Data Protection

International Laws & Policy Guidelines

B2B Data Supplier

Important guidelines

As businesses struggle to keep up with fast-changing data protection laws and face more compliance issues in their marketing, BDP Agency is uniquely positioned to help guide clients.

Supplying databases around the globe, BDP Agency provides high quality data services and management wherever our clients do business. BDP’s global presence, together with a depth of experience in each region, gives clients the important advantage of local knowledge and cultural awareness, backed by consistent, practical advice.

Our team members are very involved in their local compliance culture and maintain close contacts with local regulators in Asia Pacific, Europe and the US. Our data team has successfully worked together in recent years to assist many companies with advice on their data compliance.




The General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) is a European Union law which entered into force in 2016. After a two-year transition period, it will become applicable law in all Member States of the European Union on 25 May 2018. It does not require implementation by EU Member States through their own laws.

The GDPR is a ‘Regulation’ and, unlike the Directive it replaces, is directly applicable and has consistent effect in all Member States. There is nevertheless considerable room for Member States to interpret aspects of the GDPR in their own way, enforcement being the main area, and there remain more than 50 areas where Member States are permitted to legislate differently in their own data protection laws.

Territorial scope – Whether the GDPR applies depends first on whether an organization is established inside the EU. ‘Establishment’ takes a wide variety of forms, and an organization does not have to be a legal entity registered in an EU Member State.

An organization that is not established within the EU will still be subject to the GDPR if it processes the personal data of data subjects who are within the European Union and the processing activities relate either to “the offering of goods or services” to such data subjects in the EU, regardless of whether a payment is required (Article 3.2.a), or to “the monitoring of their behaviour” as far as that behaviour takes place within the EU (Article 3.2.b).


Personal data – “Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). If the person can be identified using “all means reasonably likely to be used”, then the information is classed as personal data. This means that a name is not necessary: any identifier will do, such as an identification number, a phone number, an email address, location data, or any other factor which may identify the natural person.

Recital 30 lists IP addresses, cookies and RFID tags as examples of online identifiers.

The GDPR creates more restrictive rules for the processing of “special categories” of personal data, which include data relating to race, religion and sexual life, data pertaining to health, genetics and biometrics, and personal data relating to criminal convictions and offences. (Article 9 & Article 10.)

The GDPR is concerned with the “processing” of personal data. Processing has a wide meaning and covers any operation performed on data, including the storage, hosting, consultation or erasure of data.

Personal data is processed by either a “controller” or a “processor”. The controller is the decision maker, who “alone or jointly with others, determines the purposes and means of the processing of personal data”, whilst the processor “processes personal data on behalf of the controller”. The processor acts on the instructions of the controller. (Article 4).

The “data subject” is a natural person whose personal data is being processed by a data controller or data processor.


Data protection authorities, also known as supervisory authorities, are the bodies in charge of enforcing the GDPR, for example the ICO in the UK or the CNIL in France.

The European Data Protection Board, which replaces the Article 29 Working Party, is made up of delegates from each supervisory authority. It monitors the application of the GDPR across the European Union and issues guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of a “lead supervisory authority”. Where there is cross-border processing of personal data, such as processing which takes place in establishments of a controller or processor in multiple Member States, the starting point for enforcement is that the controllers and processors are regulated by, and answer to, the supervisory authority for their main or single establishment, the “lead supervisory authority”. (Article 56.1)

The lead supervisory authority is required to co-operate with all other “concerned” authorities. A supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects in its territory. (Article 56.2)

The lead supervisory authority concept is therefore of somewhat limited help to multinationals.


There is no general system of registration or notification. The GDPR aims to prevent indiscriminate general notification obligations. Member States do have the right to impose notification obligations for specific activities, such as the processing of personal data relating to criminal convictions and offences. There is also a requirement to consult the supervisory authority in certain cases following a data protection impact assessment, which is in effect a form of notification. In addition, each data controller or data processor must communicate the details of its data protection officer, where it is required to appoint one, to its supervisory authority. (Article 37.7)

External accountability to supervisory authorities via registration or notification is replaced in the GDPR by demands for internal accountability. Controllers and processors are required to compile and maintain comprehensive records of their data processing activities. These must contain specific details of the processing of personal data carried out within the organisation and must be provided to supervisory authorities on request.


