thelegalstop - Profile


Forum title: Forum Member
Joined: Feb 2013
Latest activity: 2nd Jun 2018 11:35pm

Recent Posts
Flower Crown Workshop 30th May 2018 10:43 PM

Have you thought about using videos to advertise? Your content is quite visual so a vlog, how-to tutorials or a narrative video could be very good for that purpose. Facebook is also good if you want to target your videos to very specific audiences

A very happy day indeed, excellent celebration and good coverage of the event in the international news outlets!

Re-write Terms Conditions 29th April 2018 11:41 PM

Always happy to do that, Andy! Fixed fee for all your docs to be GDPR compliant.

LOAN SHARKS 11th April 2018 11:18 PM

Thanks a lot for the post! We need to look out for these things and beware!

What is GDPR? What do you need to know about it? Here's a comprehensive legal guide for you. Any questions, post below!

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) aims to standardise and simplify data protection protocols across EU member states. It covers all individuals within the European Union (EU) and regulates the export of the personal data outside the EU.

GDPR comes into effect on 25 May 2018, and it will cover all individuals within the European Union (EU). The General Data Protection Regulation will govern all companies operating within the EU and all foreign companies processing the data of the EU residents.

The Regulation is estimated to cost up to four percent of the digital business turnover worldwide: this being the cost of implementation and penalties to non-compliant businesses.

Scope of the document

GDPR introduces three definitions of parties dealing with personal data. Data Controller shall be a person or an organisation that collects data from the EU residents. Whenever an organisation merely processes data on behalf of the data controller, e.g. for the purpose of algorithmic analysis or cloud storage, it shall be called a Data Processor. The Data Subject shall be a person who is based in the EU and provides the data.

Personal data shall be any information relating to the Data Subject, in their private, public and professional life. Therefore, the Regulation covers a whole spectrum of information, from official data such as name, home address and national insurance number, through to posts on social media or IP address visit logs.

Supervisory Authority

Each member state shall establish an independent Supervisory Authority (SA) which will be tasked with receiving and investigating complaints, issuing fines and administrative sanctions. Each Data Controller or Processor will have their lead SA in the member state of their main establishment. That lead SA will be managing all affairs relating to the Data Controller or Processor and will supervise all activities across the EU.

The GDPR also creates the Data Protection Officers. They shall be tasked with ensuring that organisations are compliant with the General Data Protection Regulation. A Data Protection Officer will be appointed for all public authorities and all businesses whose core activities consist of data processing operations or large-scale data handling. The Data Protection Officer will have a sound knowledge of data protection law, IT proficiency and data security expertise. The Officer will assist the business with GDPR compliance, deal with cybercrime attacks and ensure business service continuity in respect of personal data processing and protection.

Citizens' rights

According to the General Data Protection Regulation, all Data Subjects will have a fundamental right to be informed about their data processing, including the purposes of data collection, retention time, and contact information to the Data Controller and Data Protection Officer.

Even when the above decisions are made by an algorithm, not a physical person, all Data Subjects will have the right to question and appeal all significant decisions that are made on the basis of this algorithmic processing.

The Data Controller will have an obligation to explain exactly what the personal data will be used for and be held liable for all decisions made. This may prove particularly difficult in the cases of deep learning or artificial intelligence, where the exact inside-the-box processing of the algorithm may be less clear.

Data Subjects will also have the Right of Access, which will enable them to access any data held by the Data Controller and to be informed about how this data is acquired, processed, and shared. Furthermore, the Right to Erasure will give Data Subjects a right to have all their personal data removed (similar to the Right to be Forgotten).

Whilst anonymised and encrypted data is excluded, whenever data could be linked back to the individual, Data Subjects will also have a right to request a transfer of the data to another Data Controller. This data portability rule will not be hindered or obstructed by the Data Controller.

Data Controller’s obligations

Businesses will have to demonstrate that they are GDPR compliant. They must implement robust security and privacy policies, and personal data collected should be anonymised or at least pseudo-anonymised at the earliest opportunity during the data collection.

It is important to note that under GDPR, the Data Controller assumes responsibility and liability for the compliance of the data processing activities. Thus, even if the processing is outsourced to the Data Processor, the commissioning Data Controller is still fully liable.

The Data Controller is also obliged to notify the SA about any data breach within 72 hours of becoming aware of the event. The Data Subject will also be notified if there is any adverse impact anticipated as a result of the breach. If the data was properly anonymised, however, the notification would not be feasible and thus is not necessary.

Ensuring lawful basis for data processing

For the Data Processor to lawfully accept and process personal data, the Data Subject must give an informed consent to the exact activities the data shall be processed for, for the exact given time and exact given purpose. The data must not be used for just any purpose or left without a given purpose on the Data Processor’s servers. The processing of the data must be necessary for the performance of a contractual relationship between the Data Processor and the Data Subject.

Other purposes outlined by the GDPR include compliance with a legal order or obligation, protecting the vital interests of the Data Subject or another person, and fulfilling a request from a relevant authority in the public interest.

There are a number of fines and sanctions that could be imposed under GDPR. The SA can issue a warning in writing, especially if the non-compliance is unintentional and has not been committed before. There could be regular audits of compliance and financial fines of up to 20m EUR or 4% of the annual worldwide turnover for an infringement of the basic rights and principles of the GDPR.

Final note

Whilst GDPR remains a hugely controversial regulation, businesses must ensure that by 25th of May 2018 they have the right infrastructure in place to be fully compliant. For more information about GDPR and how to ensure compliance please get in touch by writing to, our Data Protection Officer will be happy to help.

Welcome aboard! And yes, do tell us about your exciting designs!

Holiday entitlement miscalculation 8th October 2017 1:10 PM

I think you should be looking into the employment contract and the employment policies of your company. They usually outline the holiday entitlement and the overpayment procedures. If you're going to talk to the employee, you may be able to solve the issue by discussing it and offering different solutions.

I would, however, strongly recommend reading up on your current policies to see which ways out of the problem are at the table currently.

Let us know if you have any further questions!

I think that the new technology of advertising is going to make more of these old media obsolete. We should embrace the future and stay afloat by using the benefits of new ways to contact our customers and tailor our services to their needs.

I wrote the entire article on how to keep thinking global after Brexit! I think we should keep up the good attitude and carry on with our good work!

I would definitely go for https. It gives your customers extra confidence, secures the information that is processed by the website, and, quite frankly, is a must if you sell online!