TechClass and GDPR
Here at TechClass, we have a professional, legal, and ethical responsibility to ensure that the information we store and process is handled in line with the principles of confidentiality, integrity, privacy, and availability. The GDPR came into force on 25 May 2018, and from day one we took GDPR requirements into account throughout the analysis, design, and implementation of the MVP of our platform, which we released in February 2019.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is one of the strictest privacy and security laws in the world. Although it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, as long as they target or collect data relating to people in the EU. The regulation took effect on 25 May 2018. The GDPR levies heavy fines on those who violate its privacy and security requirements, with penalties of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Personal data: Any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it is relatively easy to identify someone from it.
Data processing: Any action performed on data, whether automated or manual. The examples cited in the regulation include collecting, recording, organizing, structuring, storing, using, and erasing, so essentially anything done with personal data.
Data subject: The person whose data is processed. These are your customers or site visitors.
Data controller: The person or organization that decides why and how personal data will be processed. If you are an owner or employee in your organization who handles data, this is you.
Data processor: A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations.
The GDPR Compliance Features
Terms and Conditions
Request to download all user data
User authorization for data use and management
The GDPR's geographic reach is also significantly expanded, since it applies to any organization that does business with or processes the personal data of people in the EU, regardless of where the organization is based or where the processing takes place.
Personal data is any information about a natural person (the "data subject") that identifies or can be used to identify that person, directly or indirectly. This includes the person's full name, email address, online identifiers, bank account, IP address, social security number, and similar information.
"Processing" is defined in Article 4 as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." The concept is deliberately broad and covers practically any activity involving personal data.
Withdrawing consent must be as simple as giving it. Plain, simple language should be used, avoiding technical or legal jargon and complicated constructions (such as double negatives), so that users understand what they are consenting to. Consent should be explicit, granular (separate consent for different processing operations), distinct from other matters such as general terms and conditions, and freely given. Pre-ticked boxes and silence do not count as consent.
Consent is not the only lawful basis for processing. As set out in Article 6 of the GDPR, consent is merely one of six lawful bases for processing personal data. The others are: processing that is necessary to perform a contract to which the data subject is a party, or to take steps at the data subject's request before entering into a contract; processing that is necessary to comply with a legal obligation; processing that is necessary to protect the vital interests of the data subject or another natural person; processing that is necessary to carry out a task in the public interest or in the exercise of official authority; and processing that is justified by a legitimate interest of the controller or a third party, provided that interest is not overridden by the data subject's rights and freedoms.
Where a data breach is likely to "result in a risk to the rights and freedoms of natural persons," the GDPR makes breach notification mandatory. The controller must notify the supervisory authority within 72 hours of first becoming aware of the breach (Article 33), and where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Article 34). Because the clock starts at the moment of awareness, reliable logging, monitoring, and an exercised incident response process are what make meeting the deadline practical.
The material on this website is not intended to serve as legal advice for you or your organization on complying with EU data protection legislation such as the GDPR. This page's content is intended solely for educational purposes and gives you background information to better understand TechClass's efforts to comply with the regulation. Please do not hesitate to contact us if you have any questions or concerns about how we may assist you with compliance or other privacy-related issues.