Data Protection Officers

Each controller or processor is required to appoint a Data Protection Officer (DPO) if it satisfies one or more of the following tests:

  • It is a public authority.
  • Its core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
  • Its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities, provided that the data protection officer is easily accessible from each establishment. Larger corporate groups may therefore find it difficult in practice to operate with a single data protection officer. (Article 37.2)

DPOs must have “expert knowledge” of data protection law and practices. It is possible to outsource the Data Protection Officer role to a service provider. (Article 37.5 & Article 37.6)

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data”. The DPO must report directly to the highest management level, must not receive instructions regarding the performance of their tasks, and must not be dismissed or penalised for performing those tasks. (Article 38.1 & Article 38.3)

The specific tasks of the DPO include:

  • Informing and advising on compliance with the GDPR and other Union and Member State data protection laws.
  • Monitoring compliance with the law and with the internal policies of the organization.
  • Advising on, and monitoring, data protection impact assessments when requested.
  • Co-operating with, and acting as the point of contact for, the supervisory authority.

Collection & Processing.

Data Protection Principles

Controllers are responsible for compliance with principles which apply to all processing of personal data. Under these principles, personal data must be:

  • Processed fairly and lawfully, and in a transparent manner. This is the “lawfulness, fairness and transparency principle”.
  • Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes. This is the “purpose limitation principle”.
  • Adequate, relevant and limited to what is necessary in relation to the purpose. This is the “data minimisation principle”.
  • Accurate and, where necessary, kept up to date. This is the “accuracy principle”.
  • Kept in a form which enables the identification of data subjects for no longer than is necessary for the purpose for which the data was processed. This is the “storage limitation principle”.
  • Processed in a manner that ensures appropriate security of the personal data, including by taking appropriate technical and organisational measures. This is the “integrity and confidentiality principle”.

The controller is responsible for, and must be able to demonstrate, compliance with the principles above. This is the “accountability principle”. Accountability is a core theme throughout the GDPR: not only do organizations have to comply with the GDPR, they must also be able to demonstrate compliance, possibly years after a decision was made in relation to the processing of personal data. To achieve accountability, organizations will have to keep records, carry out audits and put appropriate governance in place.

              Legal Basis under Article 6

The use of personal data must be justified by reference to an appropriate basis for processing in order to satisfy the lawfulness principle. The legal bases (also known as lawful bases or lawful grounds) on which data may be processed are (Article 6.1):

  • With the consent of the data subject, where consent must be “freely given, specific, informed and unambiguous” and must be capable of being withdrawn at any time.
  • Where necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
  • Where necessary to protect the vital interests of the data subject, which is usually understood as ‘life or death’ scenarios, such as medical emergencies.
  • Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.
  • Where necessary for the purposes of the legitimate interests of the controller or a third party, subject to a balancing test: the controller’s interests must not override the interests or the rights and freedoms of the data subjects.

Special Category Data

The processing of special category data is prohibited unless one of the following exemptions applies:

  • There is explicit consent from the data subject.
  • Where it is necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law, or a collective agreement.
  • Where necessary to protect the vital interests of the data subject who is physically or legally incapable of giving consent.
  • Processing in limited circumstances by non-profit organisations.
  • Processing which relates to personal data which was made public by the data subject.
  • The establishment, exercise or defence of legal claims, or where courts are acting in their judicial capacity.
  • Reasons of substantial public interest under Union or Member State law, proportionate to the aim pursued and with appropriate safeguards.
  • For assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
  • Where necessary for reasons of public interest in the area of public health, such as protecting against cross-border threats to health or ensuring high standards of health care and of medical products.
  • For scientific or historical research purposes or statistical purposes, subject to the restrictions set out in Article 89.1.

Member States are required to introduce further conditions and limitations on the processing of genetic, biometric and health data.



              Criminal Convictions and Offences data

The processing of personal data relating to criminal convictions and offences is prohibited unless it is carried out under the control of an official public authority, or is specifically authorised by a Member State’s domestic law. (Article 10)

              Processing for a secondary purpose

It is becoming increasingly common for organisations to wish to re-purpose personal data: for example, data collected for one purpose is reused for a new purpose which was not disclosed to the data subject at the time the data was first collected. This potentially conflicts with the principle of purpose limitation, which exists to protect the rights of data subjects. The GDPR lists a series of factors that the controller must consider when deciding whether the new processing is compatible with the purpose for which the personal data was initially collected (Article 6.4). The factors are:

  • Any link between the original and the new purpose.
  • The context in which the data was collected.
  • The nature of the personal data.
  • Whether special categories of data or data relating to criminal convictions are processed.
  • The consequences of the new processing for the data subjects.
  • The existence of appropriate safeguards.

