Verification knowledge hub
Implementing General Data Protection Regulation (GDPR), a new data privacy law from the European Union (EU), is not a one-time activity but an important process for every business that works with personal data in the EU.
For companies, GDPR means obligations for collecting, handling, or analyzing personal data with greater control over the personal data of the individuals.
Implementing organizational changes to comply with the GDPR is not an easy task. That is why our legal department made a highly detailed How-to guide for you. The guide offers a clear approach for creating and executing the GDPR compliance program — the necessary steps what to do and what to check.
Please note that our GDPR Guide has no legal force.
New, privacy and data protection law of the EU calls for more detailed privacy rules in the organizational systems, explicit data protection agreements, and consumer-oriented disclosures about privacy and data protection practices in the organisation.
GDPR applies to all companies and organisations, including freelancers, even those who store personal information in an address book. All material or digital devices and software should be checked and audited to be sure that all personal data on it is protected according to the new regulation.
GDPR is applied not just towards the organisations located in the EU, but to any globally operating company that processes data of the EU individuals, offers goods and services to them or monitors their behavior.
Under GDPR Personal data is any information related to an identified or identifiable individual. But it is not just the name or email address of a person. Financial information, an IP address, biometric data also fall within the GDPR protection.
Moreover, some categories of personal data are under a higher level of protection due to their sensitive origin. That includes information about political opinion, religious and philosophical beliefs, race and ethnic origin, trade union membership, genetic data, biometric and health data, information about a person’s sex life and orientation, criminal record information.
Processing of personal data means any operation that is conducted on personal data or on sets of personal data. Regardless if it is performed automatically, any process that stores or consults personal data is determined as processing. Most common activities are collection, recording, systemisation, structuring, storage, adaptation or alteration, retrieval, consultation, usage, disclosure by transmission, dissemination or opening information by any means, alignment or combination, restriction, erasure or destruction.
The data controller and the data processor — are two entitled bodies that can process personal data.
The data controller determines the purposes and means of the processing of personal data — alone or jointly with others. The data processor processes the information on behalf of the controller.
A decision on whether a controller or a processor will proceed the personal data should be made when designing an interaction model with the GDPR. It will help to understand what rights and obligations are entitled to each operator.
However, these roles could be dual. Sumsub is a good example. Sumsub processes personal data, such as the ICO contributor’s name, ID number, expiry date, and others, as soon as the data is sent by a user to Sumsub via Sumsub API. After that Sumsub uses the data to conduct the KYC process using the database systems and software. That is a function that Sumsub performs as a data processor.
Not all processing activities are GDPR-compliant. Under the GDPR you need to rely on a legal basis to stay compliant. There are six legal bases for processing the EU individuals’ personal data:
GDPR strict consent:
The important thing to do is to prove your legal basis by running a test based on this legal framework. A test means that you will document your compliance, your approach and the arguments that you have reviewed before.
Certain basic rights are now guaranteed to the individuals regarding their personal data:
Users have the right to know if their personal data are being processed, what and how it is being processed, and what are the data processing operations.
Users can prohibit particular data processing operations. Individuals may also object to the processing of their personal data for direct marketing purposes.
Individuals may request to complete or correct the incompleted or incorrect data to ensure that the processing of personal data is in compliance with applicable data protection rules.
Some circumstances allow users to restrict the processing of their personal data, for example when the user questions the accuracy of the data.
Users can request to erase the data when it is no longer necessary for the purposes of its collection, or if a user withdraws consent to the processing and no other legal basis allows to continue the processing.
Users can request that personal data held by one data controller can be provided to another controller.
Not so many data transfer mechanisms are available under the GDPR. Personal data flows from the EU to the United States. Privacy Shield framework is the main mechanism for this procedure. The EU-US and Swiss-US Privacy Shield is a method of ensuring that an organization provides a necessary level of data protection, by requiring that the organization should be certified and registered according to the requirements of the Privacy Shield framework.
A fine is imposed in case of non-compliance with the GDPR, and its sum might come up to 4% of global revenue or 20 million EUR.
The data protection authorities’ (“DPAs’ “) are rarely used in practice. They can impose additional measures, for example, a ban on data processing—temporarily or constantly.