Lately, we have been receiving a number of questions regarding GDPR and how it affects outsourcing relations. We made a compilation of the most frequently asked questions about the new regulation.
What is GDPR?
GDPR replaces the 1995 Data Protection Directive, which has until now set the minimum requirements for processing data within the European Union (EU). GDPR will substantially enhance some rights, such as monitoring or deleting the personal data that a company holds. If your business is not GDPR compliant, you can be fined up to €20M (£17.5M/$23.5M) or 4% of worldwide turnover (whichever is higher).
What does it mean for you as a company?
GDPR affects every company. It does not matter whether you are a small business or a multinational company. Naturally, the biggest impact will be in the business sector which relies on acquiring and exploiting consumer data at scale. If you, as a company, rely on consent to process data, that consent now has to be explicit and informed – and renewed if the use changes.
What is the difference between B2B and B2C, regarding GDPR?
Do you need a Data Protection Officer (DPO)?
A DPO has to be employed based on two criteria: company size and the risk involved in processing data. Companies with at least 250 employees must employ a DPO. In addition, you have to hire a DPO when you work with sensitive data, such as information about people’s health, race, religion or political preferences. Among the responsibilities of a DPO is educating the company’s employees on conducting regular security audits. The DPO is also a bridge between the company and Supervisory Authorities for discussing issues related to data. You can find more information on DPO responsibilities in Article 39.
What happens after Brexit?
The GDPR Implementation Bill will be effective as part of UK regulation, by way of the Data Protection Bill that has been working its way through Parliament since September 2017. The government has committed to keeping the bill even after Brexit because it considers it an important protective measure for its citizens. In principle, future authorities may want to change the legislation again, but even then, any British employer that wants to do business with European citizens would have to observe the law.
Is it relevant only for the EU?
Even though GDPR comes from the EU, you have to comply with the rules if you process data of EU citizens, regardless of where your business is based. Moreover, many businesses prefer to apply the terms globally. For example, Apple’s privacy measures are global, as are Facebook’s. Facebook, however, does not promise to apply the whole GDPR globally, noting the conflict with privacy guidelines in different jurisdictions.
What if my outsourcing partner is based in a non-EU country, e.g. India?
If you are based in, for example, the Netherlands and your outsourcing partner is based in a non-EU country, such as Ukraine or India, you have to be careful. If your partner processes data in an illegal way, you are responsible. This means that you have to ensure that your offshore partner is fully GDPR compliant. If your partner is not in compliance with GDPR, there is a risk that you could be fined.
Why is it better to have an outsourcing partner from the EU?
Based on the information provided above, we at Eastsource recommend finding and cooperating with an EU-based outsourcing partner. This simple fact ensures that your potential partner is in compliance with GDPR, and all rules apply equally to both parties. Thus, both you and the development service provider face fewer risks. Working with somebody who is from Ukraine or India, for example, would potentially result in insecurity.
Here are the most important definitions from Article 4 of the GDPR.
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Author: Ronald Klacman