If the data controller concludes that the new purpose or purposes are incompatible with the original purpose, then the only bases on which it can justify the re-use of the data are consent or a legal obligation, which could arise under EU or Member State law.

Transparency (Privacy Notices)

The GDPR places heavy emphasis on transparency: for example, the right of a data subject to understand how and why their data is used, and what other rights are available to them to control the processing.

The following information must be provided at the time that the data is obtained in a concise, transparent and easily accessible form, using clear and plain language (Article 12.1):

  • The identity and contact details of the data controller.
  • The contact details of the Data Protection Officer (DPO), if there is one.
  • The purpose of the processing of the data.
  • The legal basis for processing the data, including the legitimate interests relied on if relevant.
  • The recipients of the personal data, or categories of recipients if necessary.
  • Details of international transfers, if any.
  • The period for which the personal data will be stored or, if that is not possible, the criteria used to determine this.
  • The rights of the data subject, including the rights of access, rectification, erasure, restriction of processing and objection to processing.
  • The right to withdraw consent and the right to lodge a complaint with a supervisory authority.
  • The consequences of failing to provide data that is needed to enter into a contract.
  • The existence of automated decision making and profiling, and its consequences for the data subject.
  • If the controller wishes to process existing data for a new purpose, it must inform the data subjects of the further processing and provide the above information again.

Rights of the Data Subject

Data subjects have rights to control the processing of their personal data; some are broadly applicable, while others apply only in limited circumstances. Controllers must provide data subjects with information on the action taken in response to a request within one calendar month by default, with a limited right for the controller to extend this period by up to a further two months where the request is excessive.

              Right of access (Article 15)

A data subject is entitled to request access to a copy of their personal data, along with information about how the data has been used by the data controller.

              Right to rectify (Article 16)

Data subjects may require inaccurate or missing personal data to be corrected or completed without undue delay.

              Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects can request the erasure of their personal data. This right is not absolute and only arises in a fairly narrow set of circumstances, specifically when a controller no longer needs the data for the purposes for which it was collected.

              Right to restriction of processing (Article 18)

Data subjects have the right to restrict processing of their personal data in specific circumstances, including where the accuracy of the data is contested, where the processing is unlawful, where the data is no longer needed, or where the legitimate grounds for processing relied on by the controller are contested.

              Right to data portability (Article 20)

Where the processing of personal data is justified either by the data subject’s consent or by the necessity of the processing for the performance of a contract, the data subject has the right to receive their data, or to have it transmitted to another controller. All the personal data concerning the data subject should be provided in a structured, commonly used and machine-readable format. An example of this is a file format recognised by common software applications, such as an .xls file.

              Right to object (Article 21)

Data subjects have the right to object to processing carried out on the legal basis of the legitimate interests of the data controller or in the public interest. The controller must then suspend its processing of the personal data until it has demonstrated “compelling legitimate grounds” for processing which override the rights of the data subject.

At any time, data subjects have an unconditional right to object to the processing of their personal data for direct marketing purposes.

              The right not to be subject to automated decision taking (Article 22)

Automated decision making, including profiling, “which produces legal effects concerning the data subject … or similarly affects him or her” is only permitted where:

  1. It is necessary for entering into or performing a contract.
  2. It has been authorised by EU or Member States law.
  3. The data subject has given their explicit consent, such as opt-in.

Where such significant automated decisions are taken, the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.


Transfers of personal data by a data controller or processor to third countries outside the EU, Norway, Liechtenstein and Iceland are only permitted if the conditions laid down in the GDPR are met. (Article 44)

The European Commission has the power to decide that a third country provides an adequate level of data protection, with the result that personal data may be freely transferred to that country or territory.

Currently the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Switzerland, Eastern Republic of Uruguay and New Zealand.

Third country transfers are also permitted where the controller or processor has provided appropriate safeguards, on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, amongst others, binding corporate rules, standard contractual clauses and the EU-U.S. Privacy Shield.

