What is EU-GDPR?
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a comprehensive data protection law that passed after years of preparation on May 25, 2018, by the joint efforts of the European Parliament, the Council of the European Union, and the European Commission.
It is widely regarded as the world's strongest set of data protection legislation; it was substantial from its foundation and contains 99 individual articles that lay down rules regulating the processing and protection of EU citizens' personal data.
The legislators asserted that GDPR was drafted with wide-ranging data protection concepts that apply consistently across all EU member countries, providing the highest level of protection for an individual's privacy rights.
Whom does GDPR apply to?
The EU-GDPR is applicable to all EU residents. The usage of the term “residents” is quite wide here as it means that the resident need not be a citizen of any EU member state. It could be any individual who resides in the EU.
The scope of the GDPR covers all entities that deal with or process EU residents' personal data, irrespective of whether the entity has a presence in the EU, whether it is a private or a government entity, and whether it is a data controller or a data processor.
It must be apparent that the organization envisages that its activities will be directed at EU data subjects. Pursuant to Article 3(2), even organizations established outside the EU are subject to GDPR where they process personal data of EU data subjects in connection with the "offering of goods or services" to them or the "monitoring of their behavior" within the EU.
For instance, a US software company with all its offices in the US that handles the data of the EU residents can be investigated, fined, and prosecuted by the Supervisory Authority.
Key terms involved in GDPR
> GDPR seeks to add accountability to the data controllers and processors:
A controller is the one who “determines the purposes and means of the processing of personal data” (that’s you, and maybe us).
They are the decision-makers who decide the purpose and methods of processing personal data. A Data Controller may be: (a) a natural or legal person, (b) any public authority, or (c) an agency or other body, acting alone or jointly with others.
There may also be joint controllers of personal data, where two or more parties together determine how the data is handled. A processor is one who "processes personal data on behalf of the controller"; processors work under the instructions of the data controller and handle the data accordingly (that's us when you use our applications, products, or services).
> Personal Data:
Personal data is defined under Article 4 of GDPR as any information relating to an identified or identifiable "natural person". Please note that personal data does not precisely match the term used in the USA, personally identifiable information (PII). While the two are similar and overlap in many respects, they are not precisely the same and should not be used interchangeably.
Examples of personal data: name, IP address, email, location data, web-browser cookies; each of these can help indicate who a person is, where they are located, or their physical, genetic, cultural, or social background.
Additionally, data that on its own is not personal data can become personal data when combined with another data set; for example, a doctor's record combined with your college graduation year could determine your age.
42Gears readiness towards GDPR Compliance:
The GDPR has looked afresh at existing privacy principles and lists several principles for the processing of personal data under Article 5, to which 42Gears adheres:
1. Accountability and Governance:
We have designed comprehensive but proportionate measures to minimize the risk of breaches and uphold the protection of personal data throughout our organization. Further, we are proactive and organized in our approach to handling any personal data, to ensure that the principle of Accountability is embedded in our culture.
We have a robust framework for handling personal data, which includes a regular evaluation and assessment procedure.
To put it simply: "We have records for what we do and why."
2. Data Protection by Design and Default:
42Gears has adopted and put in place appropriate technical and organizational measures to consider and integrate data protection into our entire lifecycle of processing activities.
3. Lawful basis of processing:
We aim to ensure a valid lawful basis for the processing of personal data and to meet all the requirements described in the GDPR, including those for data collection, processing, and storage.
GDPR requires personal data to be processed in a manner that ensures its security. We have defined and implemented adequate systems to maintain effective and proportionate security, which includes protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. For detailed information, please visit our "Security and Compliance" page available on our website: https://www.42gears.com/security-and-compliance/
We put appropriate means in place to validate the contractual obligations of third parties (sub-processors) in relation to data processing, to mitigate the risk posed by their processing.
In pursuance of this, we have a Data Processing Agreement signed with each of our sub-processors to ensure that they offer an equivalent level of protection for personal data.
6. International Transfer:
In light of the Court of Justice of the European Union (CJEU) Schrems II decision invalidating Privacy Shield, and in preparation for the United Kingdom's departure from the European Union (Brexit), we have made it easy for our customers to maintain a lawful data transfer mechanism by incorporating the Standard Contractual Clauses (SCCs) in our Data Processing Agreement.
Further, where processing takes place in the United States, we ensure that the Service Providers have Standard Contractual Clauses (SCCs) included in their Data Processing Agreement (DPA) to maintain a lawful transfer mechanism.
7. Data Breach:
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
In order to prevent data breaches, we provide timely training to our employees so that they can recognize a data breach and escalate a security incident to the team we have assigned for this purpose. Under GDPR, we are subject to a direct obligation to notify controllers and the Supervisory Authority of a data breach within 72 hours of becoming aware of it. Therefore, we ensure that we engage appropriately with our controllers in the event we become aware of any data breach, and we have prepared an effective response plan for any personal data breaches that may occur.
8. Individual Rights:
Apart from the privacy principles, the GDPR articulates the following rights for individuals (known as Data Subject Rights):
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (or right to be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
We are obligated to process data fairly and to support individuals in exercising their rights under GDPR.
Since GDPR places great responsibility on data controllers when processing personal data on the grounds of user consent, we have revamped permissions and consent across all our solutions to honor data subject requests regarding their personal data.
Fulfilling our privacy and data security commitments is important to us and is one of our top priorities, so we're glad to help you prepare for all the changes and become compliant under GDPR. This page will be revised with further GDPR-related information as and when required.
If you have any questions about how we can help you in your journey with GDPR compliance, feel free to reach out to us at email@example.com.