Salesforce Privacy and Security Compliance


Salesforce provides customer relationship management software and applications focused on sales, customer service, marketing automation, e-commerce, analytics, and application development. On Salesforce’s Passport you can view all the privacy- and security-related information that Salesforce provides.


Other tools make you do the work.

hoggo is an orchestration platform that works for you.


Join the community


If you like our casual and playful attitude towards compliance, you should join our community of compliance professionals to get the latest news and events:


hoggo™ ほご, ほうご - hogo, hōgo in Japanese: care; protection; shelter; safeguard; guardianship;

Yotpo Privacy and Security Compliance

Yotpo is an eCommerce retention marketing platform that drives repeat shopper sales with connected solutions for reviews, SMS, email, loyalty, and subscriptions. View Yotpo’s Trust Profile to learn more about their privacy policy and security efforts by using hoggo’s comprehensive profiles.

If you want to operate in or offer services to individuals within the European Union, you must navigate the complexities of GDPR compliance. GDPR compliance is more than just legal adherence for startups; it demonstrates their commitment to safeguarding user data, enhancing customer trust, and ensuring the sustainability of their businesses.

In this GDPR compliance checklist for startups we will cover the following:


Background about the GDPR

While some view the GDPR as being the only privacy law in the world, that’s not true. There were many previous privacy laws, but few cared about them. Since the GDPR took effect in 2018, everything has changed. 

As an EU regulation, it applies in all EU member states without them having to take any action, unlike a directive. The law has an extra-territorial scope, which means that it applies even if your company isn’t an EU company but offers goods or services to EU citizens, or tracks them.


GDPR Compliance Checklist #1 – Website Compliance 

Let’s start with the basics of website compliance. If you have, or are planning to have, a website, you should have these three things in mind:

  • Privacy Policy
  • Cookie Banner
  • Compliant Forms

Privacy Policy

The first thing we should discuss is your Privacy Policy. Do you need one? The answer is yes, you need one.

There’s no need to hire a lawyer for that.

This is the “transparency” principle of the GDPR in action. It should be easy to read for everyone, not just lawyers. As part of your transparency, you need to explain what types of data you are processing, from whom, for what purposes, whether or not the data will be shared, your legal basis for processing (which will be discussed later), and how long you intend to keep it.

The first thing you need to do is map out all of the data collection points you have on your site. For example, if you have a contact form on your site and you are capturing payments, you already know you are collecting contact details and financial data for capturing payment and customer support. 

Cookie Banner

Next up, cookie banners!

The annoying pop-ups you see on web pages – you need one!

Firstly, let’s look at cookies. Cookies are small text files that a website stores in your browser when you visit it.

Next, let’s look at the types of cookies.

  • Essential/Necessary cookies – cookies that your site or product can’t operate without.
  • Analytics/Statistics cookies – cookies used to track users or site visitors; they are usually placed on your site by installing an analytics tool such as Google Analytics.
  • Marketing/Third-party cookies – cookies usually used for marketing and for measuring conversion rates. They usually report back to a third party (such as LinkedIn, Facebook or Google).

Your cookie banner must be double-layered and give users the option to consent to each type of cookie separately (other than essential cookies). If you offer an option to accept all cookies, you must also give users the choice to deny all of them.

Make sure you present all the options, not just an “accept” button.

Examples of how your cookie banner should and shouldn’t look:

[Figure: examples of compliant and non-compliant cookie banners]
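The per-category consent described above, as an added example that is not hoggo’s code: a small consent store in which the non-essential categories default to denied, a pre-ticked or non-explicit value never counts as opt-in, a stored decision that is missing or malformed falls back to deny, and tags are loaded only for the categories the visitor actually allowed. The category names, the storage key and the sample tag list are constructed for the example.

```javascript
// Added example (not hoggo's code): per-category cookie consent with deny-by-default.
// Category names, STORAGE_KEY and SAMPLE_SCRIPTS are constructed for this example.
const CATEGORIES = ["essential", "analytics", "marketing"];
const STORAGE_KEY = "cookie-consent";

// Essential cookies are always on; everything else starts as denied (no pre-ticked boxes).
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false, decidedAt: null };
}

// Second layer of the banner: the visitor chooses per category.
// Only an explicit boolean true counts as opt-in; "on", 1 or a missing key mean denied.
function applyChoice(choice) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === "essential") continue;           // cannot be switched off
    consent[cat] = choice[cat] === true;
  }
  consent.decidedAt = new Date().toISOString();  // record when the decision was made
  return consent;
}

// First layer: "Accept all" and "Reject all" must both be offered.
function acceptAll() { return applyChoice({ analytics: true, marketing: true }); }
function rejectAll() { return applyChoice({}); }

// Re-read a stored decision; anything missing or malformed falls back to deny-by-default.
function readStoredConsent(raw) {
  if (typeof raw !== "string") return defaultConsent();
  try {
    const parsed = JSON.parse(raw);
    if (!parsed || typeof parsed !== "object") return defaultConsent();
    const consent = applyChoice(parsed);
    consent.decidedAt = typeof parsed.decidedAt === "string" ? parsed.decidedAt : null;
    return consent;
  } catch (_) {
    return defaultConsent();
  }
}

// Tags the site would like to load, each labelled with its category (constructed sample).
const SAMPLE_SCRIPTS = [
  { name: "session",   category: "essential", src: "/static/session.js" },
  { name: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { name: "ads-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Return only the tags whose category the visitor allowed; unknown categories are never loaded.
function allowedScripts(consent, scripts) {
  return scripts.filter(s => CATEGORIES.includes(s.category) && consent[s.category] === true);
}

// Browser glue: persist the decision and inject only the allowed tags.
// Outside a browser (e.g. Node) it only computes the allowed list.
function saveAndLoad(consent) {
  const loaded = allowedScripts(consent, SAMPLE_SCRIPTS);
  if (typeof window === "undefined" || typeof document === "undefined") return loaded;
  window.localStorage.setItem(STORAGE_KEY, JSON.stringify(consent));
  for (const s of loaded) {
    const el = document.createElement("script");
    el.src = s.src;
    document.head.appendChild(el);
  }
  return loaded;
}
```

The important design choice is that the analytics and marketing tags are never injected into the page until a decision exists; a visitor who dismisses the banner or whose stored decision cannot be parsed is treated exactly like one who clicked “Reject all”.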

GDPR Compliance Checklist #2 – Compliant Forms

There are probably a lot of forms on your site, including contact us, newsletter signup, and account creation. You need to ensure that you are collecting the right type of consent in order to have the right legal basis for processing and be compliant with the GDPR. 

To use users’ data for marketing purposes, for example, you need their consent. The type of consent required varies depending on the country in which your users live. 

Let’s review different types of consent:

Opt in

Generally, opt-in means a user takes an affirmative action such as ticking a box or clicking I agree. This does not include unticking a pre-ticked box. 

Double Opt in

A stricter method, called double opt-in, requires a user to opt in and then click on a confirmation link, for example via email. This is the required consent type in Germany.

Implied Consent

We also have implied consent, which applies to situations where you have gotten the contact information of someone directly from them, who has shown interest in your service in the past. Marketing materials can be sent to them, but you must let them unsubscribe. 

Make sure you collect the right type of consent by using our free tool – Marketing Risk Radar. 

If you want to read more about how to create GDPR compliant forms, make sure to read these guides:

The General Principles of The GDPR

There are seven principles included in the GDPR:

  • Data minimization. Collect only what you need. With data comes great responsibility, so it’s best to minimize risks and not collect gender or race on a newsletter sign-up form.
  • Purpose limitation. Having a specific, explicit and legitimate reason for collecting data is essential. Don’t collect data just for the sake of collecting data.
  • Lawfulness, fairness and transparency. Ensure that the processing is lawful, fair, and transparent, which means that you have a proper legal basis, that nothing is hidden, and that the data subject is informed about how, why, and when their data is being processed.
  • Storage limitation. Personal data should be kept for no longer than necessary.
  • Accuracy. You must ensure that your data subjects’ personal data is accurate and up-to-date. Data subjects should also be allowed to correct their data if they wish.
  • Integrity and confidentiality. This is where privacy and security intersect: the GDPR’s security requirements state that you must take the necessary steps to protect personal data.
  • Accountability. Last but not least, companies should have the relevant documents in place to prove that they comply with the GDPR. This includes (but is not limited to) policies, consents from users, and records of processing activities.

GDPR Compliance Checklist #3 – Roles Under The GDPR

Controllers, Processors and Sub-processors

Defining a data controller, a processor, and a sub-processor will help us understand their functions and responsibilities.

To understand your GDPR obligations, you must understand your company’s position in this chain. It is possible for you to be a controller of certain data types, such as data you collect on your site, and a processor of client data. 

Data Controller

GDPR Art. 4(7): ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Which basically means that the data controller decides how the data is collected and for what purposes. 

Data Processor

GDPR Art. 4(8): ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

This means that the data processor only acts under the instructions of the controller and has no say on collection and purposes. 

Sub-Processor

Third parties engaged by Data Processors have access to or will process personal data from Data Controllers. The sub-processor acts under the instructions of the processor. 

The chain can continue, but the entity that decides is the data controller, and it carries most of the responsibility and accountability.

As an example, if you provide email marketing services to other companies, your clients may provide you with a list of prospects to which you can send marketing materials. The client is the controller and you are acting in accordance with their instructions. If you use Google Analytics and Amazon Web Services to provide your client with your services, they act as sub-processors under your direction.

[Figure: GDPR roles – controller, processor and sub-processor]

GDPR Compliance Checklist #4 – Data Subject Requests

Your prospects, users, customers, and partners do have rights.

Those rights include, in a nutshell:

  • The right to be forgotten – meaning to request that you delete their data.
  • The right to correct their data.
  • The right to access the data you hold on them.
  • The right to data portability – meaning to have a copy they can transfer to someone else.
  • The right to be informed, the right to object to processing and the right to restrict processing.

In some cases, those rights are not absolute, and you might be able to refuse a request if you have a good reason to (for example, legal obligation). 

What to do?

Before getting a request

Your Privacy Policy should include those rights and how to exercise them. You should have a mechanism in place and train your employees on how to recognize and handle these rights. 

After getting a request

  1. Verify – In order to avoid future problems, make sure you verify that the request is being made by the correct user. Otherwise, you might be providing access or a copy to someone else. 
  2. Answer within the timeframe – You have 30 days to answer. It can be extended by another 30 days under certain conditions. Read more about DSR timeframes here.

Data Brokers – Risks and Mitigation

Those companies that enable you to enrich your data or get the email of that guy you really want to contact are known as data brokers. Startups love them because they help them get leads.

Here are some risks you should be aware of –

  • The data cannot be verified as having been obtained legally. If you reach out to someone who has had their data obtained without a legal basis, they may complain. 
  • Because data brokers include this in their terms, if anything goes wrong, you’ll be held responsible. If they’re sued, you’ll be paying the bill. 

Even if you aren’t convinced, at least mitigate the risks: provide an unsubscribe option and limit your usage.

GDPR Compliance Checklist #5 – Data Processing Addendum (DPA) 

What is it?

In a DPA, your business outlines how it manages, processes, and secures data. A DPA outlines many of your legal responsibilities towards your customers regarding personal data.

When do you need it?

  • When you share personal data with a third party (such as a processor or service provider)
  • When a third party shares personal data with you (such as your customers)

Why is it important?

  • It is required under a number of laws (yes, under the GDPR as well).
  • It outlines your (or your vendors’) responsibilities regarding personal data.
  • It defines the scope of personal data involved, the limitations on processing activities and other obligations such as timeframes to report a data breach, obligations to assist your client with their compliance efforts (and more).

It’s important to understand that you are bound by this agreement and that it includes your obligations in case of a data breach or audit request. Make sure to understand it and have it documented and accessible.

GDPR Compliance Checklist #6 – Privacy by Design (PbD)

Companies tend to treat privacy as an extra burden they should address when they have the money to do so, but embedding privacy later is very complex and expensive. Moreover, today, privacy has become a competitive advantage – users and customers are seeking solutions that guarantee their privacy.

Privacy by Design comprises these seven principles:

    1. Proactive not reactive; preventative not remedial
      Instead of reacting to privacy risks or invasions, actively build processes and procedures to prevent them from occurring in the first place.
    2. Privacy as the default setting
      Users shouldn’t have to worry about their privacy settings when browsing a website, opening an app, or logging into software.
    3. Privacy embedded into design
      Protecting users’ data and privacy should be a part of the conversation when building a website, a mobile app, or a software application.
    4. Full functionality — positive-sum, not zero-sum
      Those who work to integrate privacy into every design element seamlessly take a positive-sum approach.
    5. End-to-end security
      Privacy by Design ensures the security of this data through the processing lifecycle.
    6. Visibility and transparency
      Openness with users about your privacy policies and procedures.
    7. Have respect for user privacy
      Keep it user-centric.

Quick Recap

As we’ve journeyed through the essential pillars of GDPR compliance, from understanding the roles of data controllers and processors to mastering data subject rights (DSR) and ensuring your website meets GDPR standards, it’s clear that navigating the GDPR landscape is a multifaceted challenge for startups. Implementing these principles not only aligns your startup with regulatory requirements but significantly enhances your credibility and trustworthiness in the eyes of your customers.

In closing, remember that GDPR compliance is an ongoing process, not a one-time achievement. It requires continuous vigilance, regular updates to your data protection practices, and a proactive approach to data privacy. To further elevate your startup’s GDPR compliance and showcase your commitment to data protection, consider leveraging tools like hoggo.

hoggo can help streamline your compliance efforts, making it easier to manage your obligations while building trust with your customers and partners.


As our digital footprints grow larger with the increased reliance on online services, understanding our rights related to data privacy becomes more essential than ever. A key piece of legislation governing these rights in the European Union is the General Data Protection Regulation (GDPR). Among the many rights established by the GDPR, one is particularly noteworthy – Article 77 or the Right to Lodge a Complaint with a Supervisory Authority, commonly referred to as the Data Protection Authority (DPA).


Art. 77 GDPR: The Right to Lodge a Complaint

Under Art. 77 GDPR, individuals are granted the right to lodge a complaint with a DPA if they believe their personal data has been processed in a way that violates the GDPR. It empowers individuals to take action against organizations that mishandled personal data and ensures that data subjects can enforce their rights.

When Can an Individual Submit a Complaint Under The GDPR?

An individual can submit a complaint whenever they believe their rights under the GDPR have been infringed due to the processing of their personal data. This could include instances where an individual believes their data has been processed without their consent, if the data processed is excessive, or if the data has been stored for longer than necessary. It’s important to note that the complaint should be submitted without undue delay.

Any data subject, i.e., an individual whose personal data is being processed, can submit a complaint under Article 77 of the GDPR if they believe their rights under the GDPR have been infringed upon. It’s not exclusive to European citizens. However, the infringement must be in relation to personal data processing activities that fall within the scope of the GDPR, such as when an organization based outside the EU is processing data of an individual inside the EU.

How to Submit a Complaint Under The GDPR?

The process for submitting a complaint varies slightly between different DPAs but typically involves submitting a written complaint that describes the nature of the alleged GDPR violation. Some DPAs have online forms that individuals can use to lodge their complaints. In general, the complaint should include:

  • Full contact details of the individual submitting the complaint.
  • The name and contact details of the organization they are complaining about.
  • A detailed description of the alleged GDPR violation, including any evidence to support the claim.
  • If applicable, any steps that have been taken to resolve the issue directly with the organization.

What Documents Are Needed?

It is important to provide as much relevant information as possible when lodging a complaint. This includes any communications with the organization regarding the issue, evidence of the data processing in question, and any other supporting documents. While not all DPAs require documentation for the initial complaint, having these documents on hand can speed up the investigation process.

Please note that if someone is submitting the complaint on your behalf, you might need to include a power of attorney (POA). 

Make sure to keep any reference numbers, documents and dates as your complaint might be forwarded from one DPA to another. 

Which Data Protection Authority to Approach?

Complaints should be lodged with the DPA in the EU member state where the individual resides, works, or where the alleged infringement occurred. For instance, if a French citizen believes their data has been misused by a company based in Ireland, they can lodge their complaint with either the French or Irish DPA.

To make your life easier, we have prepared a table with the contact details and links for each DPA, by jurisdiction:

| Country | DPA | Website | Email | File a Complaint |
|---|---|---|---|---|
| Austria | Österreichische Datenschutzbehörde | http://www.dsb.gv.at/ | [email protected] | Complaint form |
| Belgium | Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA) | https://www.autoriteprotectiondonnees.be / https://www.gegevensbeschermingsautoriteit.be | [email protected] | Complaint form; upload here |
| Bulgaria | Commission for Personal Data Protection | https://www.cpdp.bg/ | [email protected] | Send via email; it must be formatted as an electronic document signed with a qualified electronic signature (QES) |
| Croatia | Croatian Personal Data Protection Agency | http://www.azop.hr/ | [email protected] | Send via email |
| Cyprus | Commissioner for Personal Data Protection | http://www.dataprotection.gov.cy/ | [email protected] | Send via email |
| Czech Republic | Office for Personal Data Protection | http://www.uoou.cz/ | [email protected] | |
| Denmark | Datatilsynet | http://www.datatilsynet.dk/ | [email protected] | Form or any other way |
| EDPS | European Data Protection Supervisor | https://edps.europa.eu/ | [email protected] | Email |
| Estonia | Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) | http://www.aki.ee/ | [email protected] | Email |
| Finland | Office of the Data Protection Ombudsman | http://www.tietosuoja.fi/en/ | [email protected] | Form |
| France | Commission Nationale de l’Informatique et des Libertés – CNIL | http://www.cnil.fr/ | | Form |
| Germany | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit | http://www.bfdi.bund.de/ | [email protected] | Form |
| Greece | Hellenic Data Protection Authority | http://www.dpa.gr/ | [email protected] | Possible only for citizens |
| Hungary | Hungarian National Authority for Data Protection and Freedom of Information | http://www.naih.hu/ | [email protected] | Possible only for citizens |
| Ireland | Data Protection Commission | http://www.dataprotection.ie/ | [email protected] | Form |
| Italy | Garante per la protezione dei dati personali | http://www.garanteprivacy.it/ | [email protected]; [email protected] | |
| Latvia | Data State Inspectorate | https://www.dvi.gov.lv/ | [email protected]; [email protected] | |
| Lithuania | State Data Protection Inspectorate | https://vdai.lrv.lt/ | [email protected]; [email protected] | |
| Luxembourg | Commission Nationale pour la Protection des Données | http://www.cnpd.lu/ | [email protected] | Online form |
| Malta | Office of the Information and Data Protection Commissioner | http://www.idpc.org.mt/ | [email protected] | Online form |
| Netherlands | Autoriteit Persoonsgegevens | https://autoriteitpersoonsgegevens.nl/ | | Online form |
| Poland | Urząd Ochrony Danych Osobowych (Personal Data Protection Office) | https://uodo.gov.pl/ | [email protected]; [email protected] | Online form |
| Portugal | Comissão Nacional de Proteção de Dados – CNPD | http://www.cnpd.pt/ | [email protected] | Online form |
| Romania | The National Supervisory Authority for Personal Data Processing | http://www.dataprotection.ro/ | [email protected] | Fill out the form and send it to: [email protected] |
| Slovakia | Office for Personal Data Protection of the Slovak Republic | http://www.dataprotection.gov.sk/ | [email protected] | |
| Slovenia | Information Commissioner of the Republic of Slovenia | https://www.ip-rs.si/ | [email protected] | Download the relevant form |
| Spain | Agencia Española de Protección de Datos (AEPD) | https://www.aepd.es/ | [email protected] | |
| Sweden | Integritetsskyddsmyndigheten | http://www.imy.se/ | [email protected] | Online form |

How Long Does the Process Take?

In accordance with GDPR, DPAs must respond within three months to the individual who made the complaint. However, this period may be extended if necessary, based on the number and complexity of complaints received by a DPA. In the event of such an extension, the DPA must inform the individual within three months of receiving the complaint.

In conclusion, the GDPR and Art. 77 provide individuals with the possibility to lodge a complaint about misuse of their personal data or a failure to protect it. Understanding how to lodge a complaint with the DPA is an important aspect of enforcing these rights.

Summary

Article 77 of the GDPR, focusing on the Right to Lodge a Complaint with a Supervisory Authority, stands out as a significant empowerment tool for individuals. This provision allows any data subject who believes their personal data has been mishandled in violation of GDPR protocols to file a complaint with their national Data Protection Authority (DPA). This process, while varying slightly among different DPAs, generally requires a detailed written complaint, potentially supported by evidence of the alleged violation. Complaints can be lodged in the member state where the complainant lives, works, or where the alleged infringement took place, facilitating a responsive framework for addressing grievances.


Your prospects and customers will provide you with many privacy and security questionnaires if you sell to other businesses (B2B). This is so they can ensure you are protecting their data and meeting industry standards.

Addressing these questionnaires is a requirement under the GDPR and the CPRA, and under security certifications such as SOC 2. Most of the questions are open-text, so beyond answering them you need to demonstrate your knowledge and your compliance efforts.

Our unique vendor due diligence checklist for sellers will help you stay on top of your obligations and requirements. 

In this article we will cover:

What is Vendor Due Diligence?

In most cases, vendor assessments are part of a dedicated process designed to ensure that any vendor the company engages with meets the company’s security and privacy requirements. During this procedure, companies will ask vendors to demonstrate that they have robust privacy practices in place to securely manage data, and they will review their security and privacy practices. It involves assessing a vendor’s response plans, security controls, sub-processors, etc. Vendor Due Diligence is a crucial part of risk management for any business.

Organizations also conduct additional due diligence on potential vendors to ensure they meet information security and data privacy compliance requirements. Organizations must ensure that personal data is adequately protected and not misused in accordance with regulations such as GDPR, VCDPA, and CCPA/CPRA.

The impact of a data breach can be devastating in this environment, especially if personal data or protected company information is compromised. It is possible to reduce your organization’s cyber risk while strengthening your business relationships by developing an effective vendor due diligence program.

Different Approaches to Vendor Due Diligence

In-house vendor due diligence

Many companies seek to internally manage vendor data collection and analysis. However, even if your organization is well-staffed and funded, DIY due diligence can be a burden if you use disparate, manual tools (e.g., spreadsheets) to manage the process.

It can be helpful to implement an automated third-party risk management platform. Here are some features to look for:

  • A platform with as many vendor risk profiles as possible
  • Automated assessments and risk recording
  • Vendor management
  • Automated vendor monitoring – to keep up to date with any changes in sub-processors, policies or data breaches
  • Collaboration capabilities

Outsourced vendor due diligence

It is popular to outsource vendor due diligence and assessment to consultants and lawyers. This way, your in-house team can focus on risk identification and remediation instead of chasing down and verifying assessment results.

However, this option is rather costly and does not provide a unified approach to risk assessments. Such service providers often use tiresome spreadsheets and questionnaires, which can delay the buying process.

Instead, you can simply use hoggo’s Trust Hub and view the vendor’s passport in order to evaluate them quickly and consistently.

Vendor Due Diligence Checklist – Privacy

It is imperative that you are prepared in advance for when a buyer conducts privacy due diligence on your company as a vendor. This includes:

  • Public policies – This includes privacy policies, online data processing addendum (if applicable), incident handling procedures, data subject rights processes, and security measures (such as Technical and Organisational Measures). This helps your buyers understand how personal data will be handled, for what purposes, and it would provide details on international data transfers.

  • Internal policies – This includes data subject request procedures, incident response plans, etc. This helps your buyers rest assured that when something happens, you will handle it in line with the regulations and their requirements.

  • Consistent answers – Make sure your answers are consistent and do not vary from one questionnaire to another. Inconsistencies can cause brand damage and loss of trust.

  • History of complaints or requests from Data Protection Authorities – You should keep a record of any complaints or requests from Data Protection Authorities.

  • Employee privacy training – You should also provide regular employee privacy training to ensure they are aware of their rights and the data you collect.

Vendor Due Diligence Checklist – Security

Although security and privacy due diligence are often combined, there are some things you should be prepared for. These include:

  • Confidentiality of employees – Your buyers should be assured that your employees will be trustworthy and will face consequences if they breach this confidentiality.

  • Data breach history – Your buyers should be made aware of any previous data breaches or incidents that have occurred in your organization. They should also be able to trust that you have implemented adequate security measures to prevent future data breaches. Additionally, you should be transparent with them about any potential data breaches or incidents that have occurred.

  • Compliance reports (such as SOC2, ISO) – If you already have any security-related certifications, this is your time to shine. Regular security audits help both you and your customers ensure that vulnerabilities are identified and addressed promptly.

  • Security training – Security training is essential for all employees in order to understand the importance of protecting company data. Regular security training should be conducted to ensure that all employees are aware of the latest security protocols and procedures.

  • Technical and organizational measures – Showcase your implemented technical and organizational measures, such as firewalls, encryption, access control, and two-factor authentication.

Streamline Vendor Due Diligence With hoggo

hoggo’s open platform helps to automate and streamline Vendor Due Diligence processes, making it easier to identify and manage risks. hoggo’s platform allows buyers to quickly assess vendor security postures, manage vendor relationships, and track vendor performance. In addition, sellers can easily showcase their compliance efforts and data practices in order to build customer trust.


The proactive approach to data privacy from key legislations on data protection like the GDPR makes compliance no picnic. Ask any DPO, the process often entails a laundry list of data obligations to be met. 

It doesn’t stop at managing the data lifecycle end-to-end: companies must assess the data privacy risks in their business model to mitigate them. 

In many ways, it’s a game of ball juggling, where dropping one ball can spell doom to the compliance efforts of even the most well-intentioned and attentive of teams. With this in mind, data privacy regulators deploy certain mechanisms to help companies ensure their ducks are in a row. The RoPA falls under this category. 

In this article, we’ll be showing you the ropes around all things “RoPA” — what a RoPA is, why it has become such a mainstay in data privacy compliance (the GDPR + CCPA), and finally, how to create one.


What is RoPA?

Record of Processing Activity (“RoPA”) does what it says on the tin: think of it as a record book of data transactions carried out over time, and throughout their entire lifecycle.

RoPA was once a term peculiar to the GDPR, which explains the trending “GDPR RoPA” searches globally, but now, it’s become the generic term for tracking and recording personal data cycles. 

Presenting your RoPA upon the request of the ICO (Information Commissioner’s Office), DPA (Data Protection Authority), or any relevant authority in your jurisdiction shows you have assessed the full ramifications of all data processing activities in your organization. 

In keeping with a core principle of the GDPR — the principle of accountability — Article 30 of the GDPR imposes an obligation on data controllers and processors to record their data processing activities. 

Article 30 offers a reliable blueprint for structuring RoPA data points. For a data controller, here are some key questions it should typically address: 

  1. Actors involved: Contact details of the data controller and their representatives. Include information about the appointed data protection officer (DPO) where applicable.
  2. Processing Purposes: The intended reasons for collecting and using personal data. This asks the question, “what is the lawful basis for processing?” 
  3. Data Subject Categories: Classes of individuals whose data they process (e.g., customers, employees, website visitors). 
  4. Data Categories: Specify the types of personal data they collect and handle (e.g., names, addresses, financial information, health data). 
  5. Data Recipients: Identify any third parties who receive or potentially access the personal data, including organizations outside their country. Indicate any international transfers and the safeguards in place for such transfers. 
  6. Data Retention Periods: If possible, estimate how long they intend to store different categories of personal data before deletion. 
  7. Security Measures: Provide a general overview of the technical and organizational measures (including but not limited to data encryption, anonymisation, restricted access to certain documents and data, and staff training) used in securing personal data, without revealing sensitive details. 

For data processors, here are the data points: 

  1. Actors involved: Contact details of the data processor. Include information from the hiring controller, as well as the appointed data protection officer (DPO) where applicable.
  2. Data Categories: Specify the categories of data processing conducted on behalf of the controller (e.g., names, addresses, financial information, health data). 
  3. Data Recipients: Identify any third parties who receive or potentially access the personal data, including organizations outside their country. Indicate any international transfers and the safeguards in place for such transfers. 
  4. Security Measures: Provide a general overview of the technical and organizational measures (including but not limited to data encryption, anonymisation, restricted access to certain documents and data, and staff training) used in securing personal data, without revealing sensitive details. 

Beyond these fundamentals, the GDPR specifically requires an entry of information explaining personal data flow within and outside their organisation into RoPA. 

This should also accompany the “legal bases” (as defined in Article 6) for collecting, using, and disclosing all personal data.

A ‘living’ document 

Your RoPA is anything but a one-and-done document. It’s an organic, living document that scales with you and should be updated at regular intervals to reflect the evolving nature of data processing activities in your firm. 

As you introduce new data sets, perform new processing activities in line with business objectives, or change vendors in the ordinary course of business, you’re required to continuously update your RoPA. 

Ideally, any change in the conditions under which an activity entered in your RoPA is carried out should prompt an update.

Who Keeps a RoPA?

The responsibility for maintaining the Records of Processing Activities (RoPA) lies with the controllers or processors themselves. This ensures that they have a bird’s eye view of all personal data processing activities within their purview.

Within the organization, an individual may be designated specifically to oversee the RoPA. In other cases, if the organization has appointed a Data Protection Officer (DPO), whether internal or external, they can assume responsibility for managing the RoPA.

At all times, there must be a dedicated individual overseeing compliance and maintaining the necessary records regarding data processing activities.

Records of processing activities (RoPA) example

There have been a few templates published by regulatory authorities to give companies a workbench for their compliance efforts as it relates to keeping a RoPA.

One of these examples of records of processing activities is the RoPA template published by the CNIL in France. This RoPA is stacked with all the fields mentioned under Article 30 GDPR. The UK ICO’s template is another record of processing activities example, though rather a long one.

What are the benefits of Record of Processing Activities (RoPA)?

Another regulatory burden that could’ve simply been an email sent from your DPO on request? Not quite. 

To put it bluntly, viewing your RoPA that way would be most unhelpful. The RoPA is your friend — a vital cog in your compliance wheel; in the following ways:

Present & future regulatory compliance: 

On the regulator side, authorities can quickly assess your organization’s processing activity to make considered decisions or offer guidance without the overwhelm of sifting through granular data.

Following the GDPR, which mandates the RoPA, several later laws like the CCPA and CPRA did not mandate RoPAs, but practically speaking, strict compliance with the provisions of these laws without keeping one would be a long shot. 

Having a RoPA means one less worry for your privacy team in satisfying any of these new data privacy obligations. 

Internal utility: 

Away from the regulators, the RoPA serves as a single source of truth for companies to help manage and understand their data flow better. 

This helps spot data redundancies, minimize risks, and create a far more robust data privacy infrastructure that creates more business value. 

A privacy-conscious culture:

Your corporate culture is also set to benefit, as you stand to inculcate more privacy awareness in your organization, so teams are more in tune with how data is being processed. 

This helps them understand how to ethically support company-wide efforts in the direction of privacy strategy, data governance, and business analysis.

Brand trust & credibility:

RoPA presents an aerial view of your company-wide data operations to your customers and other stakeholders. This builds credibility and trust by letting them know that data protection is your cup of tea. 

As a spin-off, brand image is enhanced, as the company’s status as a trustworthy partner — one where customers never have to look over their shoulders in fear of a data breach — is reinforced. 


RoPA – GDPR & CCPA/CPRA

The GDPR, however, exempts organizations boasting fewer than 250 employees if: 

  • Data processing activities are few and far between (“occasional”);
  • Their data processing activities pose little to no risk to the rights and freedom of data subjects (for instance, geolocation systems or video surveillance, etc); or 
  • Data being processed do not fall under a category of sensitive data relating to race, ethnicity, health, or relating to criminal conviction or offense. 

Given the ubiquity of certain data sets, as well as how often companies tend to process data as part of their standard procedures (companies process data to run their payroll, CRM systems, or even something as routine-ish as offering a service to customers), these ‘exemptions’ will operate more in theory than in practice. 

Couple that with the ambiguity that plagues the term “occasional” (i.e., how seldom is “occasional”? How often is “not occasional”?), and it becomes immediately obvious: companies would be wise to err on the side of caution and keep a RoPA, without recourse to any seeming ‘exemptions’.

RoPA Under The CCPA/CPRA

As earlier mentioned, the CCPA/CPRA does not mandate the RoPA, stricto sensu. However, it would go on to impose an obligation for companies to keep and maintain records of verifications of requests. 

With the California Privacy Protection Agency (CPPA), the enforcement arm of the CPRA, granted powers to make orders on record-keeping for businesses, it remains to be seen whether the RoPA will be made mandatory.

Peering beyond the letter of the law, since the CCPA/CPRA requires full disclosure as to the processing, sharing, or sale of personal data, it would be practically impossible to comply with the CCPA/CPRA without a RoPA, or at the very least a RoPA-style log of data activity.

Organizations for which it would be instructive to keep a RoPA are the same as those covered under the CCPA/CPRA:  businesses, service providers, and third parties, with the admixture of a fourth category created under the CPRA: contractors.

How to create a compliant RoPA?

Article 30 lays out the form of a RoPA. It should be in writing and in an electronic form, so it is amenable to changes and edits as may be necessary from time to time.

As such, Microsoft Excel Sheets and Google Spreadsheets are usually the first port of call for most privacy teams/DPOs. 

However, they are usually long, hectic, and hard to navigate. Luckily, you can use hoggo’s My Vendors and export a dedicated vendor RoPA which maps your data flows with and to your vendors. 

Whichever solution you go with, here is a breakdown of the steps involved in creating a compliant RoPA:

Preliminary step: Data Mapping 

A comprehensive data audit or data mapping exercise helps you uncover what data your organization holds and where. In other words, it helps you map personal data flow and processing activities at all levels. 

Very often, companies would engage external consultants for the initial mapping of RoPA and deploy DPO-as-a-Service solutions for ongoing DPO duties.

Data Mapping is within the job description of your Data Protection Officer (DPO). But in the absence of a DPO, any employee with the necessary qualifications can perform this task. 

The mapping process involves identifying information systems and personal data to understand the data held and its locations within the organization. Involve key internal stakeholders across departments to ensure wide coverage and to avoid information gaps in your findings.

Compile a survey/questionnaire 

Launch an inquiry into departments in your company that handle personal data. Keep things simple with your questioning. You could ask questions like: 

  • How do we use personal data?
  • Who do we collect personal data from?
  • What personal details do we have about them?
  • Who do we share this information with?
  • How long do we keep this data before deletion?
  • How do we protect personal information?

Interview Key Stakeholders 

Secure the buy-in of your higher-ups and other key stakeholders within the organization. Doing this achieves two things: 

  1. They understand the import of your data mapping exercise; and 
  2. They share more insight into how data is being processed by certain parts of your organization. 

For instance, IT staff could answer on technical security measures, and Information governance staff can reveal more about retention periods. Equally, legal & compliance staff can lay out the full repertoire of data-sharing arrangements struck with other third parties.

Review policies, procedures, and agreements

Besides the legal due diligence you will be carrying out, you can benchmark your actual processing practices against industry best practices. A few of the documents you should be looking at here are: 

  • Data protection policies
  • Data retention policies 
  • Privacy policies 
  • System use policies 
  • Data processor contracts
  • Data sharing agreements 
  • Data security policies

Document your findings

At the risk of sounding like a broken record, your documentation must be in writing, which may come in electronic or paper form. 

One rewarding perk of the electronic form is the ability to add, subtract, and edit your documents as necessary, which makes it the natural fit for companies with very frequent processing activity. 

In any case, you want a granular inventory of all your processing activities based on a data mapping exercise that is reviewed regularly. 

The test for granularity here is sufficient context. Delineate personal data into separate categories, stating their respective purposes and attributes. 

For example, data retention periods might differ across a vast range of categories of data. Reflecting this in your documentation will give the viewer as much structural and contextual meaning as possible. 

To achieve full compliance, steer clear of generic descriptions with no meaningful context. For your continuous documentation needs, you can ditch the traditional survey and spreadsheets for a dedicated data mapping automation (SaaS) solution with these functionalities:

  • Central management of data from one secure dashboard; 
  • Integrates seamlessly with other systems;
  • Automated Data removal;
  • Seamless collaboration across all departments;
  • DPO control panel + segregation of ownership of activities; and
  • Tracking changes in data.

How RoPA Helps Organizations Dodge GDPR Fines

In the realm of data privacy, maintaining compliance with the General Data Protection Regulation (GDPR) is crucial. A vital tool for achieving this is the Record of Processing Activities (RoPA). But how exactly does RoPA help organizations avoid steep fines under GDPR?

Providing a Transparent Audit Trail

  1. Documentation of Data Practices: RoPA offers a detailed account of how your organization processes personal data. This transparency is essential for authorities to see that your data handling procedures align with GDPR requirements.

  2. Evidence of Compliance: By maintaining an up-to-date RoPA, you can demonstrate your efforts to comply with GDPR. This record serves as proof that your organization follows established guidelines, which is crucial in the event of an audit.

Facilitating Monitoring and Improvement

  • Identifying Gaps: Regularly updating your RoPA can help pinpoint areas where your data processing might fall short of regulations, allowing you to make timely adjustments.

  • Streamlining Processes: A well-maintained RoPA helps organizations standardize data handling practices, thus minimizing risks associated with non-compliance.

Avoiding Financial Penalties

The consequences of non-compliance can be severe. The GDPR allows for significant fines, reaching up to €20 million or 4% of annual revenue, whichever is higher. With a comprehensive RoPA, you proactively reduce the risk of infractions, thereby safeguarding your organization from these hefty penalties.

In summary, RoPA acts as both a shield and light for organizations navigating the complex landscape of data privacy, ensuring they remain compliant and transparent in their practices.

Cruising to compliance, RoPA in hand

Out of the operational underbelly of every company flows rivers of ‘living’ data. This river containing data is a free-flowing asset, which, to be fair, is prone to veering off its intended course and seeping into other departments, third-party vendors, or even data owners themselves. 

For this reason, companies must build a water-tight data mapping framework, to be the single source of data truth where teams can monitor and manage data from. 

Still, it doesn’t take a DPO to see RoPA’s value beyond data privacy compliance: companies would be wise to leverage the RoPA to pull double duty, both as a compliance tool and as a corporate asset.

An important milestone in US data protection legislation occurred in 2018, when the California Consumer Privacy Act (CCPA) was enacted. In addition to enhancing consumer rights, it presented a dramatic shift towards more stringent data privacy controls for California residents. With the CCPA, consumers gained unprecedented control over their personal information through novel concepts such as “right to access,” “right to delete,” and “right to opt out.”

The California Privacy Rights Act (CPRA) was introduced in 2020 and approved by public ballot initiative in November of that year, two years after the CCPA was established. The law was scheduled to take effect in January 2023, but has been postponed until March 2024. By introducing several critical amendments that further extend the protection of personal data of California residents, this amended law expands and refines its predecessor.


Contractors, Service Providers and Third Parties Under The CPRA

Under the CPRA, a service provider and a contractor are treated virtually the same in terms of the requirements that apply, but they are defined differently.

Service Provider

According to the CPRA, a service provider is a party “that processes personal information on behalf of a [covered] business and that receives from or on behalf of [that] business [a] consumer’s personal information for a business purpose pursuant to a written contract.”

Essentially, they are vendors (or data processors) who receive a consumer’s personal information either directly from or on behalf of their customers (covered businesses). 

Contractor

A contractor is a party “to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract.”

This definition of a contractor is broader than that of a service provider. Contractors receive consumer information from their customers (covered businesses) while service providers process it on behalf of businesses. Many organizations that you previously treated as service providers under the CCPA may now be classified as contractors under the CPRA. In addition, contractors may only receive personal information directly from covered businesses, i.e., they cannot collect the information on their behalf.

Third Party

In ordinary language, both contractors and service providers might be considered “third parties,” but the CPRA defines “third parties” differently.

A third party is anything that is not a covered business, a service provider, or a contractor.

Under the CPRA, covered businesses are also required to implement certain contractual requirements when they share or sell personal information with a third party. While these requirements are less extensive than those for service providers or contractors, it is the first time we have seen a US jurisdiction require certain contractual obligations for third parties who are not providing a service to the covered business.

How can a covered business tell if a party with whom it is sharing data is a contractor or service provider?

In general, if the party is collecting the information on your behalf, they are a service provider. If you provide personal information to them, you must examine the situation more closely to determine whether they are service providers or contractors.

Vendor Risk Management & New Requirements Under the CPRA

Several new provisions in the CPRA strengthen consumer privacy rights in comparison to the CCPA. In addition to expanding consumer rights in terms of opt-out requirements and consumer privacy requests, a few key developments in the CPRA indicate a stronger emphasis on enforcing data privacy laws, such as:

  • The CPRA created the California Privacy Protection Agency (CPPA), the first agency dedicated to enforcing privacy laws in the US

  • Penalties for mishandling children’s personal information have tripled to $7,500, up from $2,500 under the CCPA

  • Contractual clauses and other safeguards are required by the CPRA to ensure supply chain security and privacy risks are addressed, ensuring a more dynamic and responsive supply chain.

  • Organizations storing data that could present a significant risk to consumer privacy and security must perform annual cybersecurity audits and submit them to the CPPA

  • Regular risk assessments are required if processing PII presents a significant risk to consumer privacy and security

It is imperative for organizations to conduct risk assessments and audits of their vendors in order to understand their data privacy risks. The significant risks associated with third parties when it comes to data privacy and security make it impossible to accurately assess and mitigate potential data privacy risks without visibility into them. So how can you still do it right?

CPRA Vendor Risk Management Checklist

First, to ensure compliance with the CPRA, one must identify all third parties that sell, buy, or process consumer data. Vendor risk assessments are the most effective way to accomplish this goal.

hoggo provides a free vendor directory, called Trust Hub, where you can look up your vendors, view their Privacy Passport and ensure you only engage with trustworthy ones.

Having a vendor risk management solution can help you have a clear overview of your vendors, see who is using them, for what purposes and what personal information they have access to.

It’s crucial to have an updated list of all the vendors you are using and the types of data you are sharing with them. This can easily be done by using vendor management tools like “My Vendors“.

CPRA Vendor Risk Management – Map Your Supply Chain

Second, you need to map your fourth-party vendors and the entire supply chain.

CPRA vendor risk management requirements extend beyond your third-party network. Thanks to digital transformation, the impact on consumer data security now extends to the entire supply chain. Your vendors’ service providers might risk your customers’ data, and you should assess them during the initial vendor risk assessment.

CPRA Vendor Risk Management – Contractual Obligations

Section 1798.100 of the CCPA states that a business that collects a consumer’s personal information and sells or shares it with a third party must enter into an agreement with that third party that “obligates the third party, service provider, or contractor to comply” with the CCPA’s privacy regulations.

It is imperative for a covered business to ensure that its third-party partners and service providers are well prepared to protect consumer information. The first step in any security program is to identify and prioritize existing risks. It is recommended to document such risks.

The contract should address the following:

  1. Specifies that the personal information (PI) is sold or disclosed by the business only for limited and specified purposes;
  2. Obligates the recipient party to comply with applicable obligations under the CCPA/CPRA and to provide the same level of privacy protections to the data as the law requires;
  3. Grants the covered business the right to take reasonable and appropriate steps to ensure that the other party uses the PI in a manner consistent with the businesses’ obligations under the law;
  4. Requires the other party to notify the business if it determines that it can no longer meet its obligations under California privacy law;
  5. Grants the covered business the right to take reasonable and appropriate steps (in compliance with the CCPA/CPRA) to stop and remediate any unauthorized use of personal information.

CPRA Vendor Risk Management – Monitoring & Annual Audit

According to CCPA section 1798.185 (15), after vendors presenting a significant risk to consumer data safety have been identified, an annual cybersecurity audit should be implemented for these vendors.

There is no exact definition of “significant risk“. There are several factors for determining whether a business’ processing constitutes a “significant risk,” including whether the business: (1) derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information; (2) processes the personal information of an excessive number of consumers; (3) processes sensitive personal information; or (4) knowingly processes the information of consumers under 13 years of age.

Keep in mind that to conduct a successful annual audit, you need vendor monitoring in place. This could alert you to any changes to your vendors’ policies which you can include in the annual audit documentation.

How hoggo can help?

hoggo provides businesses with a comprehensive solution to manage your third-party vendor relationships, which can assist in achieving CCPA/CPRA compliance.

With hoggo you can:

  • Assess your third-party vendors’ data practices in minutes (and for free)

  • Spot high-risk vendors and find low-risk alternatives

  • Assess third parties for data security controls

  • Manage your third-party vendors’ relationships

  • Have a clear overview of your vendors, who is using them, for what purposes and what personal data they have access to

  • Perform self-assessments to understand the maturity of internal processes, as well as data owners

  • Get automated vendor monitoring and data breach notifications to understand possible risks to your customers’ data


Why Are Data Subject Requests Timeframes So Important?

Complying with the required time frame helps you avoid complaints and fines. For example, in Europe, a company that fails to comply with this requirement risks the highest fine possible under the GDPR (the General Data Protection Regulation), which is 20 million euros or 4% of its worldwide turnover. A significant fine is likely to be imposed by the regulators only if a company consistently misses the one-month response deadline and disregards the GDPR in other ways. 

In the EU, GDPR enforcement is largely based on complaints. Even if a company will not incur the highest fine for missing a deadline, regulatory investigations triggered by complaining individuals drain a company’s resources and should be avoided as much as possible. In order to prevent complaints from being filed with the data protection authorities, your company might want to make sure that it sticks to the legal deadline and keeps the individuals making requests happy.

🇪🇺 Data Subject Requests Under The GDPR

When does the one-month period begin and end?

The answer can be found in the Regulation No. 1182/71, which determines the rules applicable to time periods, dates, and time limits.

  • Although the triggering event is the day the request is made, that day is not counted: you start counting from the following day.
  • The time period to respond to an individual rights request ends at midnight of the day a month later.
  • If the day on which the time period ends does not exist in the month, the time period will end at midnight of the last day of that month.
  • The time period includes public holidays, Sundays and Saturdays.
  • If the last day of the time period falls on a public holiday, Sunday, or Saturday, the time period will end at midnight of the following working day.

Example 1: You receive an access request on June 30th. A one-month time period should be calculated from the next day, July 1, and will run until the corresponding calendar date in the next month. In this example, the time period ends on August 1 at midnight.

The shortest period that a month can last is 28 days and the shortest amount of time that a period of 3 consecutive months can last is 89 days.  Therefore, the following response times can be used as defaults to guarantee timely DSR fulfilment. It is also possible to strictly adhere to the ‘1 month/3 month’ approach, but the ‘days’ approach is often easier to implement into automated systems.
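The five counting rules and the ‘days’ shortcut above are easy to get wrong in a ticketing system, so here is an added example (not part of the original article, and not hoggo’s code) that implements them as a small deadline calculator. It assumes a Monday-to-Friday working week, takes the public holidays as a caller-supplied set (the holiday date used below is a constructed sample, not a real calendar), and also computes the shortest possible length of a one-month and a three-month period over a year, which is where the 28-day and 61-day defaults in the table come from.

```python
from datetime import date, timedelta
import calendar

# date.weekday(): Monday == 0 ... Saturday == 5, Sunday == 6 (assumed working week: Mon-Fri)
WEEKEND = (5, 6)


def add_months(d: date, months: int) -> date:
    """Corresponding calendar date `months` later.

    If that date does not exist (e.g. 31 February), the period ends on the
    last day of that month, as the third rule above requires.
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def period_end(received: date, months: int = 1) -> date:
    """End date of a `months` period, before any weekend/holiday rollover.

    The day of receipt is not counted, so counting starts the next day.
    """
    start = received + timedelta(days=1)
    return add_months(start, months)


def next_working_day(d: date, holidays=frozenset()) -> date:
    """Roll a deadline that lands on a Saturday, Sunday or holiday to the next working day."""
    while d.weekday() in WEEKEND or d in holidays:
        d += timedelta(days=1)
    return d


def gdpr_deadline(received: date, months: int = 1, holidays=frozenset()) -> date:
    """Last day (ending at midnight) on which the response is still on time."""
    return next_working_day(period_end(received, months), holidays)


def gdpr_deadline_iso(received_iso: str, months: int = 1, holidays_iso=()) -> str:
    """Same as gdpr_deadline but with ISO-8601 strings, handy for JSON-based ticketing."""
    holidays = frozenset(date.fromisoformat(h) for h in holidays_iso)
    return gdpr_deadline(date.fromisoformat(received_iso), months, holidays).isoformat()


def shortest_period_days(months: int, year: int) -> int:
    """Minimum number of days a `months` period can span, over every receipt date in `year`.

    Counted from the first counted day (the day after receipt) to the period
    end, without weekend/holiday rollover; this is the safe fixed-day default.
    """
    first = date(year, 1, 1)
    days_in_year = 366 if calendar.isleap(year) else 365
    lengths = []
    for offset in range(days_in_year):
        received = first + timedelta(days=offset)
        start = received + timedelta(days=1)
        lengths.append((period_end(received, months) - start).days)
    return min(lengths)


if __name__ == "__main__":
    # Example 1 from the article: received 30 June, deadline 1 August at midnight.
    print(gdpr_deadline_iso("2024-06-30"))
    # Non-existent date: received 30 Jan 2025 -> counting starts 31 Jan -> "31 Feb" clamps to 28 Feb.
    print(gdpr_deadline_iso("2025-01-30"))
    # Rollover: received 31 Jan 2025 -> 1 Mar 2025 is a Saturday -> Monday 3 Mar.
    print(gdpr_deadline_iso("2025-01-31"))
    # Constructed holiday on 2 June 2025 pushes a Sunday deadline (1 June) to Tuesday 3 June.
    print(gdpr_deadline_iso("2025-04-30", holidays_iso=["2025-06-02"]))
    print(shortest_period_days(1, 2023), shortest_period_days(3, 2023))
```

Feeding the function the extended three-month period (`months=3`) gives the deadline after a justified extension, and `shortest_period_days` shows why a fixed 28 days plus a 61-day extension (89 days in total) can never overshoot the calendar-month rule in a non-leap year.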

GDPR

Reply within: 28 days
Count starts: The next day from when a request was made
Extension: Additional 61 days

🇧🇷 Data Subject Requests Under The LGPD (Brazil)

The controller must respond to the data subject’s request immediately. Alternatively, the controller can:

  1. Inform the data subject that they are not the data processing agent, and indicate, wherever possible, who the data processing agent is; or
  2. State the reasons for which the measure cannot be adopted immediately based on fact or law.

The rights of confirmation of processing and access to data must be addressed by the controller immediately when in a simplified format or up to 15 days when in a clear and complete declaration (Article 19(II) of LGPD). For the other data subject rights, the ANPD must regulate the appropriate timeframe that should be observed by data controllers (Article 19 (§4º) of the LGPD).

Brazil - LGPD

Reply within: Immediately
Count starts: From the day the request was received
Extension: Up to 15 days

🇺🇸 Data Subject Requests Under The California CCPA (+CPRA) 

When a California data subject exercises the Right to Know or Delete, businesses have 45 days to disclose and deliver the information. Under the CCPA, verifying a consumer’s identity is not an excuse to extend the deadline. However, with a valid reason for extension, the deadline for Right to Know or Delete requests can be extended to allow the controller a total of 90 days to complete the requested DSR. The CCPA also requires businesses to confirm receipt of a consumer’s request and provide information about how it will process the request within 10 business days.

When a consumer exercises their right to opt out, the controller must comply within 15 days, without the possibility of extension.

CCPA

Reply within: 45 days
Count starts: From the day the request was received
Extension: Additional 45 days

Opt out requests

Reply within: 15 days
Count starts: From the day the request was received
Extension: Not possible

🇺🇸 Data Subject Requests Under The Virginia Consumer Data Protection Act (VCDPA)

The VCDPA provides that controllers must respond to requests to exercise their consumer rights within 45 days, which may be extended once for an additional 45 days, with an explanation of the reason for delay. The VCDPA also grants consumers the right to appeal a controller’s refusal of such a request through a novel “conspicuously available” appeal process to be established by the controller.

Within 60 days of receiving an appeal, a controller must inform the consumer in writing of its response to the appeal, including a written explanation of the reasons for the decision. If the controller denies the appeal, it must also provide the consumer with an “online mechanism (if available) or other method” through which the consumer can submit a complaint directly to the Attorney General.

Virginia - VCDPA

Reply within: 45 days
Count starts: From the day the request was received
Extension: Additional 45 days

Request to appeal a controller’s refusal of a data subject request

Reply within: 60 days
Count starts: From the day the request was received
Extension: Not possible

🇺🇸 Data Subject Requests Under Colorado Privacy Act (CPA)

Like the GDPR, CCPA, and VCDPA before it, under the CPA a controller must respond to a consumer rights request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business extends that deadline, it must notify the consumers within the initial 45-day response period with an explanation for the extension.

Like the VCDPA, the CPA also provides consumers the right to appeal a business’ denial to take action within a reasonable time period.  Unlike the VCDPA, the CPA provides controllers with a 45-day window to respond to the appeal and also allows for a 60-day extension to respond to the appeal when reasonably necessary.

Colorado - CPA

Reply within: 45 days
Count starts: From the day the request was received
Extension: Additional 45 days

Request to appeal a controller’s refusal of a data subject request

Reply within: 60 days
Count starts: From the day the request was received
Extension: Not possible

🇺🇸 Data Subject Requests Under The Utah Consumer Privacy Act (UCPA)

Like other privacy acts, the Utah privacy law gives consumers a number of rights related to their personal data, including the right to:  

  • Access and delete personal data. 
  • Opt out of the collection and use of personal data for certain purposes. 
  • Obtain a copy of their personal data in a format that is feasible, practicable, readily usable, and portable. 

According to the UCPA, within 45 days after the day a request is received, controllers must take action on the consumer’s request and inform the consumer of any action taken on it.

The controller may extend by an additional 45 days if:

  • Reasonably necessary due to the complexity of the request or the volume of the requests received by the controller
  • The controller has informed the requestor about the extension within the original 45 days time frame, including the length of the extension and the reason.

Utah - UCPA

Reply within | Count starts | Extension
45 days | From the day the request is received | Additional 45 days

🇺🇸 Data Subject Requests Under Texas Data Privacy and Security Act (TDPSA)

The TDPSA requires covered businesses to establish two or more secure and accessible methods (through the website or by email in specified circumstances) for consumers to submit authenticated requests to exercise their rights with respect to their personal data.

Responses to consumer requests are due within 45 days of receipt, subject to a 45-day extension, when reasonably necessary. Controllers must provide information in response to a consumer’s request “at least twice annually per consumer” and free of charge, unless the request is “manifestly unfounded, excessive, or repetitive.”

Texas - TDPSA

Reply within | Count starts | Extension
45 days | From the day the request is received | Additional 45 days

🇺🇸 Data Subject Requests Under Montana Consumer Data Privacy Act (MTCDPA)

Consumers have the option to exercise their rights by submitting requests through any of the methods outlined in the privacy policy. You are obligated to respond within 45 days. For more complex requests, this timeframe may be extended by an additional 45 days.

If a controller denies a request, the consumer retains the right to appeal the decision, and the controller must provide guidance on how to proceed with the appeal process. The controller is given a timeframe of 60 days to respond to such appeals.

Montana - MTCDPA

Reply within | Count starts | Extension
45 days | From the day the request is received | Additional 45 days

🇬🇧 Data Subject Requests Under The UK GDPR

What is a calendar month?

According to the ICO, a calendar month starts on the day the organisation receives the request, even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month. 

Example

The request was received on 3 September. The time limit begins on the same day, so the organisation has until 3 October to respond. Calendar months end on the next working day if the end date falls on a Saturday, Sunday, or bank holiday.

UK GDPR

Reply within | Count starts | Extension
One calendar month | From the day the request is received | Up to two further months for complex or numerous requests
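The calendar-month rule above is easy to get wrong in a request-tracking system, so here is an added example (not code from the page or from the ICO) that implements it in Python. It assumes the caller supplies the bank-holiday list, and it also covers one case the page does not mention: when the following month is shorter and has no corresponding date (a request received on 31 January), the ICO's guidance is that the deadline is the last day of that month. That short-month rule, and the three-month total for a request the controller has extended by the UK GDPR's two further months, are assumptions of this example rather than statements on the page.

```python
"""Deadline calculator for a UK GDPR data subject access request.

Added example, not code from the original page. Implements the ICO
calendar-month rule: the clock starts on the day of receipt, the
deadline is the corresponding date in the next month, and a deadline
that lands on a Saturday, Sunday or bank holiday moves to the next
working day. Bank holidays are supplied by the caller.
"""
import calendar
from datetime import date, timedelta


def add_calendar_months(start, months):
    """Return the corresponding calendar date `months` months after `start`.

    Assumption (ICO guidance, not stated on the page): if the corresponding
    date does not exist because the target month is shorter, use the last
    day of that month (31 January -> 28/29 February).
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d, bank_holidays):
    """Roll `d` forward while it falls on a weekend or a bank holiday."""
    while d.weekday() >= 5 or d in bank_holidays:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def uk_dsar_deadline(received, bank_holidays=frozenset(), extended=False):
    """One calendar month from the day of receipt, or three months in total
    if the controller has invoked the extension of up to two further months
    for complex or numerous requests (assumption: the extension is counted
    as calendar months from the original receipt date)."""
    months = 3 if extended else 1
    deadline = add_calendar_months(received, months)
    return next_working_day(deadline, frozenset(bank_holidays))


def deadline_iso(received_iso, bank_holidays_iso=(), extended=False):
    """String wrapper for scripts and tests: ISO dates in, ISO date out."""
    received = date.fromisoformat(received_iso)
    holidays = frozenset(date.fromisoformat(h) for h in bank_holidays_iso)
    return uk_dsar_deadline(received, holidays, extended).isoformat()


# Constructed bank-holiday list for the demonstration (Christmas Day and
# Boxing Day 2024); a real system would load the official published list.
SAMPLE_BANK_HOLIDAYS = ("2024-12-25", "2024-12-26")

if __name__ == "__main__":
    for received in ("2024-09-03", "2024-09-12", "2024-11-25", "2025-01-31"):
        print(received, "->", deadline_iso(received, SAMPLE_BANK_HOLIDAYS))
    print("2024-09-03 (extended) ->", deadline_iso("2024-09-03", extended=True))
```

The page's own example (received 3 September, due 3 October) is the first case; the second shows a deadline rolling over a weekend, the third over a bank holiday, and the fourth the short-month rule. A tracker should store the computed date alongside the receipt date and the bank-holiday list it used, so the deadline can be audited later.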

Penalties For Noncompliance With Data Subject Requests Response Times

Failing to meet DSR response deadlines can be costly. Under the GDPR, infringements of data subject rights fall in the upper fine tier: up to €20 million or 4% of annual global turnover, whichever is higher. Under the CCPA, civil penalties are up to $2,500 per violation and up to $7,500 per intentional violation.

GDPR enforcement is clearly increasing. The largest fine to date, €1.2 billion, was issued in May 2023, large fines continued through 2024, and 2025 may bring even bigger ones. Early landmark cases were much smaller: Google was fined €50 million by the French data protection authority (CNIL) in 2019 for failing to provide transparency and valid consent, and H&M was fined €35 million by the Hamburg data protection authority in 2020 for unlawfully monitoring its employees. Those fines were for violations of core GDPR principles around data protection and privacy. Here, we look at the much bigger fines.

Company | Fine | Date
Meta | €1.2 billion | May 2023
Amazon | €746 million | July 2021
Instagram | €405 million | September 2022
Meta Platforms | €390 million | January 2023
TikTok | €345 million | September 2023
LinkedIn | €310 million | October 2024
Uber Technologies Inc., Uber B.V. | €290 million | July 2024
Meta Platforms | €265 million | November 2022
Meta Platforms | €251 million | December 2024
WhatsApp | €225 million | September 2021
Meta Platforms | €91 million | September 2024
Google LLC | €90 million | December 2021

Biggest GDPR Fine

Meta Platforms Ireland Limited – €1.2 billion GDPR Fine

Date: May 2023
Issued by: Irish Data Protection Commission (DPC)

Meta, Facebook’s parent company, now holds the largest GDPR fine in history.

Meta was fined €1.2 billion by the Irish supervisory authority on May 22, 2023, for transferring Facebook data collected from EU/EEA users to the US in violation of GDPR international transfer guidelines.

According to the regulators, Meta failed to bring its transfers into line with the Court of Justice of the EU's 2020 Schrems II judgment, which invalidated the EU-US Privacy Shield framework.

Aside from the massive fine, Meta now has five months to comply with the corrections. Meta said it plans to appeal the decision, which likely will lead to a lengthy legal battle.

Biggest GDPR Fines – 2nd Place

Amazon – €746 Million GDPR Fine

Date:July 2021
Issued by: Luxembourg’s data protection authority (CNPD)

Amazon’s Luxembourg EU headquarters was hit with what was then the largest GDPR fine ever.

The fine is based on the claim that Amazon did not obtain valid consent for its personalised advertising and thereby violated the provisions of the GDPR (General Data Protection Regulation). 

Biggest GDPR Fine – 3rd Place

Meta Platforms (Instagram) – €405 million GDPR Fine

Date: September 2022
Issued by: Irish Data Protection Commission (DPC)

In 2022, Ireland’s data protection authority fined the social media platform Instagram (Meta) for wrongfully processing children’s personal data.

Instagram violated the GDPR by making children's accounts public by default and by publishing the email addresses and phone numbers of child users with business accounts.

Meta Platforms Ireland Limited (Facebook & Instagram) – €390 million GDPR Fine

Date: January 2023
Issued by: Irish Data Protection Commission (DPC)

The Data Protection Commission of Ireland fined Facebook and Instagram for relying on the user contract (Article 6(1)(b) GDPR) as the legal basis for most of their data processing, including behavioural advertising, a basis the DPC found they could not rely on.

Facebook was fined €210 million, and Instagram was fined €180 million.

TikTok GDPR fine- €345 million GDPR Fine

Date: September 2023
Issued by: Irish Data Protection Commission (DPC)

In connection with its handling of children’s accounts, TikTok has been fined €345 million for violating GDPR.

The Irish Data Protection Commission (DPC) investigated TikTok's processing of children's data over the period 31 July to 31 December 2020 and concluded the investigation in September 2023.

In the course of its investigation, the DPC examined a number of aspects, including platform settings, age verification, and communication with children. The DPC’s decision uncovered multiple GDPR breaches related to data processing, transparency, and fairness.

For these violations the DPC imposed an administrative fine of €345 million, issued a reprimand, and ordered TikTok to bring its processing into compliance within three months.

LinkedIn GDPR fine- €310 million GDPR Fine

Date: October 2024
Issued by: Irish Data Protection Commission (DPC)

LinkedIn Ireland has been hit with a massive €310 million fine by the Irish Data Protection Commission (DPC) in October 2024 for mishandling user data. The investigation, sparked by a French complaint, found that LinkedIn illegally processed personal data for targeted advertising and behavioral analysis. The DPC determined LinkedIn failed to obtain proper user consent, didn’t have legitimate business interests that outweighed user privacy rights, and couldn’t justify the data processing as necessary for contracts. The commission also found LinkedIn wasn’t transparent enough about how it was using people’s data. Along with the fine, LinkedIn received a reprimand and must change its data processing practices to comply with GDPR regulations.

Uber GDPR fine- €290 million GDPR Fine

Date: August 2024
Issued by: Dutch DPA

In August 2024, the Dutch Data Protection Authority (DPA) slapped Uber with a €290 million fine for improperly transferring European taxi drivers’ personal data to its US servers. The issue came to light after 170 French drivers complained through a human rights group. According to the DPA, Uber failed to provide adequate protection for sensitive information including drivers’ licenses, location data, photos, payment details, and even criminal and medical records. The violation lasted over two years, during which Uber operated without proper data transfer tools after the EU-US Privacy Shield was invalidated in 2020. This marks Uber’s third fine from the Dutch DPA, following previous penalties of €600,000 in 2018 and €10 million in 2023. Uber has stated it plans to challenge the latest fine.

Meta Platforms Ireland Limited – €265 million GDPR Fine

Date: November 2022
Issued by: Irish Data Protection Commission (DPC)

A fine of €265 million was imposed on Meta by the Irish Data Protection Commission on November 25, 2022. The DPC had opened its inquiry in 2021 following media reports that a dataset containing the personal data of Facebook users had been made available online.

Up to 533 million users had their personal data (phone numbers and email addresses) disclosed without their permission.

A DPA review and analysis of Facebook Search, Messenger Contact Importer, and Instagram Contact Importer was conducted. They found a breach of Art. 25 GDPR when assessing the implementation of organizational and technical measures aimed at protecting personal data.

Meta Platforms Ireland Limited – €251 million GDPR Fine

Date: December 2024
Issued by: Irish Data Protection Commission (DPC)

Meta (Facebook’s parent company) has been fined €251 million by the Irish Data Protection Commission in December 2024 for a massive data breach that occurred in 2018. The breach affected 29 million Facebook accounts globally, including 3 million in the EU/EEA, exposing sensitive user data like names, emails, phone numbers, religious beliefs, and even children’s personal data. The breach happened when unauthorized parties exploited user tokens on Facebook. The fine breaks down into two main decisions: €11 million for failing to properly report and document the breach, and €240 million for not having adequate data protection measures built into their systems. The commission emphasized how serious this breach was, given that Facebook profiles often contain sensitive personal information that users only want to share selectively.

WhatsApp – €225 million GDPR Fine

Date: September 2021
Issued by: Irish Data Protection Commission (DPC)

Following a three-year investigation, the Data Protection Commission (DPC) of Ireland issued a decision on 2 September 2021 fining WhatsApp Ireland, the Facebook-owned instant messaging and voice-over-IP service, €225 million (about $267 million) for violating the GDPR.

The binding decision was issued after the European Data Protection Board (EDPB) intervened and instructed the DPC (lead supervisory authority for WhatsApp Ireland Ltd.) to reevaluate the originally proposed fine regarding infringements of transparency in the calculation of the fine as well as the timeframe for WhatsApp to comply.

Meta Platforms Ireland Limited – €91 million GDPR Fine

Date: September 2024
Issued by: Irish Data Protection Commission (DPC)

Meta Ireland was fined €91 million by the Irish Data Protection Commission in September 2024 for storing some user passwords in plaintext on its internal systems, rather than as salted password hashes. The investigation, which began in April 2019, found that Meta violated multiple GDPR provisions by failing to apply appropriate security measures to the passwords, by not notifying the DPC of the breach, and by not documenting the breach properly. The decision included both the fine and a formal reprimand, highlighting significant security failings in Meta's password storage practices.

Google LLC – €90 million GDPR Fine

Date: December 2021
Issued by: French Data Protection Authority (CNIL)

Google LLC was fined €90 million by CNIL for not allowing users to decline cookies as easily as they could accept them in France as of December 31, 2021.

Making refusal mechanisms more complex than they should be discourages users from refusing cookies and benefits companies whose main revenue streams are advertising and targeting.

By the end of three months, the CNIL ordered the companies to provide their users in France with the same simple method for refusing cookies as they currently have for accepting them, or face a fine of €100.000 euros per day the companies fail to comply.

Cookies are governed by the ePrivacy rules (in France, Article 82 of the Data Protection Act) rather than by the GDPR directly, but the GDPR's definition of valid consent is what the ePrivacy rules point to, which is why this decision is usually listed alongside GDPR fines.
