The “General Data Protection Regulation” (“GDPR”) is a set of rules approved by the European Parliament relating to the protection of privacy of data pertaining to (i) citizens of, and individuals residing in, the EU; and (ii) data collected during the course of marketing goods and services in the EU.
The GDPR replaces the previous directives of the European Parliament in this regard.
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. It also covers the monitoring of behaviour that originated within the EU.
It would thus cover any organisation that is provided with data collected in the EU for the purpose of processing it.
CONTROLLER means the entity which exercises control over the processing of personal data, i.e. the entity that determines the purpose for which the personal data is processed and/or the means of processing.
PROCESSOR means the entity which processes personal data on behalf of the controller.
PROCESSING means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
PERSONAL DATA means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
For our purposes, and based upon the activities we undertake on behalf of our customers, we would fall under the definition of a “processor” under the GDPR, with our customers being “controllers”. Therefore, insofar as the data being processed by us originates from the EU, we have certain obligations under the GDPR.
Specifically, the obligations of a processor are set out under Article 28 of the GDPR. As per this provision, a controller is prohibited from using a processor unless that processor provides “sufficient guarantees” to implement measures that ensure compliance with the rights of individuals under the GDPR.
Article 28 stipulates that these “sufficient guarantees” must be encapsulated in a written agreement between the controller and the processor. In particular, Article 28 provides that the written agreement must require that the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required to maintain the security of the personal data collected, including those set out in Article 32 of the GDPR;
(d) does not sub-contract or delegate the processing to another entity without the written authorisation of the controller; this written authorisation may be general or specific;
(e) provides the necessary technical support to allow the controller to comply with its obligations under the GDPR (i.e. the obligations set out in Chapter III of the GDPR);
(f) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless EU law requires storage of the personal data;
(g) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article, and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
As stated above, these assurances and obligations need to be part of a written agreement between the “controller” and the “processor”. To ensure this, it would be most beneficial to execute a separate document that can be referred to as the “GDPR Addendum”. This “GDPR Addendum” will contain the clauses mandated by the GDPR and can be executed by us with our customers.
It is extremely likely that our customers in the EU will already have a standard format of an agreement they require their processors to execute in order to make them GDPR compliant. In such a case, we may review the contents therein to ensure that it is indeed GDPR compliant, and then proceed to execute the same. If, on the other hand, they do not have a standard format of agreement for this purpose, we can use our template which is being provided separately.
The websites operated by us would also, as is common nowadays, collect certain personal information of their users. In relation to those users who are based in the EU, we would thus be a “controller” for the purposes set out in the GDPR.
As such, there are certain obligations we must meet in order to comply with the GDPR.
One of the obligations contained in the GDPR relates to transparency whilst collecting personal data. Due to the manner in which modern websites operate, certain data is collected relating to every visitor, even in the case of a static website. It is incumbent upon us to inform visitors that such data is being collected and to ensure that their rights under the GDPR are protected.
PRIOR AND EXPLICIT CONSENT
MAINTAINING RECORDS OF CONSENT
As a controller we need to ensure that steps have been taken enabling us to provide the end users adequate control over the data pertaining to them that has been collected by us. The two chief forms of such control are:
RIGHT TO A COPY OF ALL DATA
The GDPR makes it mandatory that every controller be in a position to provide an individual, on demand, with a complete copy of all of his/her data that has been collected. It is also mandatory that this copy be provided in a format that is easily readable and understandable. We need to be able to provide this information to an individual without undue delay upon a request made for the same.
RIGHT TO PURGE ALL DATA
The GDPR also makes it mandatory for every controller to be able to delete all data relating to an individual upon his/her written request. After receiving such a request, it is mandatory for us to delete all copies of any data relating to that person that we may hold, as expeditiously as technically possible. This includes any data that is stored in a manner such that it is not directly clear to whom the data relates, i.e. “pseudonymised” data.
The GDPR imposes very harsh penalties for violations. Infringement of Article 28 (and some other provisions) attracts a penalty of up to €10 million or 2% of the annual global turnover of the establishment.
Certain other provisions (such as those relating to the rights of data subjects) attract double this amount as the maximum penalty in the case of a violation.
Therefore, it is imperative that the provisions of the GDPR be adhered to.
Copyright © 2015. RJGLOBUS SOLUTIONS All Rights Reserved.