Vendasta’s GDPR Commitment

General Data Protection Regulation (“GDPR”) is a European Union (“EU”) digital privacy law that gives EU data subjects more control over their personal data. It came into effect on May 25, 2018. The law applies to all companies that process the personal data of people who live in the EU, even companies that are physically based outside of Europe.
Key Terms:
  1. Data Subject is a natural person who can be directly or indirectly identified, in particular by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. Personal Data means any information relating to an identified or identifiable natural person (“data subject”); 
  3. Processing means anything done to personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  4. Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  5. Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  6. Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  7. Pseudonymous Data is personal data that cannot be tied to a specific data subject without additional information that is stored separately, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  8. Anonymous Data is data that cannot ever be connected to an identified or identifiable person.
Pillars and Principles of GDPR
    1. Lawfulness, Fairness and Transparency. Personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject.
    2. Purpose Limitation. Personal data should be collected for specified, explicit, and legitimate purposes and not be processed in a manner that is incompatible with those purposes.
    3. Data Minimisation. Organizations are to collect personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
    4. Accuracy. Personal data collected should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
    5. Storage Limitation. Personal data should only be stored for a period of time necessary for processing. Storage for longer periods should be solely for archiving purposes, public interest, scientific or historical research purposes or statistical purposes.
    6. Integrity and Confidentiality. Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
    7. Accountability. A data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR.
Significant changes in GDPR
  1. Purpose for Data Processing. GDPR requires that at least one of the following legal grounds exists before the personal data of data subjects can be processed:
    1. If the data subject has given consent to the processing of his or her personal data. Such consent must be freely given, specific, informed, and unambiguous;
    2. To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
    3. To comply with a data controller’s legal obligations;
    4. To protect the vital interests of a data subject or another individual;
    5. To perform a task in the public interest or in official authority;
    6. For the legitimate interests of a data controller or a third party, unless these interests are overridden by the interests of the data subject or his or her fundamental rights (especially where children are involved).
  2. Compliance Obligations. GDPR imposes direct obligations on data processors, whereas the previous EU law, the Data Protection Directive, imposed them only on data controllers. These obligations include: processing personal data only in accordance with the controller’s instructions, restrictions on data sharing without the controller’s consent, return/destruction of personal data upon cessation of the relationship, and implementing appropriate security measures. Data controllers are expected to have a written agreement with data processors stipulating adherence to the above obligations.
  3. Breach Notifications. Data controllers must report any data breach to the appropriate data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach, except where the breach will cause no harm to the data subject. Data subjects should be informed immediately of any breach that will cause serious harm to them.
  4. Appointment of a Data Protection Officer. Any organization that regularly processes personal data on a large scale, or monitors data subjects’ personal data, is recommended to appoint a data protection officer who will ensure compliance with privacy laws.
  5. Enforcement. Under the Data Protection Directive, authorities were limited in the penalties they could impose on organizations that violated privacy law; under the GDPR, however, organizations can be fined up to €20 million or 4% of the company’s annual global revenue, based on the seriousness of the breach and the damages incurred.
  6. Profiling. Restrictions are placed on automated processing of personal data for the purpose of evaluating or analyzing a data subject, because of the impact it may have on the data subject, which can include job denial, refusal of a credit application, etc.
  7. Data Subject Rights. GDPR provides EU data subjects with certain rights regarding their personal data.
Your Rights under GDPR

Data subjects are granted certain rights under the GDPR regarding the control and use of their personal data. These rights are:

