The General Data Protection Regulation (GDPR) is the European Union data protection law governing the use and handling of the personal data of individuals in the EU. The GDPR became enforceable on May 25, 2018 and applies to all organizations established in the EU and to all organizations anywhere in the world that process the personal data of EU data subjects.
Regardless of the country in which your company is based, if you collect or process the personal data of anyone in the European Union, this law applies to you.
The three primary objectives of the GDPR are as follows:
- To give individuals in the EU control over how their personal data is used.
- To standardize data protection regulation across the European Union.
- To ensure that companies are aware of their responsibilities regarding the personal data of EU data subjects.
What is personal data?
As per GDPR Article 4(1), the GDPR provides the following definition of “personal data”:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Furthermore, the GDPR only applies to personal data processed in one of two ways:
- Personal data processed wholly or partly by automated means (or, information in electronic form); and
- Personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (or, written records in a manual filing system).
What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Is Eventi Express Inc the Data Controller or a Data Processor?
Eventi Express Inc is the Data Processor.
Under GDPR Article 4(8), “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Eventi Express Inc processes data on behalf of the controller (the client), whereas the controller determines why and how that data is used. Eventi Express Inc does not own or control the data and only processes personal data in accordance with the explicit instructions of its clients (the controllers). In all instances our clients are the ‘data controllers’ of the data they collect through us.
Eventi Express Inc performs the following:
- Designs, creates, and implements IT processes and systems that enable the data controller to gather personal data.
- Uses tools and strategies to gather personal data on behalf of the controller (client).
- Implements security measures that safeguard personal data.
- Stores personal data gathered on behalf of the data controller.
- Transfers data directly to the data controller.
As the Data Processor, Eventi Express Inc is required to:
- Process personal data only on documented instructions from the controller, and inform the controller if it believes an instruction infringes the GDPR (28.3). In other words, a data processor may not opportunistically use or mine the personal data entrusted to it for purposes not set out by the data controller.
- Obtain prior written authorization from the controller before engaging a sub-processor (28.2), and remain fully liable to the controller if a sub-processor fails to meet its obligations under the GDPR (28.4).
- At the controller's choice, delete or return all personal data to the controller at the end of the service contract (28.3.g).
- Make available the information needed to demonstrate compliance, and allow and contribute to audits conducted by the controller or an auditor mandated by the controller (28.3.h).
- Implement appropriate technical and organizational security measures, such as encryption and pseudonymization, ongoing availability and resilience of systems, backup and disaster recovery, and regular security testing (32.1).
- Notify the data controller without undue delay after becoming aware of a personal data breach (33.2).
- Transfer personal data to a third country only where appropriate legal safeguards are in place (46).
How does Eventi Express Inc treat personal data?
Eventi Express Inc continues to keep itself informed and to invest in the security of its clients' data to ensure it remains compliant with applicable legislation.
Will the GDPR apply when Britain leaves the European Union?
United Kingdom data protection legislation is derived from the European Union Directive on data protection. The Data Protection Act 2018, in force from May 25, 2018, replaces the Data Protection Act 1998 and incorporates the GDPR into UK law.
The purpose of the new Act is to ensure that the United Kingdom and European Union data protection regimes remain aligned after the United Kingdom leaves the European Union.