Concepts & definitions
The following information is treated as concepts and is defined and customized as below:
1. Introduction
Within the processing activity performed on the Company's website, a variety of personal data is used, such as:
- Customers' data
- Data from users of the website
- Data from monthly/annual subscribers
The processing activity of these personal records is governed by the General Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR", "GDPR legislation"), which explicitly covers the processing activities of personal data, the extent to which entities process personal data, and their roles and responsibilities.
2. Data protection policy
2.1. The General Data Protection Regulation ("GDPR")
General Data Protection Regulation (GDPR) is the most important piece of legislation which directly affects the means by which the Company is processing personal data.
The present policy includes the main rules and procedures used by the Company in its processing activities developed within the website. It governs all the processing activities done on the website and provides a clear image of all GDPR requirements applied.
2.2. Definitions
"GDPR Legislation" means
Any legislation, decree, decision, resolution, regulation or secondary legislation from the European/National authorities and/or National Supervisory Authority concerning the processing, confidentiality and use of personal data, including:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and legislation issued by the National Supervisory Authority.
- Any European and/or local piece of legislation mentioned above, any guidelines, codes of conduct or certification mechanisms approved by the National Supervisory Authority throughout the period in which they are in force, and also any legislative act which amends or replaces them over time.
- Any judicial or administrative interpretation of any piece of legislation mentioned above.
"Controller" means
"The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law".
"Processor" means
"A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".
"Personal data" means
"Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
"Processing" means
"Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
"Personal data breach" means
"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".
"Supervisory Authority" means
"An independent public authority which is established by a Member State".
2.3. Principles on processing personal data
The processing of personal data shall comply with the following principles:
- Lawfulness, fairness and transparency. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Purpose limitation. Personal data shall be collected for specified, explicit and legitimate purposes;
- Data minimization. Personal data shall be adequate, relevant and limited to what is necessary;
- Accuracy. Personal data shall be accurate and, where necessary, kept up to date;
- Storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Integrity and confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data;
- Accountability. The controller shall be responsible for, and be able to demonstrate compliance with GDPR principles.
2.4. Data subject's rights
The data subject whose personal data the Company is processing under the GDPR has the following rights:
- The right to be informed
Under the GDPR, data subjects have the right to be informed about: the identity and contact details of the Controller, the Processor and the Data Protection Officer, if applicable (i.e. the entities which are processing the personal data); how the Company collects and uses their data; for how long it will retain the data; and with whom it will share their information.
- The right of access
Data subjects are entitled to know which of their personal information is processed by the Company, for which purposes, and how it is stored and used.
- The right to rectification
Data subjects can modify their shared data, complete it and correct it, if necessary.
- The right to erasure (right to be forgotten)
A data subject can at any time request the Company to permanently delete their information, without any further inconvenience. However, this right isn't applicable if the processing activity is based on compliance with a legal obligation of the Company.
- The right to restrict processing
The data subject has the legal right to forbid the Company to share his/her personal data in certain circumstances. In this way the data subject may restrict the processing to the minimum mandatory information needed for the Controller to fulfil its tasks.
- The right to data portability
Data subjects can request that their personal data be transferred to another entity; therefore they can legally request the Company to share their information with a third party under specific conditions and with strong security safeguards applied.
- The right to object
Individuals can object to the processing of their personal data for certain activities, such as direct marketing.
- Rights in relation to automated decision making and profiling
Data subjects can request that decisions about their data be made by a living person rather than by an automatically generated decision. In this case, the Company has the obligation to inform the data subject that his/her.
All the above rights are supported by distinct procedures elaborated within the Company in compliance with the GDPR's strict requirements and deadlines.
The deadlines within which the Company gives effect to, or answers, data subjects' requests under the GDPR vary as follows:
| Data subject's rights | Timescale for providing an answer to data subjects' requests regarding their rights |
|---|---|
| The right to be informed | When the data is collected |
| The right of access to personal data | Can be exercised by the data subject at any time within the processing period; the Company should follow up the request immediately and has to provide an answer to the data subject within 30 calendar days from the date the request is received |
| The right to rectification of personal data | Can be exercised by the data subject at any time within the processing period; the Company should follow up the request immediately and has to provide an answer to the data subject within 30 calendar days from the date the request is received |
| The right to erasure/deletion of personal data ("right to be forgotten") | Can be exercised by the data subject at any time within the processing period; the Company should follow up the request immediately and has to provide an answer to the data subject within 30 calendar days from the date the request is received |
| The right to restrict processing of personal data | Can be exercised by the data subject at any time within the processing period; the Company should follow up the request immediately and has to provide an answer to the data subject within 30 calendar days from the date the request is received |
| The right to data portability | Can be exercised by the data subject at any time within the processing period; the Company has to provide an answer or a solution/option to implement and follow up the request within a reasonable period of time (as soon as possible) |
| The right to object | Can be exercised at any time within the processing period and is implemented by the Company immediately |
| Rights in relation to automated decision making and profiling | Timing and procedures to be followed up; no specific mandatory timing |
2.5. Lawfulness of processing
The Company may process a person's data within its website only if the processing falls under one of the following legal grounds provided by GDPR in art. 6:
- "the data subject has given consent to the processing of his or her personal data for one or more specific purposes";
- "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract";
- "processing is necessary for compliance with a legal obligation to which the controller is subject";
- "processing is necessary in order to protect the vital interests of the data subject or of another natural person";
- "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller";
- "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child".
