The General Data Protection Regulation (GDPR). A term that everyone has probably heard of by now. But what does it actually entail? We will try to provide more clarity with the explanation below.
General rules:
You are probably already familiar with the general rules, including:
The same rules apply throughout the entire EU; if data from EU citizens is processed by companies outside the EU, then GDPR also applies;
The term “personal data” is expanded to include data types such as IP addresses and sensitive data like health information, and information about cultural background;
The collection of data is subjected to strict rules, so that data lists cannot simply be bought or created: the user must give explicit consent, may view their data, and demand that it be deleted (right to be forgotten);
Where violations in the past were usually treated leniently, there are now high fines. When the collected data is not managed correctly, a serious data breach is not reported, or the company does not conduct a risk assessment, the fine can go up to 2 percent of the annual revenue. For serious misconduct, that amount can rise to as much as 4 percent of the revenue or up to 20 million euros, whichever is higher.
Role distribution: Processor, Controller, and processor agreement
Controller = the owner of the data, the one who collects the data. As a customer of Epartment, you collect personal data (think of name, address, IP addresses, payment data of your users) and you are the Controller.
Processor = the party where the data is stored, or who processes it, in a manner determined by the Controller. Our customers ask us to make a backup of the data. In this case, Epartment is the Processor. Also, if the Processor entrusts the processing to a third party (the sub-processor), the Processor (Epartment, therefore) remains responsible for proper compliance with the GDPR legislation. These agreements are laid down in a so-called processor agreement. This is a contract that is concluded between Epartment and the customers whose data it processes.
Tasks of the Controller
Your first task is: to determine whether the processing of the data is permitted. This means that the collection and processing of data occurs because:
it is based on obligations from a contract;
explicit consent has been requested (opt-in!);
it complies with legal obligations;
it is relevant to the personal safety or health of the data subject;
it is in the public interest or in your legitimate interest (such as being able to identify those responsible for hacking, fraud, etc.)
Your second task is to ensure that the data is sufficiently protected. Lastly, you must report a breach immediately. The following applies: a breach is any violation of security (a leak, a hack…) through which data can be destroyed, lost, modified, unlawfully accessed, or viewed by unauthorized persons. You must report the breach:
to your customers
to the authorities
For the Netherlands: the online notification of the Data Protection Authority
For Belgium: the website of the Privacy Commission
You must make this notification within 72 hours after discovering the breach. The GDPR considers that you may not yet have all the information about the incident within that period, and requests that your first notification already include the following information:
the type of breach
the number of users/customers who may be at risk
the risk that the breach poses to those involved
the measures you have already taken at the time of notification
the measures you will further take
The tasks of the Processor
Epartment is the Processor of the data that you, as a Controller, have collected. Therefore, it is our task to, among other things:
maintain logs of the data processing that we perform with your data, such as making backups
report breaches of your data to you (the Controller)
check whether Sub-Processors, third parties that we hire for data processing, comply with GDPR / AVG regulations
What else do we do?
Extra protection of customer data
GDPR is very much alive within Epartment and the Odalis Group, and we also notice that many of our customers are taking it seriously. We have always set very high standards for good security of (customer) data. This covers not only the personal data of our customers in our own database and the data accompanying our website, but also the software, phones, laptops, etc., that we use and how they are optimally secured. We also adopt various recurring processes and procedures regarding information security at all our companies. We are determined to ensure that all data is in order, and we have a strict policy to safeguard this in the future.
Privacy Policy
We have a Privacy Statement on our website that explains how we handle data.
Cookie Policy
To properly handle functional, analytical, social, and marketing data, we use cookies. For this, we first ask for consent, in which you can make a choice yourself. See also our cookie policy.
Processor Agreement
We have chosen to create and send a personalized processor agreement for each customer. Our customers were informed of this a long time ago. Our new General Agreement will also contain a reference to our Privacy Statement and Processor Agreement.
Why do we not sign the processor agreements of our customers?
It is not an option for us to agree to the processor agreements of our customers. The main reason is that it is not feasible for us and our overarching holding (Odalis Group) to ensure and maintain agreements that are spread across different contracts.