This is a new regulation in the EU, which comes into force on May 25, 2018 and contains new rules regarding the personal data of persons in the EU.
GDPR refers to the personal data of all persons in the EU.
What counts as personal data?
Name
Address
Location
Online IDs
Health information
Revenue information
Information on cultural interests
Other information that helps identify a particular person.
Who is concerned with the GDPR and its requirements?
(1) Companies in any country in the world that:
Offer products / services to persons in the EU, or
Monitor their behavior
(2) Companies that have a representative office / branch in the EU and process personal data
When can I process personal data?
If there is user consent *: Consent
If there is a contractual obligation with the user: Contractual obligation
If there is an obligation under the law (EU or national legislation): Legal obligation
If required in the public interest (EU or national): Public interest
If required to protect the vital interests of a person: Vital interests of the individual
For the legitimate interests of the company, but only after verifying that there is no serious violation of the fundamental rights and freedoms of the person whose data is being processed. The conclusion in each case depends on the specific facts of the particular situation: Legitimate interest
When collecting user data, the user must be notified that the data will be processed.
* The user's consent to the processing of his data must:
Be freely given (no one and nothing forced the user to agree; refusal must not cause negative consequences for the user; giving consent cannot be made a condition for concluding an agreement with the user)
Be informed (all information must be presented to the user before he agrees) **
Refer to the specific purposes for which data is collected.
All reasons for processing data must be clearly stated.
Be explicit and expressed through the user's own action (for example, the user ticking a box themselves; a pre-ticked box is not considered explicit consent expressed through an action)
Be clear, legible and readable.
Explain that such consent can always be withdrawn (withdrawal of consent should not cause negative consequences for the user)
** In order for the user's consent to be considered informed, the user must be provided with information about:
The organization that processes the data
Data processing purposes
The type of data to be processed
Ability to withdraw consent to data processing
Use of data for exclusively automatic (machine) decision making, including profiling
When transferring data to other countries: the risks of transferring data to third countries for which the EU Commission has issued no adequacy decision on their level of personal data protection and for which no appropriate safeguards are in place to ensure data security
The period during which the data will be stored
Data can be processed only for those purposes for which the user has agreed.
Do I need to get a new consent after May 25, 2018?
No, if the user's consent was obtained in compliance with the requirements described above.
Can I receive and transmit user data from another organization?
Yes, if there is their consent to this, obtained according to the rules described above.
What else do you need to think about?
Keep records of transactions with user data
Indicate how the user can (i) obtain information about the data the company holds about them, (ii) withdraw consent to the processing of their data, (iii) make changes to the data, or (iv) delete the data
Be prepared to respond to user requests
Do not forget to determine how old the user is and obtain the consent of their parents if the user is under 16 years old