General Data Protection

The Regulation

The GDPR 2016/679/EU (General Data Protection Regulation) was adopted on April 14, 2016. In order to process personal data, data controllers and processors must comply with this regulation. The GDPR harmonizes the protection of fundamental rights and freedoms of natural persons with regard to the processing of their data and ensures the free flow of personal data between Member States.

The GDPR is designed to protect natural persons from unlawful processing of their personal data. The requirements in the Regulation have to be met with regard to any processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union, regardless of whether the processing itself takes place in the Union. If the controller or the processor is not established in the EU, the processing of personal data of data subjects who are in the EU for the purpose of offering goods or services or monitoring behavior falls under the scope of the GDPR.

Personal data means any information that relates to an identified or identifiable natural person. An identifiable natural person is one who can, directly or indirectly, be identified with the help of identifiers (e.g. name, identification number, location data, physical, genetic or mental characteristics). The GDPR encourages the use of pseudonymisation for the stronger protection of personal data. Anonymous information cannot be attributed to a specific natural person and, therefore, falls outside of the scope of the GDPR.

Examples of personal data include:

  • Name and surname,
  • Home address,
  • An email address, which contains the name of the data subject,
  • Location data,
  • Data held by hospitals or doctors, such as medical history and genetic data,
  • Information about education or employment, such as salary data, tax information and diploma,
  • IP address of a single user.

Processing covers any manual or automated operation which is performed on personal data. It includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

For processing to be considered legal, it must be done under one of the lawful bases of Article 6 (1) of the Regulation: consent (paragraph (a)); performance of a contract (paragraph (b)); compliance with a legal obligation (paragraph (c)); protection of vital interests (paragraph (d)); public interest (paragraph (e)); or legitimate interests (paragraph (f)).

In case of a breach of the GDPR, the penalties can be as high as 4% of the annual global turnover of the company or EUR 20 Million, whichever is greater. The fines are dependent on the obligations which were infringed.


The GDPR’s material scope covers the processing of all personal data that relates to an identified or identifiable person. The territorial scope covers all processing done in the context of the activities of an EU-established controller or processor, irrespective of whether the processing itself was done in the Union. When the controller or the processor is located outside of the EU but offers goods or services to, or monitors the behavior of, data subjects in the Union, the GDPR is applicable.

In summary, a company must comply with the GDPR if it processes personal data and:

  • Has a presence in the EU,
  • Has no presence in the EU but processes personal data of data subjects located in the EU.

With regards to size, a company should comply with the GDPR if it:

  • Has more than 250 employees, or
  • Has fewer than 250 employees, but the processing it does impacts the rights and freedoms of data subjects, is not occasional or includes sensitive data.


In order to be able to lawfully process personal data, the controller or processor has to do the following:

  1. Keep a record of processing activities, which should include:
     • The name and contact details,
     • The purposes of the processing,
     • A description of the categories of data subjects and of the categories of personal data,
     • The categories of recipients to whom the personal data have been or will be disclosed,
     • Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards,
     • Where possible, the envisaged time limits for erasure of the different categories of data, and
     • Where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.
  2. Comply with the requirements of the Regulation, and have written proof thereof, including but not limited to the obligations to:
     • Process personal data lawfully, fairly and in a transparent manner (Article 1 (a) GDPR),
     • Collect personal data for specified, explicit and legitimate purposes and not further process it in a manner that is incompatible with those purposes (Article 1 (b) GDPR),
     • Process personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Article 1 (c) GDPR),
     • Keep the personal data processed accurate and, where necessary, up to date (Article 1 (d) GDPR),
     • Keep the personal data in a form which permits identification of data subjects for no longer than is necessary (Article 1 (e) GDPR), and
     • Process personal data in a manner that ensures appropriate security (Article 1 (f) GDPR).
  3. Process personal data only under one of the lawful bases under Article 6 of the GDPR.
  4. Comply with the requirements related to: the information to be provided where personal data have or have not been collected from the data subject (Articles 13 and 14 GDPR); the right of access of the data subject (Article 15 GDPR); and the rights to rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), portability (Article 20 GDPR) and objection (Article 21 GDPR).
  5. Appoint a Representative if it does not have a presence in the EU, but offers goods or services to, or monitors the behavior of, data subjects located in the Union. Make sure to appoint a Representative located in one of the Member States where the data subjects are.


Obelis Services

Obelis European Authorized Representative Center provides ISO certified services for the compliant processing of personal data in accordance with the EU GDPR Regulation.

Those services include, but are not limited to, GDPR Representative services, Certificate of GDPR Representative, Certificate of Documentation Review, privacy policy creation/review, trade mark submissions, ad hoc studies, follow-up in case of EU authorities’ inquiries and documentation translation.

Our services are backed by over 25 years of experience providing regulatory, consulting, and European Authorized Representative services. We are located within walking distance of the European Commission, maintaining close relations with the EU Administration.

GDPR Representative Services

Our professional GDPR Representative services aim to ensure compliance with the GDPR and, when applicable, the Privacy and Electronic Communications Directive.

Those services include, but are not limited to:

  • GDPR Representative (Art 27)
  • Registered Address in the EU
  • GDPR documentation review
  • GDPR documentation keeping and updating
  • Certificates of GDPR Representative and GDPR Documentation Review
  • Information request and complaint handling

Advisory Services

Obelis aims to provide you with full solutions for the compliant processing of personal data under the GDPR. Among others, our team of experts will guide you on:

  • Lawful bases for processing and regulatory advice
  • QMS implementation
  • Identification of proper regulation
  • Regulatory advice and updates

Pre-processing services

The basis for the compliance process lies in the correct identification of the lawful bases for processing and the applicable legal framework. Our pre-processing services include but are not limited to:

  • Identification of proper legal framework
  • Identification of lawful bases for processing activities
  • Guidance on privacy policy drafting
  • Coordination between the Supervisory Authorities, the data subjects and the client

Extra Services

Additionally, we also provide the following services:

  • Documentation translation
  • EU Trademark Submission
  • Agreement Consultancy and Review Services

In case of clients with medical devices, in-vitro diagnostic medical devices, products falling under the General Product Safety Directive, cosmetics or other devices, bearing the CE mark, Obelis provides a one-stop-shop solution with the following services:

  • European Authorized Representative and European Responsible Person Services,
  • Vigilance and cosmeto-vigilance contact point,
  • TIF and PIF compiling, updating and keeping accessible for the Competent Authorities,
  • National registration,
  • Free Sales Certificates.

Global Services

Our mission is to provide clients with the finest quality services and personalized solutions to the complex regulatory requirements worldwide. As such, we developed a wide range of solutions to provide you with support in over 20 markets worldwide.

  • Access to International Network
  • Regulatory Solutions
  • International representation
