General Data Protection Regulation (GDPR))
Welcome to 360 Telecom
An overview of the new privacy and data protection laws that will come into force on May 25, 2018 and some best practices for RGPD compliance The RGPD is the most significant change in the regulation of data privacy for decades. Companies are working to implement radical changes in their systems and contracts, and those that operate on compliant and privacy-friendly platforms have a head start. The purpose of this guide is to help our users understand the generalized implications of the GDPR, the opportunity it offers to improve data processing activities, and how to become and remain compliant with the GDPR.
THIS RGPD GUIDE IS FOR INFORMATIONAL PURPOSES ONLY. THIS IS NOT A LEGAL OPINION. PLEASE CONTACT YOUR LEGAL ADVISOR FOR PERSONALIZED ADVICE ON HOW THE RGPD CAN IMPACT YOUR BUSINESS.
What is RGPD?
The General Data Protection Regulation (“GDPR”) is a new European law on data protection and privacy. It requires more granular privacy safeguards in an organization’s systems, more nuanced data protection agreements, and more user-friendly, detailed disclosures about an organization’s privacy and data protection practices.
The RGPD replaces the current EU legal framework for data protection of 1995 (commonly referred to as the “Data Protection Directive”). The Data Protection Directive has required the transposition of EU Member States into national law, which has led to a fragmentation of the legal landscape of data protection in the EU. The RGPD is a European regulation that has direct legal effect in all EU Member States, ie it does not need to be transposed into the national legislation of the Member States of the EU. EU to become binding. This will enhance the coherence and the smooth application of the law in the EU. The RGPD can apply to organizations located outside the EU Unlike the Data Protection Directive, the GDPR applies to all companies operating on a global scale, not just those located in the EU. In the context of the GDPR, organizations may have a field of application if (i) the organization is established in the EU, or (ii) the organization is not established in the EU but the processing activities data relate to individuals in the EU and relate to goods and services of their own or the monitoring of their behavior.
The processing of personal data is a broad concept in the context of the GDPR The GDPR governs how personal data of individuals in the EU can be processed by organizations. “Personal data” and “treatment” are terms that are frequently used in legislation, and understanding their specific meaning in the context of the GDPR illuminates the true scope of this legislation:
Personal data is information about an identified or identifiable individual. This concept is very broad because it includes any information that can be used alone or in combination with other information to identify a person. Personal data is not just the name or e-mail address of a person. It may also include information such as financial information or even, in some cases, an IP address. In addition, certain categories of personal data enjoy a higher level of data protection because of their sensitive nature. These categories of data concern racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data,
Processing means any transaction or set of transactions carried out on personal data or sets of personal data, whether by automated means such as collection, registration, organization, structuring, storage, adaptation or alteration, recovery, consultation, use , disclosure by transmission, broadcast or otherwise made available, alignment or combination, restriction, erasure or destruction. In concrete terms, this means that any process that stores or consults personal data is considered a treatment. Key Concepts: Data Controllers and Data Processors In European data protection legislation, two types of entities can process personal data: the data controller and the data processor.
The controller (“controller”) is the entity that, alone or together with others, determines the purposes and means of the processing of personal data. The data processor (“processor”) is the entity that processes the personal data on behalf of the controller. It is important to determine whether the entity processing the personal data for each data processing activity is a controller or a processor. This mapping exercise allows an organization to understand what rights and obligations are attached to each of its data processing operations.
360 Telecom has some data processing activities for which it acts as a data controller, and others for which it acts as a data processor. A good illustration of this dual role is when 360 Telecom processes credit card transactions. The facilitation of a transaction requires the processing of personal data, such as the name of the cardholder, the credit card number, the credit card expiry date and the CVC code. The cardholder data is sent by the 360 Telecom user to 360 Telecom via the 360 Telecom API (or by another integration method, such as 360 Telecom Elements). 360 Telecom then uses the data to complete the transaction in the systems of the credit card networks, a function that 360 Telecom performs as a data processor. However, 360 Telecom also uses data to comply with its regulatory obligations (such as Know Your Customer (“KYC”) and “Anti Money Laundering” (“AML”), and in this role, 360 Telecom is a data controller.
