General Data Protection Regulation (GDPR)
Last modified: January 17, 2022
This page is regularly updated to reflect continued monitoring, accuracy and comprehensiveness.
The GDPR outlines obligations that organizations must follow, limiting how personal data can be used. It also defines eight data subject rights that guarantee specific entitlements over an individual’s personal data, ultimately giving individuals more autonomy over their personal information and how it is used.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is the European Union (“EU”) privacy legislation which took effect on May 25, 2018, replacing the 1995 EU Data Protection Directive.
It is a binding regulation that applies directly in Member States’ laws and is designed to regulate how organizations collect, handle, and protect the personal data of EU residents. The GDPR strengthens privacy rights by giving data subjects control over how their personal data is obtained, used, and shared.
It is the strongest global privacy law in effect today. The GDPR set out with three main goals in mind:
- Establish and protect the fundamental privacy rights of individuals.
- Unify privacy laws across the EU by replacing the 28 individual EU member state laws and the previous 1995 Data Protection Directive.
- Adapt privacy laws to reflect the changes technology has brought to personal data over the last 25 years.
Key definitions
- Data Subject is a natural person who can be directly or indirectly identified, in particular by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Personal Data means any information (objective and/or subjective) relating to an identified or identifiable natural person (“data subject”); such as information relating to their private, professional, or public life, including a name, email address, photos, bank statements, online identifiers etc.
- Processing means anything done to personal data, whether or not by automated means. It involves any automated or manual operation or set of operations performed on personal data or sets of personal data, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval or accessing or viewing, consultation, use, analyzing, combining, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, deletion or destruction and so on.
- Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes, lawful basis and means of the processing of personal data;
- Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- Consent refers to any “freely given, specific, informed and unambiguous indication” that the data subject agrees to the processing of personal data related to them. Data subjects can provide consent with either a statement or explicit affirmative action.
- Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- Pseudonymous Data is personal data that cannot be tied to a specific data subject without additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Anonymous Data is data that cannot ever be connected to an identified or identifiable person.
Does the GDPR apply to me?
The GDPR has broad reach, including extra-territorial reach. The GDPR applies to organizations (data controllers and data processors) that handle the personal information (PI) of data subjects in the EU, whether the organizations are EU-based or not. The GDPR applies to organizations that are based in the EU, even if the PI is being stored or used outside of the EU, and to organizations that are not in the EU if:
- the organization offers goods or services to individuals in the EU; or
- the organization monitors the online behavior of individuals in the EU.
To decide whether we are covered under the GDPR, we need to consider both the ‘territorial scope’ and the ‘material scope’.
What are the GDPR’s key principles?
There are seven key principles under the GDPR that provide guidance on how Personal Information must be handled by data controllers and data processors. The GDPR requires implementation of appropriate technical and organizational measures to implement these data protection principles effectively to safeguard data subject rights:
Lawfulness, fairness, and transparency
Processing must be lawful, fair, and transparent to the data subject. There should be a lawful basis for each processing activity. Data must not be processed in a way the data subject would not expect, and the data subject must be informed of the processing.
Purpose limitation
Personal Information may be processed only for the legitimate purposes specified to the data subject when it was collected. Be clear about your purposes for processing, and record and specify them in the privacy notice to individuals. Limit the processing to those identified purposes.
Data minimization
Personal Information should only be collected and processed to the extent necessary for the specified purposes.
Accuracy
Personal Information must be accurate and up to date. Ensure the personal data that you process is accurate and up to date, and correct or erase inaccurate personal data as soon as possible.
Storage limitation
Personal Information may be stored only for as long as necessary for the specified purpose. Only keep Personal Information if you need it.
Integrity and confidentiality
Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality. Have appropriate security measures in place to protect the personal data from unauthorized or unlawful processing and from accidental loss, destruction, or damage.
Accountability
The data controller and data processor must take responsibility for what they do with personal data and have appropriate measures and records in place to demonstrate their compliance with the data processing principles.
Significant changes in GDPR
- Lawful basis for Data Processing: The GDPR requires that at least one of the following lawful bases apply before the personal data of data subjects can be processed: Consent, Contract, Legal obligation, Vital interests, Public interest, Legitimate interests.
