How To Make GDPR Compliant A Company Operating In The EU

In today’s business landscape, the issue of privacy and data protection is increasingly central to companies, especially due to the rapid development of new technologies.

The importance of managing and protecting personal data has been reaffirmed by the introduction of the General Data Protection Regulation (GDPR), in force since 2018. The latter sets out the modalities as well as the protection measures that companies – both in the EU and outside the EU – are required to implement whenever they process personal data of EU citizens or otherwise carry out data processing in the EU.

This article aims to provide an overview of how companies that want to operate in Europe should handle and manage the personal data they hold.

To do so, it is first necessary to understand what is meant by personal data. Personal data is any information relating to an identified or identifiable natural person, even indirectly. Therefore, personal data is any information relating to an identified or identifiable living person. Under the GDPR, the person to whom the data relates is referred to as a “data subject”; it is important to note that a data subject can only be a natural person and not a company.

The GDPR, then, provides a distinction between so-called normal personal data and so-called sensitive personal data; the latter are a special category of personal data that reveal particularly sensitive information and, therefore, require additional protection and their processing is subject to stricter rules. By way of example, sensitive data include, among others, information such as a person’s ethnic origin, religious beliefs, health data or biometric data.

It also seems appropriate to mention that personal data belong to the data subjects to whom those data refer; therefore, the latter have certain specific rights with regard to their collection, use, storage and protection.

Before going on to outline what data a company normally has to process, as well as the obligations it has to put in place to ensure it is in compliance with the provisions of the GDPR, it is first necessary to mention the distinction between data controller and data processor.

Data controller means the natural person, company or organization that decides why and how people’s personal data are used; data processor means the natural person, company or organization that processes personal data on behalf of the data controller. Any company that collects and processes personal data is automatically a data controller; in fact, no formal appointment is required, since responsibility derives from the processing activity itself. When a company that is the data controller wishes to outsource data processing to another company, it must instead proceed to appoint a so-called data processor, who will precisely manage and process the data on behalf of the controller. The data processor, unlike the data controller, must be formally appointed by means of a contract, which must clearly set out the data processor’s responsibilities.

It follows from this that any company that is in possession of personal data belonging to natural persons is automatically a data controller and will have to process such data in accordance with the provisions of the Regulation in question. The company may then decide to appoint a data processor or not.

Companies normally process different types of personal data. These include employee data, such as name, address, telephone number and bank details for salary payments; supplier data, such as contact information and payment details; and customer data, such as name, email, shipping address and purchase history.

It is crucial that all these people are informed about how their data will be used. To do this, companies must provide clear, simple and easily understandable privacy notices. These disclosures must explain (i) what data is being collected, (ii) why this data is being collected, (iii) how this data is being used, (iv) whether this data will be shared with third parties, and (v) what rights data subjects have (such as rights to access their data, requests for rectification or erasure, rights to object to the processing of their data). The disclosures must be provided at the time the data is collected and must be easily accessible, e.g. via a website, within contracts or in confirmation e-mails on data acquisition.

In addition to providing information to data subjects, in order for a company to be in compliance with the GDPR, it is essential that the company carries out the following activities.

Firstly, it is important that the company appoints a Data Protection Officer (DPO). This person, who can be either an employee or someone outside the company specifically appointed for this role, is responsible for monitoring the company’s compliance with the GDPR, as well as acting as a point of contact between the company and the data protection authority. The appointment of a DPO is not always necessary but depends on the size of the company and the type of data processed; small companies do not normally need one. However, a DPO is compulsory whenever a company engages in regular, large-scale, systematic monitoring of individuals or processes categories of personal data defined as special by the GDPR.

Secondly, it is important to carry out a Data Protection Impact Assessment (DPIA). This is a procedure that aims to describe the data processing to be carried out in order to assess its necessity, proportionality and related risks, so that all necessary measures can be taken to address them. DPIA is mandatory when the processing to be carried out presents a high risk to the privacy of natural persons. Small companies do not normally require a DPIA.

Finally, it is crucial that the security measures taken are proportionate to the nature of the data processed, as well as to the potential risks.

Another factor for companies to take into account is the handling of requests from individuals whose data are processed. These may consist, among other things, of requests for access to their data, requests to rectify their data, requests to object to processing and requests to delete data. Companies must ensure that they respond to such requests within a reasonable period, which is normally set at 30 days.

Another key element concerns the implementation of internal policies and procedures in the event of a data breach, such as the prompt notification of the competent authorities, as well as the relevant stakeholders. It is, in fact, extremely important that companies implement risk management measures internally and adopt guidelines to deal with such possible and hypothetical situations.

Finally, every company should ensure that its staff is properly trained on the GDPR and the company’s data protection procedures. Indeed, training often helps prevent mistakes.

With careful and continuous management, a company not only avoids sanctions, but also demonstrates a concrete commitment to data protection and transparency.

If you would like to be kept up-to-date on developments in this legislation, please send an e-mail to

D’Andrea & Partners Legal Counsel and PHC Advisory Tax & Accounting (a DP Group company) offer assistance and consultancy services in the legal and tax fields. For any enquiries, please contact us at:

The above contents are provided for information purposes only. The publication of this article does not create an attorney-client relationship between DP Group and the reader and does not constitute legal advice. Legal advice must be tailored to the specific circumstances of each case.

Riccardo Verzella Riccardo Verzella

Riccardo Verzella

Senior Associate
Riccardo Verzella, a highly qualified Italian lawyer, has been based in Shanghai, China since January 2020.
Valentina Pica Valentina Pica

Valentina Pica

Junior Associate
Valentina Pica, a Junior Associate at D'Andrea & Partners Legal Counsel, is a based in Milan

Contact us for a
free consultation


This field is for validation purposes and should be left unchanged.