GDPR: General Data Protection Regulation
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, creates consistent data protection rules across Europe. It applies to organizations that are based in the EU and to organizations anywhere in the world that process personal data about individuals in the EU.
While many of its principles are similar to prior EU data protection rules, the GDPR has a wider scope, more prescriptive standards, and substantially higher fines.
What is FLUICS’ position on the GDPR?
Key Legal Bases
Under the GDPR, there are a number of approved reasons (or "legal bases") on which a company may legitimately process a person's data. Below, we've outlined the legal bases most relevant to FLUICS.
Contract: the data processed must be necessary to provide the Service and be defined in the contract with the individual.
Consent: requires freely given, specific, informed and unambiguous consent, given by a clear affirmative action.
People have the right to withdraw consent at any time, and this right must be brought to their attention.
Consent must come from a person over the age of consent set by the relevant Member State; otherwise it must be given or authorised by a parent or guardian.
Explicit consent is required for some processing (e.g., of special categories of personal data).
Legitimate interests: a business or a third party has legitimate interests that are not overridden by the individual's rights, freedoms or interests.
Processing on this basis must stop if the individual objects, unless compelling legitimate grounds for continuing can be demonstrated.
Is FLUICS a data controller or a data processor?
"Data controller" and "data processor" are important concepts for understanding a company's responsibilities under the GDPR. Depending on the scenario, a company may be a data controller, a data processor, or both, and has specific responsibilities as a result:
A company is the data controller when it decides the 'purposes' and 'means' of any processing of personal data.
Data controllers have to adopt compliance measures covering how data is collected, what it is used for and how long it is retained, and must ensure that people can exercise their right to access the data held about them.
A company is the data processor when it processes personal data on behalf of a data controller. Certain obligations apply directly to data processors, and controllers must bind them to specific contractual commitments to ensure that data is processed safely and lawfully.
FLUICS operates the majority of our services as a data controller, but there are some circumstances in which we operate as a data processor. When working with organizations that run FLUICS CONNECT as an on-premise installation, FLUICS processes data on the organization's behalf, and the organization must have an appropriate legal basis for FLUICS to process this data. For some data points (usage information) FLUICS may also be considered the data controller.
Services as data processor
Where FLUICS provides services to our EU partners as a data processor on their behalf, we will ensure that we comply with the specific requirements the GDPR places on data processors.
Where we appoint third parties to act as data processors on our behalf, we will ensure that appropriate contractual terms are in place to meet our obligations under the GDPR and to safeguard our data.
Where we act as a data processor on an organization's behalf, we rely on that customer's legal basis, as the data controller, for our processing of such data.