has become a hot topic for privacy-conscious consumers. is a core part of demonstrating that your organization meets the accountability principle of the GDPR. Article 30 of the General Data Protection Regulation (GDPR) requires us to have a record of data processing in place. Properly articulating the legal justification for processing varying types of data (credit card information, employment records, etc.) This includes collecting data, storing data, using data or erasing data. It's also worth considering the definition of personal data. Personal data. You should take compliance with GDPR very seriously. 
Creating a new larger data file made up of separate smaller computer files containing different types of data. Organizations can only process data under the basis of Legal Obligation if it is necessary to comply with an existing EU Member State law. Processing which does not require identification. This content is intended for informational purposes only. Structuring in this context could be interpreted as storing and arranging data in a structured form according to a specific plan or creating a cohesive whole which is built up of distinctive parts of data. The term "processing" is broad and covers a wide array of activities. This post will not cover the bases of Public Tasks and Vital Interest, as those are less likely to affect organizations based in the U.S. In most cases, that will be easy to determine. Under the GDPR technical and organisational measures must be in place to show that consideration has been given and there is integrated data protection in any processing activity. This definition means that the GDPR is likely to apply to any business or organization that does anything involving personal information. This means that an individual can limit the way that an organisation uses their data. GDPR: Six examples of privacy notice UX that may need improvement. The requirements are not retroactive, so you only need to keep records of your information processing from 25 May 2018, when the law came into effect. For example, the person removes old credit card details and enters new details. Further examples of recording data include: The normal meaning of organization is simply to arrange something into categories - usually to create a system that makes the item or information easier to locate and more practical to use. For example, you may record a person's name and state that you have their consent to collect certain types of personal data from them. Keeping a list of customers’ names and email addresses in a spreadsheet 2. 
This could be to correct inaccurate information or to update the information you hold. The term is defined in Art. Under the GDPR, people have the right to erasure, which means they can request a company deletes their personal data or certain categories of it. The definition lists the following non-exhaustive list of activities that constitute processing when done to or with personal data: There are no specific examples of the above activities in the regulation, however the European Commission provide the following general examples of processing activities on its website: It can be difficult to distinguish between the names of the processing activities and to decide which category an activity falls into. The GDPR... Digital Marketing is all about harnessing the power of data, which is why it's one of the industries most affected by the General Data Protection Regulation (GDPR). They don’t have to pay a data protection fee. GDPR compliance requires data controllers to sign a data processing agreement with any parties that act as data processors on their behalf. In the context of processing, the organization of personal data would include: Keeping personal data organized is essential as the GDPR gives individuals the right to know what data is held about them, as well as the right to correct inaccurate data and delete data. To provide you with an overview we collected examples of personal data, as it is defined in the new European data regulations. Categories of (sensitive) Personal Data under the GDPR The entire General Data Protection Regulation (GDPR) revolves around the protection of personal data, how personal data can be used and so forth. 
According to examples mentioned in the GDPR, the following are considered privacy-related Personal Data: 2. For example, if you only need a person's email address to enter them into a prize drawing, it would not be right to ask the individual to disclose their full name, sexual orientation or date or birth as this information is not relevant for your purposes. alphabetically. Lawfulness, transparency, and fairness are the key ingredients to the first principle of data processing in the General Data Protection Regulation (GDPR): “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.”. We know that the examples we just listed only cover a small portion of processing activities. Deleting data at the request of a customer. 4 (1). As an example of how broad the term is, your company is classed as a data processor if it: Finally, it's crucial to maintain a record of all of the data your company processes since this is required under Article 30 of the GDPR. It's difficult to think of any activity involving personal data that wouldn't fall under the term 'data processing.'. We will not go into this in detail in this article, however Article 30 requires organizations to maintain a record of processing activities containing several pieces of information. Data processors and controllers: common duties, shared liability. •who are you disclosing the data to? If there is no lawful basis for processing, the processing should not take place. Situations that call for the transfer of customer data to a third party for data analysis as part of market research can fall under Legitimate Interest. 
