Referins is committed to safeguarding the privacy of your personal data. This article provides an overview of our role in GDPR compliance, how we handle personal data, and what steps we take to protect it. By understanding the key concepts of GDPR, businesses can navigate data protection more effectively and responsibly.
Scope of the law:
The GDPR applies to you even if you or your organization are not based in the EU. It applies if you process the personal data of EU citizens or residents, or if you offer goods or services to citizens or residents of the EU.
Privacy Rights of the People:
People, referred to as “data subjects” in the GDPR, are protected by privacy rights when using the Internet. The eight rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
Key definitions:
While the GDPR defines several legal terms, below are some of the most important ones for quick reference.
- Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.
- Data processing — Any action performed on data, whether automated or manual. The examples cited in the regulation include collecting, recording, organizing, structuring, storing, using and erasing; in practice, almost any operation on personal data counts as processing.
- Data subject — The person whose data is processed. These are your customers or site visitors.
- Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
- Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud storage services like Tresorit or email service providers like ProtonMail.
NOTE: Definitions taken directly from https://gdpr.eu/
Data protection principles:
If you or your business process personal data, you must follow the seven protection and accountability principles described below (and set out in Article 5.1-2 of the full law).
- Lawfulness, fairness, and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
NOTE: Definitions taken directly from https://gdpr.eu/
Conclusion:
GDPR compliance should be taken seriously. By understanding the privacy rights of data subjects and the data protection principles, you can ensure you are doing your part to keep your business compliant. The key definitions give an overall understanding of the roles involved and of who and what is covered under the GDPR.
Please note, the full GDPR is over 80 pages in length. This brief overview provides a summary of key points for consideration when managing data collection for your business. The purpose of this article is to provide general information and an overview. It is in no way an exhaustive list of all details or relevant facts. This article is NOT legal advice on how to implement appropriate GDPR compliance. We strongly encourage you to consult with your HR, business support/legal team, etc. to ensure you and your business comply. For more information, please visit: https://gdpr.eu/
FAQ:
1. What are the penalties for non-compliance with GDPR?
Organizations that fail to comply with GDPR can face fines of up to €20 million or 4% of their global annual revenue, whichever is higher.
2. How does GDPR affect marketing activities like email campaigns?
GDPR requires explicit consent from individuals before you can send them marketing emails. Consent must be freely given, specific, informed, and unambiguous.
3. How does GDPR impact small businesses?
Even small businesses are required to comply with GDPR if they handle the personal data of EU citizens or residents. The regulations apply regardless of the size of the organization.
4. What steps should my organization take to comply with GDPR?
Key steps include conducting a data audit, ensuring you have a lawful basis for processing data, updating privacy policies, obtaining explicit consent, and implementing data protection measures like encryption.
5. Can individuals withdraw their consent under GDPR?
Yes, individuals have the right to withdraw their consent at any time, and businesses must respect this decision and stop processing their data.
6. What is "data portability" under GDPR?
Data portability allows individuals to request a copy of their data in a structured, commonly used format, so they can move it to another service provider.
7. What is the difference between the "right to be forgotten" and the "right to restrict processing"?
- Right to be forgotten: Individuals can request that their data be deleted entirely.
- Right to restrict processing: Individuals can request that their data be used only for specific purposes without full deletion.
8. How does GDPR affect automated decision-making and profiling?
Individuals have rights regarding decisions made solely by automated processes, including the right to object or request human intervention if the decision significantly affects them.
9. What are the documentation requirements under GDPR?
Organizations must maintain detailed records of data processing activities, including the purpose, data categories, and security measures, especially if they process large volumes of personal data.
10. How should a business respond to a data breach under GDPR?
If a data breach occurs, the organization must report it to the relevant supervisory authority within 72 hours and notify affected individuals if the breach poses a high risk to their rights and freedoms.