What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR), enforced starting May 25th, 2018, creates consistent data protection rules across Europe. It applies to organizations that are based in the EU and to global organizations that process personal data regarding individuals in the EU.

While many of the principles resemble prior EU data protection regulations, the GDPR has a wider scope, more descriptive standards, and substantial fines.

What is Labforward’s position on the GDPR?

Data protection is built into Labforward products and company culture. We comply with current EU data protection law and have completed GDPR compliance preparations. Labforward is committed to keeping its Privacy Policy, which explains how we process people’s personal data, up to date and continuously accessible to all. We will also continue to allow users to control how their data is used.

Key Legal Bases

Under the GDPR, there are a number of grounds to legitimize the processing of personal data. Below, we’ve outlined the most relevant legal bases under the GDPR.

Contractual Necessity

  • Data processed must be necessary for the Service and defined in the contract with the individual

Consent

  • Requires a freely given, specific, informed and unambiguous consent by clear affirmative action
  • Users have a right to withdraw consent, which must be brought to their attention
  • Must be from a person over the age of consent specified in that Member State, otherwise given by or authorized by a parent / guardian
  • Explicit consent is required for some processing (e.g., special categories of personal data)

Legitimate Interests

  • If a business or a third party has legitimate interests which are not overridden by individuals’ rights or interests
  • Processing must be paused if objection is raised by an individual

Data Controller

You are the data controller when you decide the ‘purposes’ and ‘means’ of any processing of personal data.

  • Similar to what is already in place for data protection law today, data controllers must adopt compliance measures that cover how data is collected, what it is used for and how long it is retained, and must ensure people have a right to access the data held about them.

Data Processor

You are the data processor when you process personal data on behalf of a data controller. Certain obligations now apply directly to data processors, and controllers must bind them to certain contractual commitments to ensure data is processed safely and legally.

When Labforward is processing data as a data processor acting on your behalf, your organization must have its own legal basis to process and share the data with us.

Services as data processor

Where Labforward provides services to our EU partners as a data processor on their behalf, we will ensure that we comply with the specific requirements for data processors. This means that, as needed, we will refresh any necessary contractual obligations to align with the GDPR.

Where we appoint parties to act as data processor on our behalf, we will also ensure that we have appropriate terms in place to comply with our requirements under GDPR and safeguard our data.

Where we act as a data processor on an organization’s behalf, we will be relying on our customer’s legal basis as data controller for our processing of such data.