TechClass and GDPR
At TechClass, we hold steadfast to our professional, legal, and ethical obligations in safeguarding all information under our care. We are committed to ensuring that our data handling practices adhere strictly to the principles of confidentiality, integrity, privacy, and availability.
From the moment the General Data Protection Regulation (GDPR) took effect on May 25, 2018, we have integrated its stringent data protection standards into every facet of our operations. When we rolled out the Minimum Viable Product (MVP) of our platform in February 2019, we had already taken into account and addressed GDPR requirements throughout the analysis, design, and implementation stages.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
Personal data refers to any piece of information directly or indirectly linked to an identifiable individual. This includes clear identifiers such as names and email addresses, but also extends to information like location data, gender, biometric data, religious beliefs, web cookies, and political opinions. Pseudonymous data also comes under this definition if it's possible to identify an individual from it relatively easily. Therefore, personal data encapsulates a wide range of information, highlighting the scope and seriousness of data protection under GDPR.
Data processing encompasses all actions, automated or manual, performed on data. The range of these actions is vast and includes activities such as collecting, recording, organizing, structuring, storing, using, and erasing data. Essentially, any interaction with data can be defined as data processing, reinforcing the breadth of responsibilities under the GDPR.
The data subject refers to the individual to whom the processed data belongs. In the context of your business, these are your customers or website visitors. Recognizing who the data subjects are is the first step in ensuring their privacy rights and upholding the principles of the GDPR.
The data controller is the entity or individual who determines the purpose and means of processing personal data. If you are an owner or employee in your organization responsible for handling data, this role applies to you. As a data controller, you are accountable for ensuring that your data processing activities comply with the GDPR's stringent requirements.
The data processor is a third party that processes personal data on behalf of the data controller. These could be other individuals or organizations that the data controller contracts. Special rules in the GDPR govern the operations of data processors, emphasizing the responsibility they carry in maintaining the integrity of personal data they handle.
The GDPR's geographic reach is also significantly expanded: it applies to any firm that does business with, or processes the personal data of, people in the EU, regardless of where the firm is based or where the processing takes place.
Personal data is any information about a natural person (the "data subject") that identifies or may be used to identify the person directly or indirectly. This includes the person's full name, email address, online identity, bank account, IP address, social security number, and other information.
"Processing" is defined in Article 4 as "any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination." The concept is fairly wide, encompassing pretty much any activity on personal data.
It must also be as simple to withdraw consent as it is to give it. Plain, basic language should be used, avoiding technical or legal jargon and complicated constructions (such as double negatives), so that users understand what they are consenting to. Consent should be explicit, granular (separate consent for each distinct processing operation), kept separate from other matters such as general terms and conditions, and freely and unambiguously given.
No. As outlined in Article 6 of the GDPR, consent is only one of the lawful bases for processing personal data. The others are: where processing is necessary to perform a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract; where processing is necessary to comply with a legal obligation; where processing is necessary to protect the vital interests of the data subject or another natural person; where processing is necessary to carry out a task in the public interest; and, lastly, where processing is justified by a legitimate interest that outweighs any risk to the data subject's privacy.
In circumstances where a data breach is likely to "result in a risk for the rights and freedoms of persons," the GDPR makes breach notification mandatory. The notification deadline is 72 hours from the moment you first become aware of the breach.
The importance of privacy and legal affairs at TechClass (From 2018)
The material on this website is not intended to serve as legal advice for you or your organization in complying with EU data privacy legislation such as the GDPR. This page's content is intended solely for educational purposes and gives you background information to better understand TechClass's efforts to comply with the regulation. Please do not hesitate to contact us if you have any questions or concerns about how we may assist you with compliance or other privacy-related issues.