GDPR is a privacy and data protection law that regulates how European Union residents' data is protected by companies and enhances the control the European Union residents have over their data shared over any platform.
The GDPR is relevant to any globally operating company whose products or services are accessible, directly or indirectly, to businesses in the EU or to citizens of the European Union. The customers' data shared on our platform is important irrespective of where the customer is based, which is why, as a responsible platform, we have implemented GDPR controls as our baseline standard for all our operations across the globe. GDPR has taken effect from 23rd of June 2023.
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behaviour of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
In keeping with our ongoing commitment to privacy and security, Reliable Photo Stores is committed to making it easier for you to comply with the GDPR.
GDPR requires that personal data be:
Further, GDPR places additional obligations on companies to document their processing activities and be able to demonstrate their compliance with the above principles.
It also codifies the requirement that companies apply data protection by design and by default when developing and designing processes, products and systems.
In addition, if a Company uses service providers to process personal data on their behalf, the Company will need to ensure that they have an appropriate contract in place that ensures that they are obligated to apply GDPR’s data processing standards.
Similarly, if a Company is transferring EU personal data outside the EU, they may only do so if it is being transferred to a country deemed by the EU Commission to have adequate data processing regulations.
For transfers to countries not deemed adequate, they must ensure appropriate alternative safeguards are in place.
Currently, under the Directive, approved transfer safeguards include the EU-US Privacy Shield and standard contractual clauses.
Personal data means data that relates to an identified or identifiable natural person (the "data subject"). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, email address, phone number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Importantly, this is a very broad definition and can encompass data like IP addresses of a user’s personal device, their device ID, or their phone number. It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID).
What matters is that the information can be used to “pick that user out of the crowd” even if you don’t know who that user is.
It is also important to note that the definition of personal data is not tied to concerns about identity theft the way that definitions of personally identifiable information (PII) are under many US data breach laws. So, even if it seems like there would be little privacy harm if someone got hold of the users' IP addresses, that does not mean that those IP addresses are not personal data.
It just means that this data may not require the same level of data protection as more sensitive personal data like your users’ credit card numbers.
Unless explicitly clarified in any agreement, Reliable Photo Stores will be the Processor and Customer/User will be the Controller.
New and enhanced rights for data subjects - This law gives an individual/User the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:
Explicit consent - Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
Right to access - At any point in time, the data subject can ask the Processor what personal data is being stored or retained about him/her.
Right to be forgotten - The data subject can request the Processor to remove their personal information from the Processor's systems.
Obligations of the processors - GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller's instructions.
Data Protection Officer - Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
Privacy Impact Assessments (PIA) - Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
Breach notification - Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
Data portability - The Processor must be able to provide data subjects with a copy of their personal data in a machine-readable format. If possible, they must be able to transfer the data to another controller.
We have covered a lot of ground toward understanding and analysing how the GDPR will impact our customers and making appropriate changes to our product and processes. Below is a glimpse of our analysis and the steps we took to ensure we are compliant in good time:
We have acted on many fronts to adhere to this new regulation.
Access to personal data about the data subject
Under the GDPR, data subjects have the right to access their personal data. You can submit a request and we will provide the data we store about you.
If you feel your personal data is incorrect, you can submit a request describing the data to be corrected. We will make the needed changes or will notify the relevant data controllers (in case you are not our customer yet).
You can request restriction of the processing of your personal data by emailing us at email@example.com
Delete personal data or object to processing
We will honour requests to delete personal data or to object to processing; both are handled by deleting your personal data from our service within 30 days.
Under the GDPR, if you need to transfer your data to another processor or controller, we can provide you with a copy of the personal data we hold.
EU-US Privacy Shield related
If you have any questions related to the transfer of data between the EU/Switzerland and the US, or about the EU-US Privacy Shield framework, please send them by email and we will get back to you in a timely manner.
Please feel free to ask questions and share concerns with us at firstname.lastname@example.org