Data Protection & GDPR

Who does GDPR apply to?

GDPR applies to any company processing personal data, regardless of size, if it is established in the EU or if - even from outside the EU - it offers goods or services to persons in the EU or monitors their behaviour. Small firms, online shops, startups, and consulting practices all fall within its scope.

The "250 employees" myth

Many businesses believe the exemption for companies with under 250 employees removes their GDPR obligations. This is incorrect. The exemption does not apply when processing is regular or systematic, involves special categories of data, or poses risks to individual rights. In practice, most businesses cannot rely on this exemption.

What compliance means in practice - your company must:

• Clearly define whether it is a controller or processor
• Process data only on a valid legal basis
• Transparently inform data subjects (privacy policies)
• Enable the exercise of their rights - access, rectification, erasure, objection
• Implement appropriate technical and organisational security measures
• In certain cases, appoint a Data Protection Officer (DPO)

How we can help

• Analysis of personal data processing activities
• Drafting or reviewing internal rules and policies
• Assessing whether a DPO is required
• Preparation for inspections by the data protection authority
• Practical solutions matched to your business's real needs