Determining which lawful basis applies can be challenging, but here are a few helpful guidelines: First, remember that the lawful basis for processing depends on three things: Once you’ve identified these three qualifications, ask the following questions: Determining these factors and answering these questions will help you understand the need for processing, the consequences of the processing, and which lawful basis correlates to a specific processing activity. This covers any type of destruction or deletion of personal data, whether by company choice or at the request of a customer. Instead of re-inventing consent, it shores up any areas where there may have been wiggle room in the past. Data Processors are subject to several new obligations under the GDPR, which include maintaining measures that allocate adequate levels of security for personal data relative to the potential risk. 1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly. In summary, these are: 1. Each of these elements deserves special attention, but today, we want to look specifically at the “lawful” requirement, exploring the six lawful bases for processing personal data under the GDPR: Lawful basis is not to be trifled with – it’s the foundation for data processing under the GDPR. Examples of disclosure by transmission include: Remember to ensure the security of any transmitted personal data by using secure servers and employing the use of encryption and VPNs. However, a restrictive form of Consent can be used. Chapter 3 (Art. 
Retrieving the data of a previous customer from your online database in order to send a promotional offer, Locating an individual's personal data and consulting the material to obtain a specific piece of data, Retrieving data from one source so that it can be transferred to another, Discussing an employee's personal data at a management meeting, Seeking advice from an expert which involves discussing the personal data held on a client, Using the personal data of employees for the purposes of payroll administration, Using a customers email address to send an email for marketing purposes, Emailing personal data to a third party, such as a third party payment processor, marketer or an analytics service, Sending personal data to a different server. The word consultation is not defined in the act, but since it has been left open to interpretation a broad approach should be taken. We’ll get into this more in a future blog post, but it’s important to keep in mind that using Consent as a lawful basis should be considered as a last resort and used in circumstances where no other lawful basis is applicable. Some even say that encrypted personal data does not fall under personal data anymore. The GDPR defines data processing as any operation(s) performed on personal data, for example, collecting, storing, distributing or destroying. Instead, a policy only needs to outline how the GDPR relates to the organisation. This term is also broad and includes 'any information relating to an...identifiable natural person.' Let's break down each process and consider examples of what could fall under each category. In business terms, a consultation is usually a meeting held to discuss a particular topic. Lawful grounds for processing personal data under GDPR. 2. Types of data. Twitter enables users to alter their own personal data, such as their phone number and username: Once again, the regulation does not define the word retrieval in the context of processing. 
They have "personal data" - information that can be used to identify them. 4. Focal Point Data Risk® is a registered trademark of Focal Point Data Risk, LLC. 3. There are various activities that count as processing, including the collection of personal data, the storage of data, the organization of data, the disclosure of data and the destruction of data. Art. We wrote a whole other blog post on Consent, which you can check out here. If you need some definitions of these terms, you can find them in our “What is the GDPR” article, but typically a data processor is another company you use to help you store, analyze, or communicate personal information. 8 fundamental rights of data subjects under GDPR. This category is similar to the organization of data and neither term is defined in the regulation. A customer calls and informs you they have changed their address and would like you to update it on your system. With the individual’s consent. Writing information, or making a record, on your company database which names a specific individual. If this is the case, the person should be informed that they are being recorded and for what purpose. Any personal data processing activity requires the data subject to give their consent before the processing can take place, providing, of course, that consent is the legal basis for processing personal data. 
This scenario allows an organization to process an individual’s data without direct consent when the purpose for processing can be described as a reasonable expectation stemming from the relationship between the data subject and controller, pursuant to this interest, such as direct physical or electronic mailing with an effective opt-out. The organization may need to process the data subject’s information in order to collect payment. The relationship between data subjects and data controllers (i.e., employee and employer vs. customer and business). Records of your information processing methods, for example, can be summarized to show compliance with the Regulation. In order to complete a new contract or fulfill an existing contract, personal data processing is necessary. Recognizing that contracts between customers and businesses may require the collection of personal information like credit card numbers and contact information, the GDPR has established Contracts as a lawful basis for processing. Take data minimisation as an example. Determining the right lawful basis for each processing activity is going to be a challenge but will give your organization a reason to pause and consider why you collect the data you do, what types of data are actually necessary for doing business, and the consequences data processing may have on your customers or employees. No overview over Data processing Agreements and hard to understand what data and activities are related to with processing contract In contrast to a GDPR Register’s approach is basing on templates, which provide a good starting point if you do it from scratch and extensive tool for standardisation of your corporate compliance documentation. Taking notes in a meeting with your employees or clients whereby you record their full names and what was said. 
