GDPR stands for General Data Protection Regulation. Any organisation anywhere in the world that processes the personal data of individuals in the European Union must comply with the General Data Protection Regulation.
Companies of all sizes are affected, and companies outside the European Union (EU) also need processes in place to ensure compliance. In practice this means that a company established outside the EU which offers goods or services to EU consumers, or monitors their behaviour, is subject to the GDPR.
What Is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means, as well as to non-automated processing of personal data that forms part of (or is intended to form part of) a filing system.
Such processing is found in many everyday activities: Human Resource Management processes, payroll administration, an employee file or contacts database containing personal data, but also sending promotional emails, publishing a photo of a person on a website, storing IP addresses or MAC addresses, and video recording (CCTV).
The General Data Protection Regulation has applied since May 25, 2018. The regulation provides one set of data protection rules for all companies operating in the EU, wherever they are based.
Stronger rules on data protection would result in:
- people having more control over their personal data.
- businesses benefiting from a level playing field.
Rights of Individuals under the GDPR
Under the GDPR, individuals (data subjects) have eight key rights:
- Right to be informed: Individuals must be told how their data is collected, used, stored, and shared.
- Right of access: Individuals can request access to their personal data and supplementary information.
- Right to rectification: Individuals can request correction of inaccurate or incomplete data.
- Right to erasure (right to be forgotten): Individuals can request deletion of their data under certain conditions.
- Right to restrict processing: Individuals can limit how their data is used.
- Right to data portability: Individuals can receive their data in a structured format and transfer it to another controller.
- Right to object: Individuals can object to data processing based on legitimate interests, direct marketing, or public tasks.
- Rights related to automated decision-making and profiling: Individuals are protected from decisions made solely by automated processes that significantly affect them.
Examples of Personal Data under the GDPR
Examples of personal data under the GDPR are:
- a name and surname
- a home address
- an email address such as name.surname@company.com
- an identification card number
- location data (for example the location data function on a mobile phone)*
- an Internet Protocol (IP) address
- a cookie ID*
- the advertising identifier of your phone
- data held by a hospital or doctor, including a code or patient number that uniquely identifies a person
*Note: There is a specific sectoral legislation regulating for instance the use of location data or the use of cookies, spam and marketing data. Read more in our article about the ePrivacy Directive and what this means for your business in the EU.
Examples of Data Not Considered Personal Data
The following types of data are not classified as personal data under the GDPR:
- A company registration number: This identifies a business entity, not an individual.
- A generic business email address: For example, info@company.com, which does not relate to a specific person.
- Anonymised data: Data that has been processed so that it can no longer be traced back to an individual by any means reasonably likely to be used. Note that pseudonymised data (for example, records keyed by an employee number where the mapping to names still exists) remains personal data under the GDPR, because the individual can still be re-identified with the additional information.
Difference Between Data Processor and Data Controller
A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data. The Data Processor processes personal data on behalf of the Data Controller.
The GDPR places accountability obligations on Data Controllers to demonstrate compliance. Data processors must implement appropriate security, following the controller’s directives.
Data Controllers and Data Processors must designate a Data Protection Officer (DPO) when Article 37 requires it: if they are a public authority or body, if their core activities involve regular and systematic monitoring of data subjects on a large scale, or if their core activities involve large-scale processing of special categories of data or of data relating to criminal convictions. Other organisations may appoint a DPO voluntarily as part of their accountability programme.
Legal Bases for Processing Personal Data under GDPR
According to Article 6 of the GDPR, processing personal data is lawful only if one of the following applies:
- Consent: The individual has given clear permission.
- Contract: Processing is necessary for a contract with the individual.
- Legal obligation: Required to comply with a legal duty.
- Vital interests: Necessary to protect someone’s life.
- Public task: Processing is needed for official functions or public interest.
- Legitimate interests: Processing is necessary for the controller’s or third party’s legitimate interests, unless overridden by the individual’s rights.
Each basis has specific requirements and implications for transparency and accountability.
Impact of the GDPR on Entrepreneurs & HR
Gap Analysis & Impact Assessment
It is advised to conduct a gap analysis and to carry out a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to individuals, in order to identify potential privacy issues, for example regarding employee records.
