May 17, 2018

Vanessa Gentile

Get awesome content in your inbox

Subscribe to our newsletter

The Answers

1. Company ‘X’ has an annual revenue of 10m. What is the maximum fine they could receive, for not being GDPR compliant?

Answer – 20m

Failure to properly handle how personal data is collected, stored, and used could result in significant fines of up to €20 million (Euros), or 4% of annual revenue, whichever is greater.


2. To whom do GDPR rules and fines apply?

Answer – Any company that holds EU citizens’ data, regardless of geographical location

GDPR applies to companies all over the world if they hold EU citizens’ data.


3. A US company has NO European users, but has a website with a European country code URL (such as .es, .it, .ro). Does this company have to comply with GDPR?

Answer – Yes, it does have to comply

Even if your company has no data on European users, if it has a website with a European URL, you must comply with GDPR.


4. Once consent has been given, user data of EU citizens can be kept indefinitely.

Answer – No, it cannot be kept indefinitely

EU citizens’ data can be kept for a long time provided that there is sufficient justification. The length of time for which it can be kept is dependent on several varying factors, but no data can be kept indefinitely.


5. GDPR only applies to digital data.

Answer – No, GDPR applies to non-digital data as well

GDPR applies to any data you have, including non-digital data. Even the way paperwork is collected and processed will have to comply with GDPR.


6. The way that you acquire, store, and manage your employees’ personal data will also be affected by GDPR.

Answer – Yes, GDPR applies to employee data

All EU citizen data is protected by GDPR, even that of your employees. Their data needs to be collected, used, and stored to the same standards as any non-employee’s data is processed.


7. Under GDPR, the right to portability allows individuals to obtain their personal data from any organization that holds it, free of charge. When faced with a data portability request from a user, how long do you have to respond?

Answer – One month

Portability requests must be resolved within a month, although this can be extended to two months for particularly complex cases (source).


8. How long do companies have to report a data leak?

Answer – 72 hours

Companies only have 72 hours to report a data leak. If the leak is going to significantly affect individuals’ rights and freedoms, you must also inform them as soon as possible.


9. At what age can children consent (or deny consent) to companies collecting and using their data?

Answer – 13

For children under the age of 13, parental consent is required.


10. Do we, Ogury, have to ask permission to email through your final score, and a link to the answers to this challenge?

Answer – Yes

As a responsible GDPR compliant data provider, we absolutely do have to ask for your permission to email through your final score, as well as a link to this summary of all the answers.

Looking for more information on GDPR? Read our blog posts:


– What international companies based outside of the EU need to know about GDPR.

– The most pressing GDPR questions from our Ogury community of publishers, clients, marketers and developers.

– Look past the fines, focus on the positive side of GDPR and the great opportunities it presents to marketers.

– Ogury’s stance on GDPR; compliant by design.