GDPR FAQs

I’m not a citizen in the EU, do I still benefit from GDPR?

Whilst these laws were written for the citizens in the European Union, every organisation outside the EU which must comply to GDPR regulations if they offer goods or services to, or monitor the behaviour of, EU data subjects. Organisation which fail to do so can severe face penalties.

What sort of penalties does an organization face if they fail to comply?

Non-compliance can result in a fine up to 4% of the annual global turnover. The maximum fine is €20 Million, which is typically imposed for severe . is the maximum fine that can be imposed for violations such as insufficient customer consent to process data or violating the core of Privacy by Design concepts. A company can get fined up to 2% for not complying to Article 28, which requires records to be in order, failing to identify and report a breach to the supervising authority and data subject, or not conducting impact assessment.

What constitutes as personal data?

‘Personal Data’ refers to any information which can directly or indirectly lead a third party to identify the particular individual. Some examples of ‘personal data’ may be an individual’s name, address, place of work, identification number or ID an account details. Personal data should be carefully used in any circumstance, but what constitutes as personal data can vary depending on the organisation’s intended use and the context of which it is used in.

What is the difference between ‘explicit’ or ‘unambiguous’ data subject consent?

The conditions for consent have been strengthened, as companies are no longer able to utilise long illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent,meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

Is GDPR a certification?

No, there is no certification that is issued by the EU for GDPR. EngageRocket will be sure to update you if this rule changes.

What rights do I exercise under GDPR?

  1. The right to access: This refers to your right to request access to your personal data and to ask how their data was used by us after we have gathered the information. Upon your request, we then are required to provide a free softcopy of the information we gathered of your personal information. There is more information under our privacy policy.

  2. The right to be forgotten: If you are no longer customers and therefore choose to unsubscribe for our mailing list or withdraw consent to use your personal data, then you have the right to have your data deleted from our database.

  3. The right to data portability: You can transfer your personal information from one service provider to another. However, note that the service provider should be commonly used and in a machine readable format.

  4. The right to be informed: Being ‘informed’ includes anything where you need to opt and consent for EngageRocket’s collection of your data, and for EngageRocket to inform you before we gather your data. Consent must be explicit; it should not be assumed.

  5. The right to have information corrected: It is required for your data to be updated if it is out of date, incomplete or incorrect.

  6. The right to restrict processing: EngageRocket’s customers may request for their data to not be used for processing. Note that your record will still remain in place, but it will not be used.

  7. The right to object: This is our customer’s right to prevent their data to be processed for direct marketing. This rule has no exemptions. Once your request is made and received by our side, any processing will be halted immediately. EngageRocket is ensuring that all our customers aware of all their rights before any agreements are made.

  8. The right to be notified: You will be informed within 72 hours in the case of a breach in security which endangers any of your personal data and information.

Will the agreements made with EngageRocket’s existing customers be updated to comply to GDPR?

Yes, we have updated both our confidentiality and privacy policy statements in order to comply to GDPR standards. Therefore, all agreements will apply to our existing and new customers. Even now, our team of experts is continuously improving our security systems.

What does privacy by design mean?

Privacy for design is an approach which aims to increase awareness of the importance of privacy and data protection. It shows an organisation’s serious commitment to data protection. Some examples of privacy by design includes collaborating with an external party for data sharing or building new security systems which store or access personal data.

What is a fair processing notice?

Having a ‘fair processing notice’ means that we have to inform our customers on how we process their personal data as part of our work.

How has the laws for data security and privacy changed through GDPR?

GDPR regulations standardised data and information security laws across the EU in a way that impacts all organisations globally. As a result, it eradicates the need for individualised data protection laws which differ depending on region. It also makes the laws for data security and privacy much stricter, with more severe punishments for non-compliance and explicit rules to abide to.

What is the difference between a data controller and a data processor?

A Data Controller refers to the organisation which determines what is the purpose and importance of processing the personal information of the individuals concerned. On the other hand, a Data Processor is an external party which processes personal data on behalf of the Data Controller. The data processor processes the data based on instructions from the data controller. Under the GDPR regulations, the data processors have more responsibilities to keep the processed data secure and private.

Read More:

Everything you need to know about Data Security and Privacy

Our GDPR Data Privacy