The General Data Protection Regulation: Achieving Compliance for EU and non-EU Companies

• Published in: Business law international Vol. 18; no. 3; pp. 225 - 197
• Main Author: Karaduman, Ozan
• Format: Journal Article
• Language: English
• Published: London International Bar Association 01.09.2017
• Subjects: Compliance; Electronic commerce; General Data Protection Regulation; Jurisdiction; Legislation; Personal information; Turkish language; Websites; Germany
• ISSN: 1467-632X

According to Recital 23, a case-by-case analysis must be made in order to determine whether an activity can be regarded as 'offering of goods or services' in terms of Article 3. According to the International Association of Privacy Professionals, more than 75,000 DPOs will be required to meet the GDPR requirements. According to the GDPR, the data controller and processor must designate a DPO in any case where: 1. processing is carried out by a public authority or body, except for courts acting in their judicial capacity; 2. the core activities of the controller or processor consist of processing operations, which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or 3. the core activities of the controller or the processor consist of the largescale processing of special categories of data and personal data relating to criminal convictions and offences. According to Article 25 of the GDPR, the data controller is required to implement the appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into processing in order to meet the requirements of the GDPR, protect the rights of data subjects and keep the data secure.