You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.
Home > Client Management > GDPR Introduction
GDPR Introduction
print icon


This article is relevant to all EU clients of Hapana 


The EU law states all company's have to work with accordance to the GDPR privacy act.

GDPR stands for “*General Data Protection Regulation*”

“The “Regulation” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 06 April 2016. The Regulation replaces the Data Protection Directive 95/46/EC and is designed to harmonise data privacy laws across Europe for the protection of individuals with regard to the processing of personal data and the free movement of such data. Where appropriate, terms used in this statement shall have meanings ascribed to them in the Regulation.

In the event that either party (the “Receiving Party”), its agents, contractors or employees are permitted access to personal data held by the other party for any reason or are supplied with or otherwise provided personal data by the other party for any purpose, the Receiving Party, its agents, contractors or employees shall: :info: use and/or hold such personal data only for the purposes and in the manner directed by the other party and shall not otherwise modify, amend or alter the contents of such personal data unless specifically authorized in writing by the other party and shall take all such steps as may be necessary to safeguard such personal data; (ii) comply in all respects with the Regulation as well as local applicable law and shall not do or permit anything to be done which might jeopardize or contravene the terms of the other party’s notification under the Regulation or local applicable law; (iii) indemnify the other party against all liability, damages, costs, claims and expense which it may incur by reason of any default under this clause or any breach of the Regulation or local applicable law attributable to or caused, directly or indirectly, by Receiving Party, its employees, agents or contractors, including without limitation, the failure to prevent disclosure thereof in contravention of the Regulation or local applicable law.”


To sum up the idea of the regulation, it claims that companies that handle data are responsible for keeping it safe.

Data Controller:

A natural person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. The data controller controls the methods used for the collection and use of personal data and determines the purposes for which personal data is processed. 

Being a data controller comes with serious legal responsibilities.

(Click here for more info from the official GDPR rule and regulations website.)

Data Processor:

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

This is a person or company who holds or processes personal data at the direction of and on behalf of the data controller. Examples of data processors include third-party vendors such as payroll companies or accountants.


So how do we at Hapana deal with the GDPR requirements?

As Hapana is a B2B service provider and the GDPR requirements apply to you as our client, as well as your clients, It is our goal to provide you with all the tools to be in compliance with the GDPR and other data privacy standards.


In Article 17, the GDPR outlines the specific circumstances under which the right to be forgotten applies. An individual has the right to have their personal data erased if:

  • Personal data is no longer necessary for the purpose an organization originally collected or processed it. 

  • An organization is relying on an individual’s consent as the lawful basis for processing the data and that individual withdraws their consent.

  • An organization is relying on legitimate interests as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing.

  • An organization is processing personal data for direct marketing purposes and the individual objects to this processing.

  • An organization processed an individual’s personal data unlawfully.

  • An organization must erase personal data in order to comply with a legal ruling or obligation.

  • An organization has processed a child’s personal data to offer their information society services.

However, an organization’s right to process someone’s data might override their right to be forgotten. Here are the reasons cited in the GDPR that trump the right to erase data:

  • The data is being used to exercise the right of freedom of expression and information.

  • The data is being used to comply with a legal ruling or obligationGDPR compliance | :~:text=processing is necessary for the purposes of the legitimate interests pu...

  • The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority.

  • The data being processed is necessary for public health purposes and serves in the public interest.

  • The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.

  • The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress towards the achievement that was the goal of the processing.

  • The data is being used for the establishment of a legal defense or in the exercise of other legal claims.

0 out of 0 found this helpful

scroll to top icon