General Data Protection Regulation

On 25th May 2018 the General Data Protection Regulation (GDPR) becomes law. The GDPR legislation is designed to enhance the control for people in the EU over their data and align across EU  on data processing. The legislation applies to all businesses that handle personal data of individuals in the EU. Pepo Campaigns has intensely worked to be compliant with the regulation by 25th May 2018.

The Pepo Campaigns projects undertaken to be compliant with GDPR

Work closely with a team of GDPR lawyers for a full GDPR assessment of Pepo Campaigns.

Educate the management and all Pepo Campaigns employees on GDPR.

Update Pepo Campaigns Privacy Policy to clearly explain the role of both processor and controller.

Identify and implement features and changes to the Pepo Campaigns software to help achieve compliance.

Review Pepo Campaigns internal processes and procedures required to achieve and maintain compliance with GDPR.

The specific tasks related to GDPR Articles

With regard to data, in compliance with GDPR Article 30 – Records of processing activities:

Pepo Campaigns maintains a list of all types of personal information it holds, the source of that information, who it shares it with, what it does with it and how long it will keep it. Pepo Campaigns, maintains a list of places where it keeps personal information and the way in which  data flows between them. Pepo Campaigns maintains a publicly accessible privacy policy that outlines all processes related to personal data.

With regard to accountability and management, in compliance with GDPR Article 37 – For any question related to accountability and management please contact us at to the attention of the Data Protection Officer.

In compliance with GDPR Article 25 – Data protection by design and by default, Pepo Campaigns has created awareness among decision makers about GDPR guidelines, it has made sure that technical security is up to date, and it has trained staff to be aware of data protection.

In compliance with GDPR Article 28 – Processor, Pepo Campaigns has a list of sub-processors and our privacy policy mentions our use of this sub-processor.

In compliance with GDPR Article 33 – Notification of a personal data breach to the supervisory authority and with GDPR Article 34 – Communication of a personal data breach to the data subject, Pepo Campaigns will be reporting data breaches involving personal data to the local authority and to the people (data subjects) involved.

With regard to new rights, in compliance with GDPR Article 15 – Right of access by the data subject, Pepo Campaigns customers can easily request access to their personal information.

In compliance with GDPR Article 16 – Right to rectification, Pepo Campaigns customers can easily update their own personal information to keep it accurate.

In compliance with GDPR Article 5 – Principles relating to processing of personal data, Pepo Campaigns automatically delete data that no longer has any use for.

In compliance with GDPR Article 17 – Right to erasure (‘right to be forgotten’), Pepo Campaigns customers can easily request deletion of their personal data.

In compliance with GDPR Article 18 – Right to restriction of processing, Pepo Campaigns customers can easily request their data to longer be processed.

In compliance with GDPR Article 20 – Right to data portability, Pepo Campaigns customers can easily request their data to be delivered to themselves or a 3rd party.

GDPR Effect on Pepo Campaigns Customers

Businesses can send emails only to users who have opted in to receive communications. Consent must be freely given, it must be distinguishable from other matters and be provided in an easily accessible form, using clear and plain language. It needs to be easy to withdraw consent and that is why Pepo Campaigns enforces businesses to have an unsubscribe link in all emails.

GDPR covers all businesses, irrespective of location. GDPR applies to all companies processing the personal data of data subjects in the European Union, regardless of the business location.

In the case of a breach businesses need to notify customers if the breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.

Customers, employees or other data subjects have the right to request and access how their personal data is being processed and for what purpose.

The data subject has now the right to have the controller of the data to erase their personal data. This only needs to be done under certain conditions outlined in article 17 of the GDPR. As a controller businesses using Pepo Campaigns should not be holding personal data for any longer than necessary.

If a business is found to have breached the regulation the fine can be up to 4% of annual global turnover or €20 million (whichever is greater). The fines apply to both controllers and processors and will be issued for serious breaches.

If you have any questions or doubt about GDPR, Pepo Campaigns advises to take legal advice where required.


Updated on May 24, 2018

Related Articles