  1. Right to be Informed: Organizations must inform data subjects what personal data of theirs is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
  2. Right of Access: On demand by the data subject, controllers must provide information in a concise, transparent, intelligible and easily accessible form on categories of personal data being processed, the purpose for such processing, any third party with whom the data is being shared, envisaged period of storage or criteria for determining the duration, and any automated decision-making as regards the use of their personal data like profiling.
  3. Right to Object: Data subjects can at any time object to the processing of their personal data especially if the processing is for marketing purposes including profiling.
  4. Right to Rectification: Data subjects have the right to obtain, without undue delay, the rectification of inaccurate or incomplete personal data concerning them.
  5. Right to Erasure (“right to be forgotten”): This right enables the data subject to demand complete deletion and removal of personal data without undue delay in the following circumstances:
    1. The data is no longer needed for the purpose it was collected or processed for;
    2. Withdrawal of consent to process by data subject and where there is no other legal ground to continue with processing;
    3. Data subject exercises right to object to processing and there is no overriding legal/legitimate ground for processing;
    4. Unlawful processing of personal data;
    5. Personal data has to be erased to comply with a legal obligation;
    6. If the personal data relates to a child.
  6. Right to Restriction of Processing: Data subjects have the right to request the Controller to stop processing (access and modification) of personal data if:
    1. Accuracy of personal data is contested by data subject;
    2. Continuous processing will be unlawful and the data subject opts for restriction instead of erasure;
    3. The Controller no longer needs the personal data for processing purposes, but the data subject still requires it to establish or maintain legal claims;
    4. The data subject has exercised his or her right to object, but its enforcement is pending verification of whether the Controller’s legitimate grounds override those of the data subject.
  7. Right to Data Portability: In certain cases, data subjects have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format. Data subjects also have the right to transmit those data to another controller without any hindrance.
  8. Rights Related to Automated Individual Decision-Making: This is a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects data subjects.
How to exercise your GDPR Rights

You can exercise your rights yourself or you can designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Information, we will verify your identity or that of your agent by a method appropriate to the type of request you are making. Additionally, we may also request that your authorized agent has a written confirmation from you to make requests on your behalf.

Please use the contact information below if you would like to:

  1. Exercise your rights;
  2. Learn more about your rights or about our Privacy Policy; and
  3. Designate an authorized agent to make a request on your behalf.

By email to: privacy@vendasta.com

Learn more about GDPR https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

California Privacy Rights

Following the passage of the European Union’s General Data Protection Regulation (“GDPR”), the State of California passed the California Consumer Privacy Act of 2018 (“CCPA”), which gives California residents unparalleled data privacy rights. The law took effect on January 1, 2020. The law applies to businesses that collect and sell consumer “personal information” or disclose personal data for a business purpose. CCPA gives California residents/consumers rights and control over the use of their personal information collected by businesses.

To whom CCPA applies

  • All for-profit businesses doing business in California that meet any of the following criteria:
    • Have a gross annual revenue of over $25 million;
    • Buy, receive or sell the personal information of 50,000 or more California residents, households, or devices; or
    • Derives 50% or more of their annual revenue from selling personal information of California residents.
  • CCPA does not apply to not-for-profit businesses or government agencies.

How We Collect, Use, and Share your Personal Information

The personal information we collect is described in Section 1 of this Privacy Policy. The business and commercial purposes for such collection are stated in Section 2 of this Privacy Policy, while the categories of businesses with whom we share this Personal Information are described in Section 3 of this Privacy Policy.

Your rights under the CCPA

As a California consumer, you have certain rights and control over the Personal Information we collect from you as a business under the CCPA. These rights are not absolute and are subject to certain exceptions. These rights include:

  1. The right to know: This means that you have the right to request access to the personal information that we collected about you, what it is used for and how we have shared it over the past 12 months;
  2. The right to delete: This means that you have the right to request deletion of the personal information collected subject to certain exceptions;
  3. The right to opt-out: You have the right to request to opt out of the sale of your personal information. At Vendasta, we are not in the business of selling your information to any third party;
  4. The right to non-discrimination: This means that you have the right not to be refused goods or services or to receive any discriminatory treatment for exercising your privacy rights.

How to exercise your rights under CCPA

You can exercise your rights yourself or you can designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Information, we will verify your identity or that of your agent by a method appropriate to the type of request you are making. Additionally, we may also request that your authorized agent has a written confirmation from you to make requests on your behalf.

Please use the contact information below if you would like to:

  1. Exercise your rights;
  2. Learn more about your rights or about our Privacy Policy; and
  3. Designate an authorized agent to make a request on your behalf.

By email to: privacy@vendasta.com