COMPLIANCE WITH THE GDPR
As the InStream Group, we were aware of the challenge we would have to face following the entry into force of the Regulation on the protection of natural persons with regard to the processing of personal data (“GDPR”). We have been conducting various activities related to the support of sales processes at our customers’ sites for several years and we know perfectly well how important the protection of personal data is in the development of sales processes. We found that preparation of our services for the GDPR, which consisted of auditing and adjusting measures, requires an adequate amount of time and reliability. Therefore, we have decided to deal with this issue several months before the regulation entered into force and involve legal firms specialising in the protection of personal data.
WHAT IS THE GDPR?
The GDPR is an EU regulation: it does not have to be implemented in the internal legislation of the Member States in order to be legally effective, and it applies simultaneously in every EU country.
WHO IS PROTECTED BY THE GDPR?
The GDPR concerns the protection of personal data of natural persons. Therefore, the regulation does not deal with the protection of data of companies or organisations.
WHAT ARE PERSONAL DATA WITHIN THE MEANING OF THE GDPR?
Is the phrase “John Smith” personal data? Article 4(1) of the GDPR states that “personal data means any information relating to an identified or identifiable natural person”. IDENTIFICATION is therefore the key element of this definition. This means that, depending on the circumstances, a given piece of information may or may not be considered personal data. Thus, the answer to the question posed at the beginning – whether the phrase “John Smith” is personal data – is: it depends 😊.
– Let’s imagine a situation where the expression “John Smith” is published on a company website in the “our team” tab along with the “Project Manager” label – then there is no doubt that identification of such a person is possible. In this case, we will be dealing with personal data.
– We can also easily imagine a situation where we see the expression “John Smith” without any additional information, written on a sheet of paper attached to a poster pillar on the street. Then, neither at the time of finding this sheet of paper nor in the near future can we clearly state which John Smith it is – so this is not personal data.
WHAT IS DATA PROCESSING?
The GDPR contains a very broad definition of data processing. It covers any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
WHO MUST COMPLY WITH THE GDPR?
The GDPR applies to all entrepreneurs; it is irrelevant whether the business activity is carried out as a sole proprietorship or as a commercial law partnership.
WHAT IS THE TERRITORIAL SCOPE OF THE GDPR?
Data processing as an activity is sometimes difficult to pin down. Typically, it takes place online, in computing clouds or on disks, so it is hard to determine when the processing takes place within the EU and when it is already outside EU territory. To settle this issue, the legislator specified that the GDPR also applies in situations where:
a) The entrepreneur is established outside the EU but carries out activities related to the business activity within the EU;
b) The entrepreneur offers its services to customers outside the EU but is established within the EU;
c) The entrepreneur processes data through cloud computing. This applies both where the server itself is located in the EU and where the data processing device itself is located in the EU.
BEFORE 25 MAY 2018, WE TOOK THE FOLLOWING STEPS TO ACHIEVE FULL COMPLIANCE OF OUR ACTIVITIES WITH THE GDPR (CHECKLIST):
Lawfulness, fairness, transparency
The basis for the processing of personal data of recipients of marketing campaigns is either their freely given consent, expressed by contacting us (Article 6(1)(a) of the GDPR), or information obtained by us which a company made available voluntarily, e.g. through announcements or cooperation proposals published in the public domain (Internet, press); the latter is justified by the specific needs of the controller as an entity holding a database of entities interested in commercial cooperation in the area covered by the announcement or cooperation offer (Article 6(1)(f) of the GDPR).
We have clearly defined the purposes of processing personal data of recipients of marketing campaigns, which include:
a) the execution of joint business undertakings and the performance of contracts or cooperation agreements;
b) the marketing of the services offered by the controller’s partners (as further authorised by recital 47 of the GDPR);
c) the search for optimal offers and solutions for business services based on information about the activities of prospective recipients of the campaign.
We limited our data processing activities solely to the purposes indicated above.
The scope of data we process is limited to the data necessary for the purposes for which they are processed. Data subjects include representatives and agents of companies and legal entities, employees responsible for purchases and cooperation in companies and legal entities or their designated contact persons, company owners, and members of statutory bodies in companies and legal entities. The categories being processed include the name, surname, contact details (e-mail, telephone number) and position of the contact person.
Data accuracy and storage limitation
We generate the data for each campaign organically, “from scratch”, which keeps it highly up to date. In addition, individual data are verified manually by our employees to further validate their accuracy. In every communication sent during a marketing campaign, we enable recipients to easily access their data, rectify them, restrict their processing or erase them.
Integrity and confidentiality
We have implemented an internal personal data security policy in which we have regulated in detail the procedures regarding:
– the rules for accessing data,
– the rules for entrusting data,
– the rules for making data available,
– data set safeguards,
– personal data breaches.
Processing of children’s data and sensitive data
As the InStream Group, we process neither children’s personal data nor the so-called sensitive data as part of our activities.
Obligation to provide information
As part of our marketing campaigns, we fully comply with the obligation to provide information to every data subject whose data are processed. Along with the business communications we send, we include all information required by Article 13 or Article 14 of the GDPR, as applicable.
In the course of our business, we neither profile personal data of representatives of our trading partners nor make automated profiling-based decisions.
“Privacy by design”
We have analysed the impact of our projects on the rights and freedoms of natural persons and the risk of violating them. On the basis of the analyses performed, we were able to implement adequate systems aimed at securing the data processed.
“Privacy by default”
We have implemented mechanisms in our personal data processing processes that limit the scope of the data processed to the minimum necessary to achieve our purposes of the processing. When designing new services, we take a privacy-by-default approach to the protection of personal data.
WHICH THIRD PARTY PROVIDERS DO WE USE WHEN PROCESSING PERSONAL DATA?