Since May 25th, the new European General Data Protection Regulation (GDPR), which governs the collection, use and storage of personal data, has been in force in Greece and the other European Union countries. Most importantly, the GDPR strictly lays down the obligations of operators and companies regarding the collection, use and storage of personal data, and the rights of citizens and users.
The aim of the EU is to apply stricter rules so that 250 million internet users in Europe, and citizens in general, can more easily control the personal data that others (businesses, organizations, social media) collect, process and share with third parties.
Companies that process personal data now have to state clearly for what purposes they use it, how long they store it, with whom they share it, and whether it will be transmitted outside the EU.
Companies must also provide contact details for those responsible for data processing and protection. All of this information should be worded with the utmost clarity.
At the same time, any company (or organisation) that uses, processes or stores such data must be ready to deliver, modify or erase a user's personal data on request.
To understand the implementation of the GDPR, we studied:
- The detailed presentation of the GDPR rules on the EU website,
- ESET Hellas's "Overview of General Data Protection Regulation (GDPR) on How to Impact Your Business",
- The related analysis by the Panhellenic Federation of Tax Freelance Professionals (PFFEE).
Below we briefly explain, especially for companies that run web sites, e-shops, web applications or mobile applications and use personal user data, what they need to watch out for and how to comply with the GDPR rules.
The basic rules of the GDPR
- Consent to the use of personal data
(a) Scope of application: personal data should be collected only for specific, explicit and legitimate purposes and should not be further processed in a manner incompatible with those purposes.
(b) Principle of data minimisation: only the personal data necessary for the original purposes should be processed.
- Right to object and right to erasure
The user's right to request the deletion or correction of their personal data.
- Right to data portability
The user's right to request the transfer of their data whenever they wish.
- Notify the Data Protection Authority within 72 hours if a data breach is detected
The obligation of every company or organisation to inform the Personal Data Protection Authority within 72 hours if a breach of its data files is detected, whether through hacking or in any other way.
- Increased compliance obligations for controllers, who must check whether the operations of the company or organisation comply with the GDPR rules.
Examples of personal data:
- name and surname
- e-mail address that identifies a person, e.g. firstname.lastname@example.org (as opposed to a generic address such as email@example.com)
- identification document number (e.g. identity number, passport, driving license, etc.)
- location data (e.g., location data function on a mobile phone)
- IP address
- web browser ID (e.g., cookie)
- the advertising ID of a phone
- data held by a hospital or doctor, which could be a code that uniquely identifies one person (this falls into the category of sensitive personal data).
What you need to do to adapt to GDPR
Data protection by design for the website, e-shop or application.
Develop all online tools to implement privacy measures on your products, services, or files from the early stages of developing your website, e-shop, or app.
You should be able to respond immediately and free of charge to requests for:
- Consent to keep data or to inform users
- Revocation of consent
- Access to the data (where possible)
- Correction of data
- Deletion of the data
- Restriction of processing
- Delivery of data in electronic form
- Transfer of the data to another organisation
You should also take care to:
Ensure strict security measures for the online protection of personal data.
When you request personal information, make clear to the people you ask who you are, why you need the specific data, why you process it, how long you will keep it and who will receive it.
Access and transferability
Give individuals access (directly or indirectly) to their data and let them give it to another company.
Give them the "right to be forgotten": delete their personal data on request, but only where doing so does not undermine freedom of expression, which the GDPR protects.
Give individuals the right to opt out of direct marketing practices using their data.
Transmission of data outside the EU
Make legal agreements when it comes to transmitting data to countries that have not been approved by the EU authorities.
Obtain explicit consent to data processing or transmission anywhere.
Tell people about data breaches if they pose a serious risk to them.
Profiling
If you use profiling to process individuals' applications for legally binding agreements, you must:
- Inform your customers
- Have a person, rather than a machine, review the process if the application is ultimately rejected
- Grant the applicant the right to challenge the decision or request a justification.
Protection of sensitive personal data
Apply additional, stronger protection measures if you categorise, process or otherwise use information about people's health, race, sexual orientation, religion or political beliefs.
Access to third parties
Grant your associates access to individuals' personal data only under specific circumstances and only if they demonstrate their own compliance with the GDPR.