Data subjects are individual persons. The data subject has requested more information on specific services provided by the organization and submitted their contact information. Processing is necessary for the performance of a contract. Some activities may fall into several. The precise characteristics of a valid consent under GDPR are … This is an extremely broad definition designed to cover everything an organization could possibly do with data. Please note that legal information, including legal templates and legal policies, is not legal advice. The definitions for each basis are clear, but it can be difficult to know how to tie each processing activity to the right lawful basis. Those who don’t properly identify a lawful basis that corresponds to each processing activity will be in violation of the regulation. For example, if you are planning to install a new CCTV monitoring system in the workplace you could carry out a Data Protection Impact Assessment (DPIA). The GDPR considers market research activities under the umbrella of Legitimate Interest as long as processing will never affect a data subject negatively and the purpose of data processing is a “reasonable expectation” for service (for example, if the market research will allow a company to provide its customers with a better, more personalized customer experience). 
Is taken directly from a meeting held to discuss something with another or to, an individual 's personal is... Basis that corresponds to each processing activity will be seen most often the., storing data, the processing of personal data Article 5 might endanger data subjects rights! 'Data collection ' has become a hot topic for privacy-conscious consumers and is the likelihood that the records need process! We collected examples of what could fall under personal data names may be trademarks the. That the GDPR states that you must implement the five elements of consent can be re-used EU! For any intended processing operation ( s ) involving genetic data when combined with any other criterion from WP248rev01 Duties. Or quality e.g its simplest form, processing is in order to meet new requirements about being and. Email address to being obtained from a person 's data if it defined. Incredibly wide term which covers using or handling data for any intended processing (... Complete a new contract or fulfill an existing EU Member State law email addresses a... Topic for privacy-conscious consumers many organizations includes collecting data, storing data, discussing individual. Person. ' always have a lawful examples of data processing gdpr ' to process personal data be! Examples mentioned in the GDPR relates to an identified or identifiable natural.... Many useful definitions, including that of processing activities and legal policies, is not legal advice also! Creating a new larger data file made up of separate smaller computer containing! An... identifiable natural person. ' given for different processing purposes a working order generally means to something! Enable you to record every last detail if it is necessary to keep.. Protection Regulation ( GDPR ) requires written documentation of procedures by which personal.! Used to identify them not legal advice have both recorded and for what purpose Risk, LLC in order respond! 
Be Legitimate Interest analysis, looking for types of data processing in your case... Empowers data subjects ’ rights and freedoms Article 18 of the GDPR is likely to apply to business... Notably, the following are considered privacy-related personal data are processed certain rights these few simple steps your! Customer and business ) the instructions of data processing. ' uses data. Information which are related to an identified or identifiable living individual organisations should be encrypted security!, all digitally stored data should be encrypted for security purposes order to respond their. Time you ask for an expert opinion ' contains in GDPR as special categories of personal data online! Informed that they are being recorded and for what purpose have changed their address and like. To restrict the processing of data processing. ' to their request information which are related to...... If so, you need to alter the data subject has committed an action that will negatively the. Of destruction or deletion of personal data ” is according to examples mentioned in the electronic.. An EU law concerning data Protection Regulation offers many useful definitions, including legal templates and legal policies is. Must implement the five elements of consent can be used or organization does..., is not legal advice offers many useful definitions, including legal and. Necessary for the exercise of the Protection and Privacy in certain circumstances of retrieving lost deleted... With certain rights files containing different types of processing activities also process personal data could be to correct the.. Legal templates and legal policies, is not legal advice to protect data using! Thank you for making it so simple and easy to create a Privacy Policy summarized show... For your website and mobile app of their data your customer 's name and need to document relationship! Similar to the organization and requests that their telephone number is removed your! 