- Compliance Obligations: Both data controllers and data processors are responsible for demonstrating compliance, not just to the regulator but also to data subjects where necessary.
- Breach Notifications: Data Controllers must report any data breach to the appropriate data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach. Data subjects should be informed immediately of any breach that will cause them high harm.
- Privacy by Design: Companies must follow Privacy by Design principles and implement appropriate technical and organizational measures in an effective way to meet the requirements of the GDPR and protect the rights of data subjects.
- Data Privacy Impact Assessment (DPIA): There is an obligation to perform a Data Privacy Impact Assessment (DPIA) when data processing may use “new technologies” or is risky, so that potential privacy issues can be identified before they arise, giving time to come up with a way to mitigate them before the project is underway.
- Profiling: Restrictions are placed on the automated processing of personal data for the purpose of evaluating or analyzing a data subject, because of the impact it may have on the data subject, which can include job denial, refusal of a credit application, etc.
- Data Subject Rights: The “right of portability” and the “right to be forgotten” are two new privacy rights granted to individuals under the GDPR. The right of portability affords residents easier access to their own data. Upon request, individuals will be able to transfer all data from one provider of goods or services to another; this provision was created to foster healthy competition and increase accountability among providers. Under the “right to be forgotten,” individuals can have their personal data erased upon request in certain circumstances.
- One-Stop Shop: Under the GDPR’s new “one-stop-shop” provision, organizations with offices in multiple EU countries will have a “lead supervisory authority” that acts as a central point of enforcement, so they do not struggle with inconsistent directions from multiple supervisory authorities.
- Appointment of a Data Protection/Privacy Officer: Based on the EU Commission’s writings on the topic, a DPO is required for any enterprise with over 250 employees or for any enterprise processing the personal data of over 5,000 data subjects in any 12-month period. It is recommended that any organization that regularly processes personal data on a large scale or monitors data subjects’ personal data appoint a data protection officer who will ensure compliance with privacy laws.
- Enforcement: Under the GDPR, organizations can be fined up to €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.
What are the data subject rights under the GDPR?
The GDPR outlines eight fundamental data subject rights, plus the right to withdraw consent:
- Right to be informed: Data subjects have the right to be informed about the collection and use of their personal data.
- Right to access: Data subjects have the right to view and request copies of their personal data.
- Right to rectification: Data subjects have the right to request that inaccurate or outdated personal information be updated or corrected.
- Right to be forgotten / Right to erasure: Data subjects have the right to request that their personal data be deleted. Note that this is not an absolute right and may be subject to exemptions based on certain laws.
- Right to data portability: Data subjects have the right to ask for their data to be transferred to another controller or provided to them. The data must be provided in a machine-readable electronic format.
- Right to restrict processing: Data subjects have the right to request the restriction or suppression of their personal data.
- Right to withdraw consent: Data subjects have the right to withdraw previously given consent to process their personal data.
- Right to object: Data subjects have the right to object to the processing of their personal data.
- Right to object to automated processing: Data subjects have the right to object to decisions being made about them solely on the basis of automated decision-making or profiling.
Safeguarding the privacy and security of personal information is a priority for Vendasta. We have invested time and resources in preparation for the European General Data Protection Regulation (GDPR). At Vendasta we understand that GDPR is an ongoing governance commitment and as such, we will ensure that Vendasta is and remains fully compliant.
For additional information please contact us at: firstname.lastname@example.org.
What is Vendasta doing to comply with GDPR?
As part of this GDPR program, we are reviewing and enhancing our platform, products, solutions and services so as to address our obligations as processors.
Vendasta processes personal data to the extent necessary and in accordance with applicable regional privacy laws including GDPR. Vendasta ensures that there is an applicable lawful basis for any and all processing of personal data.
Data protection and privacy awareness, education and training
Vendasta has ongoing educational, training and awareness programs for its personnel and employees with regard to data security, risks, and privacy regulations including the GDPR.
