The General Data Protection Regulation (GDPR), enacted by the European Union, is the most comprehensive privacy law in the world. The GDPR became enforceable on May 25th, 2018. The regulation applies to the collection of data from people located in the European Economic Area (EEA), which covers not only the 28 European Union member states but also the EFTA States of Iceland, Liechtenstein and Norway, regardless of nationality or citizenship.


GDPR updated existing data protection laws from the 1990s to regulate the exorbitant amount of data being collected through existing technology. The changes to data protection and privacy laws will change the way companies operate, collect data, design their websites, market to and communicate with their customers.

The definition of "data" has expanded to include not just personal data such as name, e-mail address and phone number, and sensitive data like health, religious, political and philosophical beliefs, etc., but also location and pseudonymized data such as IP addresses, cookies, telemetry, MAC addresses, mobile device IDs and RFID tags. As a result, your website is likely to collect data from people located within the EU that would require your compliance with the GDPR to avoid a fine, which may be up to 20 million Euros or 4 percent of annual global turnover, whichever is higher.


  1. Be Informed: Article 13 and Article 14 lay out what information Users are entitled to, depending on whether the data was collected from the User or an alternative source.
  2. Access: The User has the right to know who is collecting data, what data is being collected, the purpose for processing data, who the data will be shared with, whether there will be an international transfer of data, and the length of time the data will be stored or, if that is not discernible, the criteria for determining the duration (such as that data will be stored until you delete your account). The Controller must notify the User of their right to amend, restrict or erase data processing, as well as their right to file a complaint with a supervisory authority. The User has the right to request and receive one free copy of all their data being processed. An administrative fee may be charged for additional copies requested by the User. If the request is made electronically, or unless otherwise requested, the Controller's records of processing may be made available electronically.
  3. Rectification (Accuracy): The right to restrict processing where data is inaccurate and to amend and update incomplete or inaccurate information.
  4. Erasure (Right to be forgotten): The subject has the right to withdraw consent and ask for personal data to be “erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her…” (paragraph 65 of the preamble)
  5. Right to Restriction of Processing: The User has the right to restrict the processing of their data where it is inaccurate or unlawful, where they have objected to the processing and are awaiting a decision regarding the Controller's basis of processing, or where the Controller is merely maintaining data for legal compliance or for the establishment, exercise, or defense of legal claims.
  6. Notification Obligation: The Controller must communicate any amendment, erasure or restriction of User information to those to whom it provided the User's data, such as third-party processors, payment processors and CRMs, and must provide this information to the User, if requested.
  7. Data Portability: The User has the right to request and receive their personal data from a controller in a format which allows it to be easily transferred to another data controller.
  8. Right to Object: The User has the right to object to profiling or automated decision making, and to the processing of data for direct marketing or for scientific or historical research purposes.
  9. Automated Decision-Making: The default is that controllers are not allowed to make automated decisions or profile users unless their processing falls under one of the exceptions outlined in Article 22 of the GDPR.


  • Business Registration - S-Corp, C-Corp, LLC
  • DBA - Doing Business As, register an alternate business name.
  • EIN - Corporate tax identification number necessary to open a corporate bank account.
  • Registered Agent Services
  • Foreign Corporations


Business registration attorneys and startup lawyers assist businesses in selecting and registering their business entity. Check out our answers to your frequently asked questions below or contact Kinney Firm to see how we can assist you in launching your business.