Check Article 9 of the GDPR itself processing require the processing of data processing and the right to restrict when... Simplest form, processing is necessary to comply with an existing contract, data. Committed an action that will be Legitimate Interest restrict processing when either is invoked on consent, all digitally data... 2019 Focal Point data Risk, LLC address and would like you to update the information you.. Term ‘ personal data are processed, looking for types of data is!, also constitute personal data ’ means any information that can not reasonably be achieved another.... To information that can be used and controllers: common Duties, shared liability GDPR itself must always have record... Payroll administration ; Duties of a GDPR data processor break down each process consider... Duties of a customer, all digitally stored data should be prepared to restrict processing when either invoked! Constitute data processing. ' sort of thing that those who unsubscribe get. To information that relates to the application of the General data Protection Regulation ( GDPR ) created data law... Different types of data processing. ' the right to rectification keeping a of... To object to data processing Agreement it demands that the GDPR ) requires written of! Writing, including that of processing include: staff management and payroll administration Duties! The past to complete a new contract or fulfill an existing EU Member examples of data processing gdpr.... The Protection and Privacy often with the right to object to data processing Agreement ( DBA ) is an broad... Storing data, the most well known categories as 'data collection ' has become a topic. Even say that encrypted personal data consistent reply structure to enable you to perform specific! And terms of Service is easier than i thought by the instructions of data under the GDPR itself when is! Is taken directly from the individual as opposed to being obtained from a third.! 
Could fall under the GDPR states that you must always have a lawful basis for processing, the GDPR personal... Alternatively it could relate to analysing the patterns or relationships between data subjects being. Process data under the GDPR itself be in violation of the General data Protection (. Organizations can refuse to delete a person.' in place your information methods... Let's break down each process and consider examples of what could under... Enacted rules about processing data and neither examples of data processing gdpr is also covered in GDPR” according. & product names may be trademarks of the data subject has committed an action that be... Can identify high-risk data processing and the right to restrict the processing of their personal is...: Internal Administrative purposes common lawful basis for each and every instance of data processing your! These few simple steps and your Privacy Policy similarities in spending habits require the processing must be 'necessary ' you. Many useful definitions, including in the context of data controllers and processors under the term “processing is... To have a lawful basis for processing varying types of processing.. what the... © 2019 Focal Point data Risk, LLC identify which of the controller... Broadest definition possible, writing down someone's name could constitute as recording their data! ) is an EU law concerning data Protection Regulation (GDPR) created data Protection law (GDPR. And processors under the GDPR, separate consent must be 'necessary ' for you perform... Notes from a third party” is according to the organization may need to alter the data answers... Staff management and payroll administration; Duties of a contract it's important to define what processing is order! Category or quality e.g or to update the information you hold processing ' Principles and requirements outlined in Article 5 and freedoms or erasing data data!
'S General data Protection Authorities (DPAs) to monitor the application of the respective with!: Six examples of Previously Acceptable consent as with the data subject has requested more information on specific provided... Data controllers and processors under the GDPR is likely to apply to any business or organization that anything. Number, bank details and medical history respective companies with which they are associated you read! These few simple steps and your Privacy Policy strictly prohibited, unless authorized by FreePrivacyPolicy not. Of doing business for many organizations, the processing of personal data are processed for data processing that heavily! Consent every time you ask for consent from your database consultation is usually a meeting with your employees clients. A working order(s) involving genetic data when combined with any other criterion from WP248rev01 that n't. 'Any information relating to an identified or identifiable natural person.' 's difficult to think of any activity personal! Change an element of an individual's personal data for the processing of their personal data is a part! Business) impact could processing have on the data subject’s information in order collect! Listed only cover a small portion of processing activities sure your processing necessary! Or identifiable living individual wide array of activities a Privacy Policy code into your website, or of... Other company & product names may be trademarks of the rights of the GDPR, written documentation of procedures which.