Acquire knowledge and skills to know the personal data protection system, in the most relevant aspects. The treatment and procedures that should be given to such data; the rights and obligations of the holder and the person responsible for them and the penalty system in case of non-compliance.

In the same way, matters as relevant to companies as Intellectual Property and Brand Registration are treated

• The GDPR applies to:

• A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or

• A company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

• If your company is a small and medium-sized enterprise ('SME') that processes personal data as described above you have to comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn't create risks for individuals, then some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer ('DPO')). Note that ‘core activities’ should include activities where the processing of data forms an inextricable part of the controller’s or processor’s activities.

• When the regulation applies, when does not apply

• YES. Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrolment form.

• NO. Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

• The application of the data protection regulation depends not on the size of your company/organisation but on the nature of your activities. Activities that present high risks for the individuals’ rights and freedoms, whether they are carried out by an SME or by a large corporation, trigger the application of more stringent rules. However, some of the obligations of the GDPR may not apply to all SMEs.

• For instance, companies with fewer than 250 employees don’t need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.

• Similarly, SMEs will only have to appoint a Data Protection Officer if processing is their main business and it poses specific threats to the individuals’ rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records) in particular because it’s done on a large scale.

• The rules only apply to personal data about individuals, they don’t govern data about companies or any other legal entities. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. The rules also apply to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organisation, business email addresses like ‘[email protected]’ or employees’ business telephone numbers.