GDPR 101: The Basics
What is GDPR?
GDPR stands for General Data Protection Regulation, the European Union’s framework for data protection law. GDPR emphasizes responsible handling of personal data by companies and public authorities in order to protect individuals’ privacy and personal data from misuse or exploitation. It replaces the 1995 Data Protection Directive, which was not written with the contemporary uses of data enabled by the internet and services such as Facebook and Google in mind. Being a regulation rather than a directive, GDPR applies directly in every EU member state without separate national implementing laws. GDPR focuses on the handling of personal data and on designs that center around the data subject.
It applies to EU and non-EU companies and organisations alike, wherever they process the personal data of individuals who are in the EU.
What comes under Personal Data?
Any information relating to an identified or identifiable natural person (data subject).
An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Who are “Controllers”, “Processors” and “Subjects”?
When it comes to the data processing flow, we have three entities playing the GDPR game:
- Data Controllers: the organisation that determines the purposes and means of the processing (your company, when you collect, review and aggregate data about your customers).
- Data Processors: the party that processes personal data on behalf of, and on the documented instructions of, the controller (for example, the company delivering the tools used to collect the data).
- Data Subjects: the identified or identifiable natural persons to whom the personal data relates (every individual is a data subject with respect to the data about them).
The GDPR consists of 99 articles divided into 11 chapters. The crux of the most important articles:
Extended Jurisdiction: Applies to all organisations processing the personal data of data subjects who are in the EU, regardless of where the organisation is established, whenever the processing relates to offering goods or services to those data subjects or to monitoring their behaviour.
Penalties: Up to 20 million EUR, or in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher. A lower tier (10 million EUR or 2 %) applies to infringements of the controller’s and processor’s own obligations, such as failures in record keeping, security or breach notification.
Consent: Consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it is to give. It must be an active, affirmative action by the data subject, rather than the passive acceptance allowed by earlier models such as pre-ticked boxes or opt-outs. If the purpose of the processing changes, the data controller must go back to the data subject with a new consent request and let him or her accept or refuse it. Companies cannot use vague or confusing statements to obtain agreement, and cannot bundle consent for different purposes together: each purpose needs its own consent.
Information of Children: Under GDPR, where online services are offered directly to a child, a company may not rely on the consent of anyone under 16 without the authorisation of the holder of parental responsibility (member states may lower this age threshold to as low as 13). A process to verify age and to obtain parental consent when necessary needs to be implemented.
Mandatory Breach Notification: A personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; if notification is late, the reasons for the delay must be given. A processor must notify the controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
Right to Access: Data subjects have the right to ask the data controller whether personal data concerning them is being processed, where and for what purpose, and to receive a copy of that data free of charge. As an organisation, you must respond within one month of receiving the request; this may be extended by a further two months where requests are complex or numerous, provided the data subject is told of the extension within the first month.
Right to Be Forgotten: The data subject has the right to ask the data controller to erase his or her personal data without undue delay, for example where the data is no longer necessary for the purpose it was collected for, where consent is withdrawn and no other legal basis applies, or where the data has been unlawfully processed. The right is not absolute: the controller may keep data it is legally obliged to retain or that it needs to establish, exercise or defend legal claims.
Data Portability: The right of a data subject to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format, and to transmit that data to another controller (directly from one controller to the other, where technically feasible).
One-Stop-Shop: For organisations active in multiple EU countries, the GDPR provides a central point of enforcement through a system of co-operation and consistent procedures that has been coined the ‘one stop shop’ mechanism: the supervisory authority of the organisation’s main establishment acts as lead authority.
Data Protection Officers (DPOs): Data controllers and processors must designate a Data Protection Officer (as part of their accountability programme) where they are a public authority, where their core activities involve regular and systematic monitoring of data subjects on a large scale, or where they process special categories of data on a large scale. The DPO advises the organisation on its data protection obligations, monitors compliance, acts as the contact point for the supervisory authority and data subjects, and must be able to perform these tasks independently.
Where does Celerispay stand?
Is Celerispay a data processor or a data controller?
When it comes to the use of our payment gateway portal, Celerispay is a processor, while the merchants who use Celerispay services to process payments for their customers are the controllers. The customers are the data subjects. Celerispay will follow the documented instructions of its merchants when processing personal data on their behalf. However, Celerispay is the controller of the personal data it collects itself from individuals in the EU who visit the Celerispay website or who are our clients.
Does Celerispay have data centers in Europe?
Yes. Celerispay uses Microsoft Azure as its hosting provider and stores the data of individuals in the EU only within the European Economic Area (EEA). The data is hosted in data centers in the Netherlands, with backups in Ireland. Should one of our sub-processors based outside the EU need to store your data, we will obtain your prior written consent before engaging them.
How will Celerispay ensure that clients are able to comply with a data subject’s right of rectification, right to be forgotten, and right of access under GDPR?
As a data processor, Celerispay has already updated its portal so that clients can respond to requests from individual data subjects. Our aim is to make it straightforward for clients to comply with the rights of data subjects in the EU via the Celerispay Portal.
How will Celerispay enable clients to stop collecting personal data from an EU data subject who has either not given consent to the processing of their personal data, or who has withdrawn consent?
Under GDPR, when an individual withdraws consent, the controller must stop the processing that relied on that consent and, unless another legal basis applies, erase the personal data it holds on them (processing carried out before the withdrawal remains lawful). When an individual objects to processing, the controller must stop unless it can demonstrate compelling legitimate grounds that override the individual’s interests. Celerispay’s portal can be configured to stop collecting personal data from someone who has not given consent for data processing (or who has withdrawn it). With that said, it is the merchant’s responsibility under GDPR to obtain and document consent, or to determine another legally adequate basis, before processing the personal data of any individual in the EU.
Will Celerispay be making updates to restrict personal data from being available to employees who don’t need it in their role?
It is already the case that only those Celerispay employees who need to access personal data in order to support the portal’s operations, to comply with applicable law, or to act as directed by clients are allowed to access or process our clients’ personal data.
Will Celerispay be making updates to allow for the deletion all personal data about a consumer upon request?
Yes. By May 25, 2018, Celerispay clients will have the ability to export or delete all personal data about specific individuals from the Celerispay portal, in compliance with GDPR requirements.
Will Celerispay be making updates to record the dates on which marketing consents were changed?
Under GDPR, Celerispay clients are responsible for all record keeping related to when data subjects in the EU provided or revoked their consent, as part of their obligations as data controllers: a controller must be able to demonstrate that the data subject consented to the processing.
Will Celerispay ensure that its sub-processors are also in compliance with GDPR?
Because Celerispay remains responsible to its merchants for the acts and omissions of its sub-processors and for ensuring that they comply with GDPR, we have required all of our sub-processors to enter into contractual agreements that mandate compliance with GDPR and impose the same data protection obligations that apply to Celerispay.
Does Celerispay have any other public-facing documentation about its GDPR compliance activities?
Definitely! Check out more GDPR information, including the Celerispay Privacy Policies. These documents are updated as necessary to enable our clients to understand and track Celerispay’s GDPR compliance program.