What is the General Data Protection Regulation (GDPR)?
The General Regulation is a new European regulation on the protection of personal data, effective from 25 May 2018, which replaces Act No. 101/2000 Coll., on the Protection of Personal Data. The GDPR sets out the rules for the processing of personal data, and these rules also govern FreshFlow Systems s.r.o.
Who has to comply with GDPR?
The General Regulation must be complied with above all by every entity that carries out the processing of personal data, i.e. personal data controllers; these are mostly FreshFlow users or their headquarters. It must also be followed by entities that process personal data on behalf of a controller, i.e. processors, which in this case is FreshFlow Systems s.r.o. The rights arising from the General Regulation accrue to natural persons, the data subjects, who are in particular your clients.
What is personal data and processing of personal data?
Personal data is any information about an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier (name, number, network identifier, etc.) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Processing means any operation or set of operations that is carried out on personal data, whether or not by automated means, such as collecting, recording, arranging, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying. It follows that personal data stored in FreshFlow may be processed within the meaning of the GDPR.
What principles to follow during processing?
The following principles constitute the basis of legal processing and must be observed when processing personal data by you:
- lawfulness, fairness, transparency – you can only process personal data on the basis of at least one legal reason (title) and you must act transparently and fairly towards clients as data subjects;
- purpose limitation – you may only collect personal data for clearly defined purposes about which you must inform your clients;
- data minimization – you can process client data only to the extent necessary to fulfill the given purpose;
- accuracy – the personal data you process should be accurate and up-to-date;
- limitation of storage – you may process personal data only for the time necessary for the given purpose;
- integrity and confidentiality – personal data should be technically and organisationally secured so that it cannot be accessed, copied, disclosed, altered or destroyed without authorisation through a breach of security measures.
What do the legal grounds (titles) for the processing of personal data mean?
Legal grounds (titles) are understood as the controller's entitlement to process personal data. Processing may be based on (i) consent; (ii) performance of a contract; (iii) a legal obligation; (iv) the protection of the vital interests of the data subject; (v) the performance of a task carried out in the public interest or in the exercise of official authority; or (vi) the legitimate interest of the controller or a third party. A legal ground (title) is a basic prerequisite for processing in accordance with the GDPR; if you have none of the above legal grounds for processing personal data, you cannot legally process it.
The legal ground is always determined according to the purpose for which you carry out the processing. In the case of the processing of personal data of your clients that you store in FreshFlow, it will most often be processing based on the consent granted to you by the client, or the processing of data that you need for the performance of a contract concluded with a client or for the fulfillment of an obligation imposed on you by law.
What should consent to the processing of personal data look like?
The consent to the processing of personal data given by your clients must be freely given, specific, informed and unambiguous. It is an active and voluntary expression of the will of your clients as data subjects, which they must not be coerced into giving. It is given for a specific purpose of processing, of which your clients must be informed.
Consent is always revocable. In the event of withdrawal of consent, you are obliged to stop processing (or to destroy) the personal data for the purposes specified in the consent; at the same time, you may continue to process the personal data for other purposes for which you rely on a legal ground other than consent.
What is sensitive data?
Sensitive data (or special categories of personal data) are personal data that reveal a natural person’s racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health or sex life or sexual orientation, and genetic and biometric data that are processed for the purpose of uniquely identifying a natural person.
If you process sensitive data, you must have the explicit consent of your clients as data subjects or comply with another exception provided for by the GDPR.
What are the rights of data subjects?
All your clients have the right to certain information about the processing of their personal data. This is primarily information about the purpose of processing, legal reason, processing time, etc. A full list of the information you must provide to clients when collecting their personal data can be found in Art. 13 and 14 GDPR (information obligation).
In addition, your clients (usually if other conditions are met) also have further rights, which they exercise by their own action (by making a request):
- the right of access to personal data;
- the right to rectification or, as the case may be, completion;
- the right to erasure;
- the right to restriction of processing;
- the right to data portability;
- the right to object;
- the right not to be subject to automated individual decision-making, including profiling.
In the event that they exercise these rights against you, you are obliged to deal with their request and to process it free of charge without undue delay (within 1 month at the latest).
How is personal data secured?
As controllers or processors of personal data, you are obliged under the GDPR to take adequate technical and organizational security measures, taking into account the nature, scope and purposes of the processing.
Personal data stored in FreshFlow is technically and organizationally secured with regard to the current state of technology. The software is regularly checked for vulnerabilities, security breaches and attacks. FreshFlow uses security measures so that, as far as possible, personal data cannot be accessed without authorization or by a third party, copied, published, altered or destroyed through a breach of security measures. The measures taken are also regularly updated.
What is meant by a personal data breach?
A personal data breach is considered to be a breach of security that leads to the accidental or unlawful destruction, loss, alteration or unauthorised provision or disclosure of personal data transmitted, stored or otherwise processed.
If a security breach occurs, you are obliged to report the breach to the Office for Personal Data Protection (and, in the case of a high risk, to the data subjects themselves) without undue delay and, if possible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If there is a security breach on the part of FreshFlow, it will report it to you.
Are there other obligations arising from the GDPR?
Other obligations that the GDPR brings for some controllers and processors include in particular:
- keeping records of processing activities;
- conducting a Data Protection Impact Assessment (DPIA);
- prior consultation with the Office for Personal Data Protection;
- the appointment of a Data Protection Officer (DPO);
- obligations related to the transfer of personal data to third countries outside the EU.
GDPR and FreshFlow
FreshFlow Systems s.r.o. is governed by its Privacy and Personal Data Processing Policy when processing personal data. FreshFlow Systems s.r.o. processes the data of your clients as a processor, always on the basis of a processing contract concluded with you and/or with your headquarters in accordance with Art. 28 GDPR.
If you perform certain actions, FreshFlow will automatically notify you of the need to comply with certain obligations set out in the General Regulation.
If you have any further questions regarding the protection of privacy and the processing of personal data, please do not hesitate to contact info@freshflow.cz.