The General Data Protection Regulation (GDPR) is a directly applicable EU regulation on data protection and data privacy for all individuals living in the European Union and the European Economic Area. In this article we explain the key concepts to take into account when implementing the GDPR in your company.
At STEL Order, we would like to give you some guidelines and show you how to implement the GDPR safely, based on how we have done it in our own company.
1. The GDPR entered into force on May 25th, 2018.
This new regulation applies to all companies that process personal data in the course of their business activities within the European Union.
The objective of this regulation is to guarantee EU citizens that companies' use of their personal data is based on the principle of proactive responsibility (accountability).
At STEL Order, you can be sure that your data has always been handled properly. The way we process your data has not changed; we have only had to expand the information in our legal texts.
2. What has changed?
Tacit consent is forbidden, for example pre-ticked boxes on web pages. Previously, if the company informed a user through its privacy notice that their data would be processed and the user agreed, the company had the right to process their personal data. Now the user has to tick the boxes themselves to give conscious and clear permission for the processing of their data.
The user may now request that the use of their personal data be limited to certain purposes: they can select the purposes for which the company has the right to use their personal data. The user also has the right to transfer their personal data from one company to another and the right not to be shown in internet search results.
The company has to establish a protocol for “security breaches”, a new concept defined as a violation of the security of personal data. A security breach has to be reported to the supervisory authority within 72 hours of its detection.
The company will have to perform a risk analysis on the data it processes and evaluate that processing. Any risks must be identified, solutions implemented, information flows described, and the purpose for which the data was collected clearly defined.
There has also been an increase in sanctions for violations of the regulation.
3. What legal documents are required?
1- Contracts with the data processors (the parties that process the data on the company's behalf and are responsible for that processing).
2- Employee commitments and confidentiality agreements: the employee undertakes not to disclose to third parties any information owned by the company.
3- Reviewing all the agreements obtained so far and bringing them into line with the regulation.
4- Security documents.
4. How is personal data classified under the law?
The company must guarantee that all data was collected lawfully and legitimately, in addition to fulfilling its duties of secrecy and security. Users must be informed that their data will be collected.
Data that a company receives must be treated appropriately, depending on how sensitive it is. Data may generally be divided into three groups:
- Anonymous or indirect information: does not allow direct identification of the user.
- Non-sensitive personal data: direct identification information, such as name, surname, telephone number, etc.
- Sensitive data: it is forbidden to process this data, except in special cases. This data has a particular impact on the privacy, public liberties and fundamental rights of a person. It is any information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, sexual orientation, or any data whose purpose is to uniquely identify an individual.