Technical, organizational and security standards
Vendasta is committed to continuously improving the security of our platform and protecting the privacy of our users. We take all reasonable precautions and technical and organizational security measures to safeguard and protect personal data.
As a part of this effort, we also run a vulnerability disclosure program (VDP) through HackerOne. The goal of this program is to provide security researchers with an opportunity to test our platform’s security and responsibly disclose vulnerabilities to us.
For additional information please contact us at: email@example.com
Consent: marketing email campaigns
We are committed to making continual improvements to the email experience for both our partners and their customers. On one hand, we work diligently to ensure emails are delivered to customers quickly and reliably. On the other hand, we know it is important to respect the wishes of email recipients and only deliver mail that they have consented to receive. For this reason we provide end users the ability to unsubscribe from marketing campaign emails and allow users to adjust notification preferences within the platform.
Going forward, we have prioritized work to give recipients even finer-grained control over what kinds of emails they receive. This benefits the recipient and partner alike because it reduces the number of unwanted emails that the customer is unlikely to engage with, and it is in line with the intentions of the GDPR. Our vision includes a platform where consent to receive email communication is both transparent and easy to understand.
Data breach response procedure
To mitigate the risks to data subjects from any data breach and to implement GDPR breach notification to the extent required under the applicable laws, Vendasta has implemented a Data Breach Incident response procedure.
Data subject rights (DSR) request handling procedure
To ensure that all DSR requests are handled in a correct and timely manner, Vendasta has implemented a set of DSR request handling procedures.
Data Subject Rights
In accordance with GDPR, data subjects may exercise the following rights:
(i) request access to Personal Data; (ii) request the rectification of Personal Data; (iii) object to the processing of Personal Data; (iv) withdraw consent (to the extent applicable); (v) exercise the right to data portability; (vi) request the erasure of Personal Data; and (vii) request the restriction of processing of Personal Data.
Vendasta understands how important and complicated these requests can be, and that manual processes are prone to human error. We have committed ourselves to providing self-serve access to our partners and users so that they can manage their requests conveniently and efficiently.
We already provide automation for the right to access and the right to rectification for the users of our platform. Users can exercise these rights from the user profile provided through the platform; for the other rights, the work is in progress.
Alternatively, in order to exercise any of the above rights please contact us at firstname.lastname@example.org. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection law. We may ask you to verify your identity in order to help us respond efficiently to your request.
We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to email@example.com. We will look into and respond to any complaints we receive.
You also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work or the country in which an alleged infringement of data protection law has occurred within the EU.
At nearly 100 pages, and the subject of innumerable articles and analyses since its first draft debuted in 2012, the GDPR can be overwhelming. Here’s a high-level look at the GDPR requirements.
What you as a data-subject, consumer or a user can do
- Provide consent and also withdraw consent for processing
- Request a copy of all of your data
- Request the ability to move your data to a different organization
- Request to delete your information you consider no longer relevant
- Object to automated decision-making processes, including profiling
What data protection authorities can do
- Data protection authorities have investigatory, corrective, authorisation and advisory powers
What can we as controllers and processors do
- Implement “Privacy by Default” and “Privacy by Design”
- Maintain appropriate data security
- Notify data protection agencies and consumers of data breaches
- Get appropriate consent for most personal data collection and provide notification of personal data processing activities
- Keep records of all processing of personal information
- Appoint a Data Protection and Privacy Officer
- Take responsibility for the security and processing activities of third-party vendors
- Conduct Data Protection Impact Assessments on new processing activities
- Institute safeguards for cross-border data transfers
- Consult with regulators before certain processing activities
- Be able to demonstrate compliance on demand
- Provide appropriate data protection training to personnel having permanent or regular access to personal data
Email us at firstname.lastname@example.org.
Official site of EU’s GDPR
A guide to the EU’s General Data Protection Regulation is available, and every organization that collects personal data from customers should become familiar with its provisions.
This website is neither legal advice for your company in complying with GDPR/other data privacy laws nor a magnum opus on EU/EEA data privacy. What we are providing is background information to help you better understand how we, at Vendasta, have addressed some important legal points. This legal content is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. You may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.