Data Protection Officer (DPO)
Check if it is required in your company to appoint a Data Protection Officer.
Review Current Policies and Procedures
Review the current policies and procedures and, if needed, adjust them to ensure compliance.
Create New Policies and Procedures
Put in place clear policies and well-practiced procedures, including a framework (RACI) for responsibility and accountability. The GDPR requires that the information provided should be in clear and plain language and easily accessible.
European Works Council & Local Works Council
Ensure there is always a formal discussion when presenting changes related to the GDPR plan, and inform the local Works Council.
Cross-Border Data Transfers
When transferring (employee) data across borders, and in particular outside the European Economic Area, it is important to ensure that you have a lawful basis and a valid transfer mechanism (such as an adequacy decision or standard contractual clauses) for the transfer of personal data.
Security
Work together with IT to ensure that appropriate encryption (for example full-disk encryption) is deployed on all company devices issued to employees. Also make sure the current HR Information System (HRIS) is in line with the GDPR.
Talent Acquisition
Make sure you check compliance with regard to applicant data, the privacy notice for candidates, and background checks.
Third Parties Vendors HR
Check that contracts with third parties (recruitment agencies, Health & Safety Occupational Services (Arbodienst)) comply with the requirements of the GDPR, including the data processing agreement required by Article 28 where the third party acts as a processor.
Employee Records
Check that the employee data is compliant and look for opportunities to minimise the amount of employee data held. For the requirements of the Employee File in the Netherlands, check our free HR ebook.
Training
Organise and/or coordinate training for stakeholders, managers and employees.
Fines and Penalties GDPR Breaches
The GDPR has a tiered approach to penalties for infringements. For the most serious infringements, companies can be fined up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher.
A lower tier of fines goes up to 2% of annual worldwide turnover or EUR 10 million, whichever is higher. This category of fine would be applied, for instance, if a Data Controller does not conduct a Data Protection Impact Assessment as required by the regulation.
EU Digital Services Act (DSA) Affecting Online Platforms
The Digital Services Act (DSA) is an EU regulation adopted in 2022 that addresses illegal content, transparent advertising and disinformation. The DSA, fully applicable since February 2024, regulates online platforms and intermediary services in the EU. Key impacts of the DSA are:
- Platforms must combat illegal content, ensure user safety, and provide transparency.
- Users must be notified when content is removed or restricted.
- Profiling-based advertising using sensitive data or targeting minors is restricted.
- Platforms must explain recommendation systems and allow users to choose how content is ranked.
- Vetted researchers can access data from very large online platforms and search engines to study systemic risks, under supervision of the Digital Services Coordinator of the relevant Member State (in the Netherlands, the ACM).
EU-US Privacy Shield and Data Privacy Framework
The International Safe Harbor Privacy Principles were developed around the year 2000 to allow US organisations to self-certify that they provided adequate protection for personal data transferred from the EU to the United States.
The Safe Harbor agreement was invalidated by the European Court of Justice on October 6, 2015. The EU-US Privacy Shield replaced it in 2016 and offered enhanced protections for EU data; many American companies, including Google and Facebook, signed up to it. The Privacy Shield was in turn invalidated by the Court on July 16, 2020 (Schrems II). Since July 10, 2023 transfers to the US can rely on the EU-US Data Privacy Framework, under which US companies again self-certify; transfers to non-certified companies still require another mechanism, such as standard contractual clauses.
Data Protection Authority in the Netherlands
The Autoriteit Persoonsgegevens (AP) is the Dutch Data Protection Authority. Individuals and organisations should contact the AP in case of:
- Violation of personal data rights under GDPR.
- Reporting of a data breach.
- Guidance on GDPR compliance.
- Seeking advice as Data Protection Officer (DPO).
More Information
- EU Data Act 2025: Netherlands Compliance & Employer Actions.
- ePrivacy Directive & Regulation: What This Means for Your Business in the EU.
- EU-US Privacy Shield.
- Rules for Organisations regarding GDPR
- Member Countries of EU.
- Articles on European Union Law.