The GDPR also includes a list of specific derogations permitting transfers to third countries where:

  1. Explicit consent has been obtained.
  2. The transfer is necessary for the performance of a contract.
  3. The transfer is necessary for the implementation of pre-contractual measures or the conclusion of a contract.
  4. The transfer is necessary for important reasons of public interest.
  5. The transfer is necessary for the establishment, exercise or defence of legal claims.
  6. The transfer is necessary in order to protect the vital interests of the data subject where their consent cannot be obtained.
  7. The transfer is made from a register which, according to EU or Member State law, is intended to provide information to the public, subject to certain conditions.

There is, however, very limited room to transfer where no other mechanism is available and the transfer is necessary for the compelling legitimate interests of the controller, which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority and to the data subject is required if you rely on this derogation.

Transfers of data demanded by courts, tribunals or administrative authorities of countries outside the EU are only recognised or enforceable within the EU where they are based on an international agreement, for example a mutual legal assistance treaty in force between the requesting third country and the EU or a Member State. A transfer made in response to such a request where no other legal basis for the transfer exists is an infringement of the GDPR.


The GDPR is not prescriptive when it comes to technical standards or measures; it takes a proportionate and context-specific approach to security. Controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate and proportionate to the risk of the processing.


However, the GDPR does require controllers and processors to consider the following when assessing their security measures:

  1. Pseudonymisation and encryption of personal data.
  2. The ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services.
  3. The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.
  4. A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

Breach Notification.

The GDPR contains a general requirement for personal data breaches to be notified to the supervisory authority by the controller. For more serious breaches, the affected data subjects must also be notified. A “personal data breach” is defined as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. (Article 4)

The data controller must notify the supervisory authority of the data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the data controller has determined that the breach is unlikely to result in a risk to the data subjects. If it is determined that the data subjects are at high risk, the controller is also required to notify the affected data subjects without undue delay. (Article 34)

If the breach occurs at the level of a data processor, the processor is required to notify the data controller without undue delay after becoming aware of it. (Article 33.2)

The notification to the supervisory authority must, where possible, include the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer, the likely consequences of the breach, and the measures taken to minimise harm. (Article 33.3)

Data controllers are also required to keep a record of all data breaches, whether or not notified to the supervisory authority; this record may be audited by the supervisory authority. (Article 33.5)



The GDPR supervisory authorities have the power to impose fines up to 4% of annual worldwide turnover, or up to €20 Million (EUR), whichever is higher.

The European Commission’s intention is that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controllers or processors. ‘Undertaking’ is not defined, and the extensive case-law is not straightforward, with decisions usually turning on the specific facts of each case.

Fines are split into two categories.

The higher category of fines is up to €20 million (EUR) or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher. It applies to infringements of:

  • The basic principles for processing, including the conditions for consent.
  • The data subjects’ rights.
  • Restrictions on international transfers.
  • Obligations imposed by Member State law for special cases.
  • Certain orders of a supervisory authority.

The lower category of fines is up to €10 million (EUR) or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is higher. It applies to infringements of:

  • Obligations of controllers and processors, including security and data breach notifications.
  • Obligations of certification bodies.
  • Obligations of monitoring bodies.

Supervisory authorities are not required to impose fines, but they must ensure that in each case the sanctions imposed are effective, proportionate and dissuasive. (Article 83.1)

Fines may also be imposed in combination with other sanctions.

              Investigative and corrective powers

Supervisory authorities have investigative and corrective powers. (Article 58) These include the power to carry out on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

              Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

  • Any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to receive compensation from the controller or processor. Because “non-material damage” is included, individuals will be able to claim compensation for distress even where they cannot prove, or have not suffered, any financial loss.
  • Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf.
  • Individuals also have the right to lodge a complaint with a supervisory authority.

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority which concerns them, or where the supervisory authority fails to reach a decision.

Data subjects also enjoy the right to an effective judicial remedy against a controller or processor.

Electronic Marketing.

The GDPR applies to the majority of electronic marketing activities, since these almost always involve some use of personal data, for example an email address which includes the recipient’s name. The most plausible legal bases for electronic marketing are consent or the legitimate interests of the controller, and the GDPR sets strict standards for consent. When consent is relied on, marketing consent forms need clearly worded opt-in mechanisms, such as ticking an unticked consent box or signing a statement. Acceptance of terms and conditions, or consent implied from conduct such as visiting a website, is not sufficient.