Legal basis for the processing of personal data in the GDPR The next consideration is to determine whether a particular processing activity is consistent with RGPD. In the context of the RGPD, any data processing activity, performed as a controller or processor, must have a legal basis. The RGPD recognizes a total of six legal bases for the processing of personal data of individuals in the EU (in the RGPD, EU persons are called “persons concerned”). These six legal bases, in the order of art. 6 (1) (a) to (f) RGPD, are: The data subject has given his CONSENT to the processing of his personal data for one or more specific purposes;
Le traitement est NÉCESSAIRE POUR L’EXÉCUTION D’UN CONTRAT auquel la personne concernée est partie ou pour prendre des mesures à la demande de la personne concernée avant la conclusion d’un contrat;
The processing is NECESSARY FOR THE EXECUTION OF A CONTRACT to which the data subject is party or to take measures at the request of the data subject before the conclusion of a contract;
The processing is necessary for the COMPLIANCE OF LEGAL OBLIGATION to which the controller is subject;
TREATMENT IS NECESSARY TO PROTECT A VITAL INTEREST OF THE PERSON CONCERNED.
THE PROCESSING OF THE DATA IS NECESSARY FOR THE PERFORMANCE OF A TASK PERFORMED IN THE PUBLIC INTEREST OR IN THE PRACTICE OF THE PUBLIC AUTHORITY;
or the processing is necessary for the LEGITIMATE INTERESTS pursued by the entity, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data.
There are similarities between the RGPD authorized treatment list and the list contained in the Data Protection Directive. However, there are also significant differences. The change most frequently mentioned by the RGPD, in relation to the Data Protection Directive, is the tightening of the consent requirements (element 1 of the list above). The RGPD consent requirements include such things as (i) the requirement that consent be verifiable, (ii) the consent request must be clearly distinguishable from other matters, and (iii) the data subjects must be informed of their right to withdraw their consent. It is also important to keep in mind that
Another important element to emphasize is the element of legitimate interest (element 6 of the list above). When relying on a “legitimate interest” to support the processing of personal data, an organization must be aware of the balancing test requirement associated with that legal basis. To meet the liability principle under the GDPR, an organization must document its compliance with the balancing test, which includes its approach and the arguments it has reviewed before concluding that the balancing criterion was met.
Individual rights in the context of the GDPR Under the Data Protection Directive, individuals were guaranteed certain fundamental rights with regard to their personal data. The rights of individuals continue to apply under the GDPR, subject to certain explanatory amendments. The table below compares the rights of individuals under the Data Protection Directive and the GDPR.
THE RIGHT OF THE INDIVIDUAL DIRECTIVE ON DATA PROTECTION GDPR REQUEST FOR ACCESS TO A DATA SUBJECT Individuals have the right to know if their personal data are processed, what and how their personal data are processed and what are data processing operations. The scope of this right has been extended under the GDPR. For example, when requesting access, individuals should be provided with additional information, including information on their additional RGPD data protection rights that did not previously exist, such as the right to privacy. portability of data. OPPOSITION RIGHTS An individual may prohibit certain data processing operations when he has compelling legitimate reasons. Individuals may also object to the processing of their personal data for direct marketing purposes. The RGPD has extended the scope of this right in relation to the Data Protection Directive. RIGHT OF CORRECTION OR DELETION Individuals may request that incomplete data be completed or that incorrect data be corrected to ensure that the processing of personal data complies with the applicable data protection principles. The RGPD’s position is materially the same as that of the Data Protection Directive, but some procedural protections are reinforced under the GDPR. RIGHT TO RESTRICTION No right to restrict treatment. However, the Data Protection Directive gives individuals the right to request the blocking of their personal data when processing operations do not comply with data protection principles, for example when data are incomplete or inaccurate. The RGPD offers individuals the right to request the restriction of the processing of their personal data in certain circumstances, including when the individual disputes the accuracy of the data. RIGHT OF ERASURE (“RIGHT TO BE FORGOTTEN”) Individuals have the right to request the erasure of their personal data if the processing operations did not comply with the principles of data protection. Therefore, this right is very narrow. The RGPD has significantly expanded this right. For example, the right of cancellation may be exercised when personal data are no longer necessary for the purposes for which they were collected, or the individual withdraws his consent to treatment and no other legal basis justifies further processing. RIGHT TO PORTABILITY OF DATA The Data Protection Directive does not explicitly refer to “data portability” as a right of the data subject. EU Member State laws may have implemented additional rights similar to a data portability right at the national level. Individuals may request that personal data held by a controller be provided to themselves or to another controller. International Data Transfers The subject of international data flows has been a hot topic in recent years, and there has been considerable debate and law reform in this area. It is also certain that the laws surrounding international data flows will continue to evolve in the years to come. Today, according to the European data protection legislation, certain requirements must be met before the personal data of European citizens can be transferred outside the EU, unless the organization receiving the personal data is located in a location. Whitelist zone. It is also certain that the laws surrounding international data flows will continue to evolve in the years to come. Today, according to the European data protection legislation, certain requirements must be met before the personal data of European citizens can be transferred outside the EU, unless the organization receiving the personal data is located in a location. Whitelist zone. It is also certain that the laws surrounding international data flows will continue to evolve in the years to come. Today, according to the European data protection legislation, certain requirements must be met before the personal data of European citizens can be transferred outside the EU, unless the organization receiving the personal data is located in a location. Whitelist zone.
