What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). Article 5 of the GDPR sets out the six principles of data protection. These principles are the foundation of the GDPR and require that personal data is:
- processed lawfully, fairly and in a transparent manner;
- used for the purpose for which it was collected (and that purpose is expressly specified and legitimate);
- relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- stored for no longer than is necessary for the purpose for which the personal data is processed; and
- processed in a manner than protects the security and confidentiality of the personal data.
We operate within this framework, where the controller of the personal data is responsible to comply with the above six principles. Furthermore, the controller of the personal data will be required to demonstrate compliance with these principles, so it is important that appropriate policies are in place.
Privacy By Design & Privacy By Default
We implement technical and organisational measures at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). We ensure that personal data is processed with the highest privacy protection (for example only the data necessary is processed, short storage period, limited accessibility) so that by default personal data isn’t made accessible to an indefinite number of persons (‘data protection by default’).
Privacy by Design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that the IT department, or any department that processes personal data, must ensure that privacy is built in to a system during the whole life cycle of the system or process.
Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user. In addition, any personal data provided by the user to enable a product’s optimal use should only be kept for the amount of time necessary to provide the product or service. If more information than necessary to provide the service is processed, then “privacy by default” has been breached.
Data Controller / Data Processor Relation
The data controller determines the purposes for which and the means by which personal data is processed. So, if your company decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.
Your company is a joint controller when together with one or more organisations it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.
The data processor processes personal data only on behalf of the controller.
Specific to our solutions, the activities we undertake are legally framed as data processing for Omnichannel CRM, Location Based Marketing and Loyalty App and as joint controller for Ecosystem Analytics. The duties of the processor towards the controller and the joint controller role must be specified in a contract or another legal act. We propose specific Data Processing Agreements that clarifies the role of every company involved.
Data processing for marketing purposes
For the purposes of direct marketing, personal data are often gathered from the data subject (customer). For instance, when shopping for some items, an individual leaves his/her contact details and wishes to be notified about new merchandises.
Personal data must be processed legally and fairly, in an amount which is necessary to achieve the purpose of direct marketing. GDPR states that processed data must be adequate to the purpose and must be proportionate. Authenticity and accuracy of the data must be ensured. Data must be kept for a term which is required for achieving direct marketing purposes.
Direct marketing provider (the controller) is obliged to:
- Provide complete information to the customer about the sources of data;
- Provide the customer with its contact information;
- Provide the customer with the opportunity to request termination of the use of data in a form, which is used for direct marketing and/or define available and adequate means for such a request (e.g. when sending a commercial notification, indicate telephone number or a website, where one can refuse to receive such notifications);
- Take organizational or technical measures, which allow for protection of data from accidental or illegal destruction, amendment, disclosure, obtaining, any other form of illegal use or accidental or illegal loss.
- Cease processing of customer’s personal data for direct marketing purposes at request (cease data processing even in case when direct marketing is carried out via advertising agencies), which includes deletion of data from the database and termination of notifications.
What is personal data?
Personal data is defined in the GDPR as: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The GDPR covers the processing of personal data in two ways:
- personal data processed wholly or partly by automated means (information in electronic form) – that is our case
- personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (manual information in a filing system).
Examples of types of personal data collected in an electronic form by our tools:
- Classic Data: Name, Surname, Date/Place of Birth, Address, Telephone, Profession, CNP, etc
- Digital Data: Email, Social Media Profiles, etc
- Sensible Data: Biometric Data (Photos of the user)
Legal ground for processing
There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason. If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
Processing of personal is lawful if it is based on one of a limited the following legal grounds:
- necessary for the purposes of legitimate interest pursued by the controller;
- consent of the data subject;
- processing is necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract;
- necessary for compliance with a legal obligation
- necessary to protect the vital interests of a data subject or another person;
- necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
For processing activities relating to special categories of data, different grounds are applicable. Processing of special categories of personal data must be based on one of a limited set of legal grounds:
- explicit consent of the data subject;
- necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement;
- necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent;
- processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members;
- personal data manifestly made public by the data subject;
- necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity;
- necessary for reasons of substantial public interest;
- necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services or a contract with a health professional;
- necessary for reasons of public interest in the area of public health;
- necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes.
Sharing the data with third party apps
At this moment we use three types of integrations:
- Integration with client owned digital properties (websites, loyalty apps, other data collectors)
- Integration with direct marketing apps that are delivering emails and SMS messages to clients (BizPack & Campaign Monitor)
- Integration for remarketing and reporting purposes with Facebook, Google and LinkedIn services (through Footprints for Retail App or API).