What is GDPR?
GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
Who does GDPR apply to?
Primarily, GDPR's personal data protection and privacy rules affect European-based companies. Because Europeans may use websites outside of Europe, non-European companies also need to apply GDPR data protection and privacy regulations to their websites.
When is the effective date?
GDPR took effect on May 25, 2018.
- Communication: Use clear, plain language to explain who you are when requesting the data, why you are processing their data, how long it will be stored, and who receives it.
- Consent: Clear affirmative action related to legal grounds for processing data (together with contract, legitimate interest, legal obligations, etc.)
- Access and portability: Allowing people to access their data and provide it to another company.
- Warnings: In the event of data breaches, informing people should there be a risk to them.
- Erase data: Giving people the ‘right to be forgotten’ to erase their data.
- Profiling: Companies that use profiling to process applications for legally binding agreements must:
  - inform their customers;
  - make sure a person, not a machine, checks the process if the application ends in a refusal;
  - offer the applicant the right to contest the decision;
  - ensure an appropriate legal basis to carry out such profiling.
- Marketing: Give people the right to opt-out of direct marketing using their data.
- Safeguarding sensitive data: Use extra safeguards to protect information on:
  - sexual orientation;
  - religion; and
  - political beliefs.
- Children’s data: Collecting data from children under the age of 16 requires parental consent. Some states can lower the threshold to an age between 13 and 16.
- Data transfer outside the EU: Check availability of transfer tools like contract clauses when there is no adequacy for the country of destination.
Websites that do not meet the compliance regulations go through different phases before being fined.
- Suspension of data processing
- Up to €20 million; or
- 4% of global annual turnover.