In the context of the GDPR, international data transfers are a difficult subject to manage because the law is evolving and there are only a small number of data transfer mechanisms available. Despite the challenge, organizations need to stay abreast of developments as the proper flow of personal data is the backbone of any technology company. A particularly important mechanism for the flow of personal data from the EU to the United States is the Privacy Shield framework. The EU-US and Switzerland-US Privacy Shield is a method that ensures that an organization provides an adequate level of data protection by requiring an organization to certify and register in accordance with the requirements of the Privacy Shield Framework. 360 Telecom has been certified in accordance with the EU-USA and Switzerland-USA Privacy Shield standard for this reason. The Privacy Shield certification of 360 Telecom is here, and our privacy policy Privacy here. For more information, please visit the 360 Telecom EU data transfer support page here.
More generally, 360 Telecom has international data transfer compliance measures that govern Transipe’s entire processing of personal data of individuals in the EU. These measures are based on standard EU contract terms. As noted above, international data flows continue to be an area for potential legislative reform. For this reason, we closely follow the legal developments related to international data transfer compliance measures and we take every measure at our disposal to ensure a proper international transfer of personal data of the data subjects. It also means that we have integrated redundancies into our data transfer compliance program as much as possible and are looking to expand them with the tools available for 360 Telecom as part of the RGPD. Non-compliance The most noted consequence of non-compliance with the GDPR is the maximum fine that may be imposed on a non-compliant organization. The maximum fine that can be levied is 4% of the overall turnover or EUR 20 million, whichever is greater. Certain other types of offenses carry a maximum fine of 2% of the overall turnover, ie EUR 10 million, whichever is the higher. The maximum fine that can be collected is 4% of the overall turnover or EUR 20 million, whichever is the higher. Certain other types of offenses carry a maximum fine of 2% of the overall turnover, ie EUR 10 million, whichever is the higher. The maximum fine that can be collected is 4% of the overall turnover or EUR 20 million, whichever is the higher. Certain other types of offenses carry a maximum fine of 2% of the overall turnover, ie EUR 10 million, whichever is the higher.
The powers of Data Protection Authorities (“DPAs”) under Art. 58 of the RGPD. These powers include the possibility for ODA to impose corrective measures, such as temporary or permanent limitation of data processing activities, including a complete ban on data processing, or to order the suspension of data flows. to a recipient in a third country.
360 Telecom and RGPD At 360 Telecom, privacy, data protection and data security are at the heart of everything we do. We are continually working to re-establish the bar for ourselves in the area of data security and privacy, and see the GDPR as an opportunity for the entire industry to come together and improve. 360 Telecom has started its efforts towards RGPD compliance in 2016, and we are working to ensure that our services comply with the RGPD by the effective date of May 25, 2018. RGPD compliance includes many elements. Among other things, we are updating our documentation and agreements to align them with the requirements of the RGPD. We are also reviewing our internal policies and procedures to ensure that they comply with the RGPD standard. Most of the RGPD compliance elements take place “under the hood” of an organization with respect to updates on how an organization processes personal data. Here are some of the steps that platforms like 360 Telecom perform for their users (and themselves) in preparation for the RGPD:
Carry out a gap analysis between the requirements of the Data Protection Directive and the GDPR, applicable to the business activities of the company.
Review and update internal tools, procedures and policies as required.
Review data mapping and data inventory practices and update them as needed to comply with the document retention requirements under the GDPR. Perform a dedicated deviation analysis of the Privacy and Data Protection Tool to meet the requirements of the Data Protection Impact Assessment. Update the approach of international data transfers.
Update contracts to reflect Art. 28 obligations of the RGPD with respect to the contracting parties of the company.