Data subjects have an unconditional right to object to, and therefore prevent, any form of direct marketing, including electronic marketing, at any time. (Article 21.3)

There are specific rules on electronic marketing, including the circumstances in which consent must be obtained, in Directive 2002/58/EC (the ePrivacy Directive), as transposed into the local laws of the Member States. The ePrivacy Directive is due to be replaced by a regulation, currently forecast for spring 2019.

In the meantime, the GDPR makes clear that references to Directive 95/46/EC are to be read as references to the GDPR. In particular, references in the ePrivacy Directive to the Directive 95/46/EC standard for consent are replaced by the GDPR standard for consent. (Article 94)

Direct marketing to natural persons by means of automated calling systems, fax, email, text, voice, sound or image messages is only allowed if the natural person has given their prior consent to it. Direct marketing by other means is allowed if the natural person in question has not specifically forbidden it. If, for example, a service provider receives an email address, or another category of contact information, in connection with the sale of a product or service, the service provider may use this contact information to market its own products or services, as long as they are within the same product group or are otherwise similar. However, the natural person must be able to easily opt out of any direct marketing at no cost, and the service provider must clearly inform the natural person of that possibility.

A service provider may use direct marketing with legal persons unless it has been specifically forbidden. As with natural persons, legal persons must be able to easily, and at no cost, opt out of any direct marketing, and the service provider must clearly inform the legal person of that possibility.

Electronic marketing is not specifically addressed in the Act; however, the use of personal data for marketing purposes falls within the scope of the Act. It is argued that the consent of the data subject is required when processing personal data for marketing purposes.

Electronic marketing is regulated by the Austrian Telecommunications Act (2003, ‘TKG’). Under the TKG, sending electronic messages without the prior consent of the recipient is unlawful if the messages are for direct marketing purposes or are sent to more than 50 recipients. Where contact data has been acquired through the sale of goods or the provision of services and is used to market similar goods or services, consent is not required; however, the recipient must be able to easily decline the use of their personal data. The recipient can also be entered on the relevant list maintained by the Austrian Regulatory Authority for Broadcasting and Telecommunications to indicate that they do not want to be contacted.

Online Privacy.

The Information Society Code also regulates online privacy, such as the use of cookies and location data.


A service provider is allowed to store cookies and other data on a user’s terminal device, and to use such data, but only with the consent of the user. Consent can be given via web browser or other applicable settings. The service provider must also give the user clear and complete information on the purpose for which cookies are used.

However, the above restrictions do not apply to the use of cookies solely for the purpose of enabling the transmission of messages in communications networks, or where the use is necessary for the service provider to provide a service that the subscriber or user has specifically requested.

The relevant section of the TKG states that a user must give informed consent to the storage of personal data, which includes cookies. The user also has to be aware that consent has been given and must have actively agreed. Obtaining consent through a pop-up or an agreement is therefore advised.

              Location Data

The location data of a natural person may be processed for the purpose of offering and using value-added services if:

  • The user or subscriber in question has given their consent.
  • Consent is clear from the context.
  • Processing is provided for by law.

The value-added service being offered must ensure that:

  • The user or subscriber has easy and free access to specific information on which of their data is being processed, the purpose, and the duration of its use.
  • The location data is disclosed to a third party only for the purpose of providing the service.
  • The above information is available to the user or subscriber before they give their consent.
  • The user or subscriber can easily, and at no cost, choose to revoke consent and prohibit the processing of their location data, where this is technically feasible.

The user or subscriber is entitled to request and receive the location data from their device from the service or communications provider at any time. Location data can only be processed for value-added services, and the consent of the user is required. Where consent is relied on, the user must be able to prohibit the processing by easy means and free of charge.

Traffic Data

Traffic data held by communications service providers must be erased or anonymised when it is no longer needed for the purpose of transmitting a communication; however, traffic data can be retained for the purpose of invoicing the services. Once the invoice has been paid and no challenge has been raised with the CSP within three months, the traffic data must be erased or anonymised.


BDP Agency and GDPR.

Our licensing and terms and conditions ensure that all purchases from us, and any consequent marketing carried out, are GDPR compliant. The GDPR consists of rules on the processing of data and its purposes, as well as on documenting its use and possession.
