The EU General Data Protection Regulation (GDPR) strengthens the protection of personal data for individuals in the European Union. The regulation takes effect on May 25, 2018.
See GDPR Features to learn how our platform supports the GDPR.
The GDPR applies to anyone in the EU who processes personal data, as well as to any organization outside the EU that processes the personal data of individuals in the EU.
If you manage personal data of any type, including email addresses, the GDPR will most likely affect your organization.
Consent is initially defined in Article 4 and is addressed throughout the GDPR.
Consent needs to be informed. Organizations are required to present information about data usage “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12). Consent must be freely given, specific, informed and unambiguous, expressed by a statement or a clear affirmative action (Article 4), and organizations must be able to demonstrate that individuals have given consent (Article 7).
When an organization collects personal data, it is required to provide information in accordance with Article 13.
Articles 12-23 set out the rights of individuals (data subjects) under the GDPR, which expand their rights over their personal data.
Article 15, the right of access, grants individuals the ability to request information about how their data is being used and to request a copy of the data being processed.
Article 16, the right to rectification, grants individuals the right to have a controller correct inaccurate personal data.
Article 17, the right to erasure, allows individuals to request that their data be erased under certain circumstances, such as when the data is no longer needed for the purpose for which it was originally collected, when the individual withdraws consent, or when the data was processed unlawfully.
Article 18 gives individuals the right to restrict how their data is processed in specific circumstances.
Article 20, the right to data portability, grants individuals the right to receive their personal data in a structured, commonly used and machine-readable format so that they can use it elsewhere.
Article 21 grants individuals the right to object to the processing of their data, "unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."
The GDPR contains a variety of requirements around the processing of personal data. In this section we outline the most important data processing requirements and point to the applicable articles of the GDPR.
A Controller is the organization that determines why and how personal data will be processed. A Processor is the organization that processes personal data on the Controller's instructions. The responsibilities of each party are laid out in Articles 24-43.
Generally, ExpressPigeon is a Processor and users of ExpressPigeon are Controllers. It is possible for an organization to be both a Processor and a Controller.
Article 28 states that Controllers must have clearly documented contracts with Processors that define the requirements of processing. These contracts are required to be “in writing, including in electronic form.” The required terms of a processing contract are listed in the same article.
Article 37 states that many organizations will be required to appoint a data protection officer. The data protection officer's responsibilities are outlined in Article 39.
Transfer of personal data to third countries or international organizations
Articles 44-50 address the specific requirements for transferring personal data to third countries (countries outside the EU) or to international organizations. The GDPR does not require the personal data of individuals in the EU to stay in the EU, but it does impose conditions on such transfers.
This page is not a legal document and does not constitute legal advice. We encourage you to seek legal counsel if you have further questions.