Revise and, if necessary, revise the relationship with suppliers to meet the requirements of the GDPR to ensure that such third parties receive and process personal data in a lawful manner. Update the company’s privacy compliance program with ongoing employee training to reflect the changes to be implemented for the RGPD.
The Principle of Responsibility 360 Telecom users should consult their legal professionals to understand the extent of their compliance obligations under the GDPR. In general, if you are an EU-based organization or if your organization processes personal data from individuals in the EU, the RGPD will apply to you.
A primary principle of RGPD to keep in mind is the principle of accountability. The liability principle states that the controller must be able to demonstrate that its processing activities comply with the data protection principles set out in the GDPR. The easiest way to demonstrate compliance is to document and communicate your RGPD compliance approach.
At 360 Telecom, compliance has been the result of collaboration among many people within our organization, including user operations, sales, engineering, security and law. In our experience, inter-functional partnerships and easy-to-read documentation are extremely useful for the overall RGPD compliance process.
A RGPD checklist for your business There are only a few weeks left until May 25, 2018 for small and medium-sized businesses to face unique challenges in preparing for the RGPD. With this in mind, we have gathered some of the key elements of a RGPD compliance program into a checklist for users.
✓ On the same page: Get together with your technical, customer support and legal colleagues and learn about the RGPD and its impact on your organization.
✓ Obtain a clear picture of what is happening with personal data in your organization:
A data mapping exercise can help you discover how personal data is stored and processed by your systems. The following questions may guide you: What are the categories of personal data you are processing? (eg financial information, health information, marketing information, etc.) For which categories of people do you process personal data? (eg, cardholders, children, patients, etc.) What is the reason for processing this information? How and why did you collect this information? How do you secure this data? Do third parties receive this information? If so, do you disclose these third-party recipients in your privacy policy or in your privacy policy? other forms of notification? Do you know who these third parties are? How long do you keep information about individuals? ✓Cartography of the legal bases: Consult the 6 legal bases mentioned above. For each processing operation identified in your data card, link it to a legal basis. This connection will give you the legal base card.
✓ Have respect to a person exercising his rights:
Have the ability to use data mapping information to respond to a data subject access request. From the data card, know where the personal data is in your system (and if you cross-reference with other systems) to comply with requests for exclusion, modification and deletion. Know which data formats your systems use and how you will respond to requests for data portability. ✓Data and Incident Response: When talking to your colleagues about the technical / security side of the organization, make sure you know your incident response plan. Perform a few tabletop exercises so that everyone involved in incident response knows what to do in the event of a security incident. Ideally, your Incident Response Team is a refined machine, ready to execute incident response plans when the situation arises.
There are many other things that could be added to this checklist, and you will need to work with your internal experts and external advisors to find a customized list for your needs. For example, you may need to perform data protection impact assessments, appoint a data protection officer, manage and review the company’s marketing practices and other communications, and review your business processes. providers.
If you have a solid foundation in mapping your data processing activities, you are giving yourself a big advantage for any subsequent RGPD compliance issues you encounter. Below are additional resources that we have consulted and found useful, and we hope you will find them useful as well.
Additional Resources The RGPD is mentioned in many different places, and it is difficult to keep track of the good resources available online. Here are some resources that we consult to stay abreast of developments in the RGPD: It all starts with the legal text: the complete legal text of the GDPR is here and the Data Protection Directive is linked here.
The Supervisory Authority: There is a Data Protection Authority (DPA) in each EU Member State, and many of them have published useful guidelines on the implementation of the GDPR. You will find a list of DPAs here.
Article 29 Working Party (WP29), which will soon become the European Data Protection Board (EDPB): WP29 is an advisory body composed of a representative of the DPA of each EU Member State, the Controller European Data Protection Agency and the European Commission. As of May 25, 2018, WP29 will become the EDPB. The EDPB will include the head of a DPA of each EU Member State and the European Data Protection Supervisor. WP29 has published hundreds of guidelines and opinions and has opened several topics for consultation. The most recent guidelines and opinions focus on how best to implement RGPD elements in an organization’s compliance structure. The WP29 press room is here.
The former Working Group 29 website had a lot of additional resources that are unfortunately no longer as easily accessible with the new layout of the site. The archived website with additional materials is available here. Some DPAs, law firms, privacy organizations such as IAPP, and many other organizations, NGOs, and companies are hosting events related to the GDPR. It is very likely that other organizations have very similar questions to yours regarding the implementation of the GDPR. These are great opportunities to reach the RGPD community and work together on issues.