2.6. Controllers & Processors
If data processing is made by the Company through or together with a third-party, the Company will ensure at any moment that all the operations that target personal data processing are subject to a written contract between the Company and the third-party in scope.
From a GDPR perspective, based on roles and responsibilities, the contractual relationship between the parties can take different forms, as follows:
- Independent Controllers
Where two or more controllers process personal data from the same data subject within a common activity, but for different purposes, with possibly different legal grounds and different means of processing;
- Joint Controllers
Where two or more controllers jointly determine the purposes and means of processing; they shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation;
- Controller and Processor
The relationship in which the Processor shall not process personal data except on instructions from the controller, unless required to do so by Union or Member State law.
All the above-mentioned contracts, concluded with the processor (or processors) or joint controllers, as appropriate, will comply with the requirements and the express terms laid down by GDPR.
2.7. Data protection officer ("DPO")
"Data protection officer" is an appointed expert in data protection whose purpose is to monitor internal compliance with the GDPR, inform and advise the Company regarding its obligations, provide guidance on Data Protection Impact Assessments and represent the Company in relation to the National Supervisory Authority.
It is mandatory to appoint a DPO in the following scenarios:
- The processing is made by a public authority or a public body, excepting courts that act in their judicial capacity;
- The main activities performed by the Controller or the Processor consist of processing operations which by nature, field of application and/ or their purposes require regular or systematic monitoring of data subjects on a large scale;
- The main activities performed by the Controller or the Processor consist of large-scale processing of special categories of data as mentioned in Article 9 GDPR or of data regarding criminal convictions or criminal offences as laid down in Article 10 GDPR.
If the Company appoints a Data Protection Officer, in compliance with GDPR, the DPO will have the roles and responsibilities laid down by the Regulation. Furthermore, the DPO's name and contact details will be explicitly communicated to the National Supervisory Authority, and the contact details shall also be included on the Company's website.
In order to contact the DPO and obtain any information on personal data processing, a data subject can send an email to the above-mentioned address or send a letter to the Company's head office.
2.8. Security incidents/breaches
Personal data breach means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Even though GDPR does not include a specific definition of, or distinction between, incidents and breaches, it is very important to understand that any infringement of data security registered or suffered by the Company should be treated and managed as a data security incident.
If the incident, by its consequences and losses, falls under the GDPR provisions regarding data breaches, the Company has to duly comply with the GDPR requirements regarding data breach investigation and notification.
In case of a security incident or breach, the Company:
- Will investigate the occurred security incident immediately;
- Will take appropriate actions in order to minimize the impact and consequences and any prejudice that may occur, as well as the reasonable measures to prevent this sort of incidents in the future;
- Will develop and implement a reaction plan in order to counter the security incident;
- Will minimize the reaction time; the period between the incident and its detection has to be as short as possible in order for the response to be as efficient as possible;
- Will carry out an Impact Assessment Procedure in order to determine the level of intrusion, the gravity of the incident and the possible risks that may arise;
- Will appoint a team composed of at least one member from each department of interest, including Legal and IT;
- If the incident is a data breach (according to GDPR rules) and it falls under GDPR requirements for notification, the Company will notify the breach to the appropriate Authority within 72 hours from the moment it found out about the occurrence of the incident.
If the data breach is likely to result in a high risk to the rights and freedoms of the data subjects, the controller informs them of the breach, in clear and plain language, describing the following:
- the nature of the personal data breach;
- the name and contact details of the controller's data protection officer or other contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
2.9. Requirements in compliance to GDPR
The following actions will be used by the Company in order to be in compliance with GDPR. All of them will be frequently reviewed in order to meet the GDPR requirements:
- The Company will frequently ensure that a justified legal basis is always used within the processing activities;
- A DPO is appointed if it’s required by GDPR;
- All the Company's employees must comply with the GDPR principles;
- The Company will constantly develop training sessions for its employees and/or third parties involved in the Company's data processing activities;
- All the Company's employees have been instructed, and are continuously instructed, on personal data processing activities;
- Explicit consent must be obtained from the consumer regarding his/her personal data processing, when consent is used as legal ground for data processing activity;
- All compliance policies will be frequently audited in order to be updated to GDPR requirements;
The following elements are well documented within the processing of personal data activities:
- The organization's name as Controller;
- The purposes for which personal data are collected;
- The categories of personal data that are collected;
- The retention periods for which personal data are kept;
- The protection and security policies regarding the use of personal data.