GDPR – How do we comply

GDPR Compliance

What is GDPR

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organisations across the region approach data privacy.

What is the Scope of GDPR

GDPR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens and the monitoring of behaviour that takes place within the EU.

What is Privacy by Design

Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition. In other words: the controller shall implement appropriate technical and organisational measures in order to meet the requirements of the GDPR regulation and protect the rights of data subjects.

GDPR calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting the access to personal data to those needing to carry out the processing.

The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. We have redesigned our consent to make it clearer and more user-friendly for our users.

How do we handle Right to Access?

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.

Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. We have developed a new feature where users of our platform can download their personal data.

How do we handle Right to be forgotten?

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests. We have developed a new feature where users can remove their profile.

How long do we store data?

We will only store the personal data that is necessary and keep storage periods to a minimum, storing your personal data only for such a length of time as its purpose requires us to. To be compliant, the set data storage periods are subject to a quarterly internal review by our Chief Privacy.

Where do we store data?

We have teamed up with our reliable IT suppliers, Linode and Tilaa, for the hosting of our platform. We will be concluding written arrangements with these suppliers in order to ensure that your rights to data protection are protected. We will also ensure that your personal data will not leave the European Economic Area (EEA) and will also be concluding arrangements with our suppliers in that respect.

How do we make sure we stay GDPR compliant?

The Chief Information Security Officer (CISO) at GoodUp is entrusted with monitoring how we treat personal data at our organisation. The CISO will check whether our organisation operates in accordance with the applicable rules and regulations.

We will regularly (once a quarter) subject our organisation to an internal privacy review. Such a review will be conducted in order to determine why, in what way, and for how long personal data are being processed by us. This will see us map any potential risks to which these data may be exposed and take any such measures as may be required to prevent these from materialising.

Breach notification

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.

In the event that, despite all the precautions we are taking, a data leak were to occur and adversely impact you, we will notify you of such an eventuality as soon as possible (within 72 hours). If required, we will also notify the respective supervisory authorities of such an eventuality as soon as possible (within 72 hours).