General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is rapidly approaching and will affect all organizations that process personal data, including Copernica and all its customers. As such, it is important to take a close look at the rules and to review the steps that will have to be taken.
This news article is the result of an extensive assessment of the adjustments that will need to be made to Copernica to meet the new legislation. Rewriting the processing agreement is only one of many steps that have to be taken. We will also critically examine how our software will need to be adjusted, and further investigate how we can support our customers in being compliant with the legislation. In the upcoming period we will publish additional information in this regard.
Introduction
On May 25th 2018 the new European privacy legislation, the GDPR, will come into effect. This regulation will replace most national legislation (in The Netherlands this is the ‘Wet Bescherming Persoonsgegevens’). Although the two do not differ fundamentally in regard to the rights of the persons concerned, there are important differences: the protection of individuals has been tightened, placing more obligations on organizations that process personal data; supervisory authorities will have expanded powers (guidelines on fines for infractions have been established); and more guidance will be given to organizations.
The general lesson of the GDPR for organizations is that they will have to provide insight into the following: which personal data is being processed, why it is being processed (on what grounds), in which way it is being processed, who is receiving the data, and how that has been justified. Article 6 of the GDPR states that processing personal data can have multiple grounds, of which two are relevant for Copernica users: processing to carry out a contract, and processing based on informed consent. Examples are, respectively, processing a person's address data to deliver a purchased item and using a person's email address to send a newsletter they signed up for.
Roles
In the GDPR, three important roles are specified: the subject of the personal data, the controller (the party responsible for processing the data), and processors (parties that work for the controller; Copernica falls under this last category, although in some cases we may act as controller as well).
Important articles
Now follows a list of articles that will be relevant to a typical Copernica user, together with a sketch of their implications. A web shop is used as the example case.
- The term personal data should be interpreted in the most general sense of the word: any data with which a person can be identified, either directly or indirectly. This includes a name, identification numbers, location, address, phone number, gender, race, sexual preference, etc.
- Personal data should be processed lawfully, proportionately, purpose-bound (only for the purpose for which it was collected), and as minimally as possible. Data should only be stored as long as it is necessary (Article 5).
- When a processor relies on permission, proof of this permission should be available. The request for permission should be formulated in understandable language, and the purpose(s) of processing should be listed and cannot conflict with the GDPR. In addition, the processing should be necessary. For example, not showing a website when a visitor refuses to accept cookies will no longer be allowed in the future (Article 7).
- The following information about personal data should be provided: which organization processes it, the legal grounds, which other organizations further process it, and the purpose of this (Article 13 if the information comes directly from the subject, or Article 14 if it is obtained indirectly). This can for example be accomplished by publishing a privacy statement on your website that is both findable and readable. Every form that processes personal data can then link to this statement.
- Right of access: the subject has the right to view their personal data (Article 15).
- Right to rectification: the subject has the right to have the responsible party correct their data (Article 16).
- Right to be forgotten: personal data has to be removed if it is no longer necessary for the purpose for which it was collected, if permission is withdrawn, or if the subject files a complaint (Article 17).
- The subject can temporarily limit the processing of data. This can be done in case of uncertain accuracy (Article 18). The subject can also object to profiling and automatic decision-making (Articles 21 and 22).
- Right to data portability: the subject has the right to receive their personal data in a machine-readable format in order to forward it to a third party. This can for example be an XML format.
- A record should be kept of the processing activities (Article 30) by both the responsible party (section 1) and the processor (section 2). This record should include the following items: contact details of the responsible party or the processor and, if applicable, the Data Protection Officer; categories of processing; transfers to processors; etc. This does not apply to organizations that employ fewer than 250 people, unless the processing is not incidental. In practice, however, this means that every organization needs to keep a record.
- A Data Protection Officer (DPO) should be appointed by parties that process personal data on a large scale (almost every web shop will appoint a DPO; see the DPO guidelines of the European advisory committee (PDF download)).
Privacy Policies
In summary, we recommend including the following points in a privacy policy that is easily available (online) as well as short and easy to understand:
- contact information of the DPO;
- processing purposes and grounds;
- justification of the processing (explain why this personal data needs to be processed);
- recipients (or categories of recipients);
- if the data will be transferred outside the EU, which precautions have been taken;
- the storage duration, or the criteria that determine the storage duration;
- the rights the subject has (right of access, etc.);
- a description of the possibility to withdraw given permission;
- the fact that a complaint can be made with the supervisory body;
- the roles of the different parties, if multiple parties are jointly responsible for the data processing (Article 26 section 2).
Processors agreement with Copernica
In addition to the points made above, each responsible party is required to have a processors agreement with all organizations that process personal data on its behalf (Article 28 section 3). Copernica has adjusted its existing processing agreement for the GDPR. It will soon be made available for signing via the dashboard on Copernica.com. The following compulsory items are, among others, included in this agreement.
The processor:
- is only allowed to process the personal data with written permission of the responsible party;
- honors confidentiality;
- will take security precautions;
- will ask permission before using a subprocessor;
- must make the same agreements with a subprocessor;
- after the processing service ends, will remove all personal data or return it to the responsible party;
- will cooperate with audits;
- will give notification in case of a security breach.
Data Protection Officer
For questions regarding the processing of personal data by Copernica you can contact our Data Protection Officer: Jonas Lodewegen