1. Company ‘X’ has an annual revenue of €10m. What is the maximum fine they could receive, for not being GDPR compliant?
Answer – €20m
Failure to properly handle how personal data is collected, stored, and used could result in significant fines of up to €20 million (Euros), or 4% of annual revenue, whichever is greater.
2. To whom do GDPR rules and fines apply?
Answer – Any company that holds EU citizens’ data, regardless of geographical location
GDPR applies to companies all over the world if they hold EU citizens’ data.
3. A US company has NO European users, but has a website with a European country code URL (such as .es, .it, .ro). Does this company have to comply with GDPR?
Answer – Yes, it does have to comply
Even if your company has no data on European users, if it has a website with a European URL, you must comply with GDPR.
4. Once consent has been given, user data of EU citizens can be kept indefinitely.
Answer – No, it cannot be kept indefinitely
EU citizens’ data can be kept for a long time provided that there is sufficient justification. The length of time for which it can be kept is dependent on several varying factors, but no data can be kept indefinitely.
5. GDPR only applies to digital data.
Answer – No, GDPR applies to non-digital data as well
GDPR applies to any data you have, including non-digital data. Even the way paperwork is collected and processed will have to comply with GDPR.
6. The way that you acquire, store, and manage your employees’ personal data will also be affected by GDPR.
Answer – Yes, GDPR applies to employee data
All EU citizen data is protected by GDPR, even that of your employees. Their data needs to be collected, used, and stored to the same standards as any non-employee’s data is processed.
7. Under GDPR, the right to portability allows individuals to obtain their personal data from any organization that holds it, free of charge. When faced with a data portability request from a user, how long do you have to respond?
Answer – One month
Portability requests must be resolved within a month, although this can be extended to two months for particularly complex cases (source).
8. How long do companies have to report a data leak?
Answer – 72 hours
Companies only have 72 hours to report a data leak. If the leak is going to significantly affect individuals’ rights and freedoms, you must also inform them as soon as possible.
9. At what age can children consent (or deny consent) to companies collecting and using their data?
Answer – 13
For children under the age of 13, parental consent is required.
10. Do we, Ogury, have to ask permission to email through your final score, and a link to the answers to this challenge?
Answer – Yes
As a responsible GDPR compliant data provider, we absolutely do have to ask for your permission to email through your final score, as well as a link to this summary of all the answers.
Looking for more information on GDPR? Read our blog posts: