The GDPR is a new comprehensive data protection law (in effect May 25, 2018) in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It updates and replaces all the national data protection laws (issued from the 1995 EU Data Protection Directive: DPD) currently in place with a single set of rules.
The key changes are the following: Expanded data privacy rights for EU individuals, data breach notification and added security requirements for organizations, as well as customer profiling and monitoring requirements. GDPR also includes binding Corporate Rules for organizations to legalize transfers of personal data outside the EU and a 4% global revenue fine for organizations that fail to adhere to the GDPR compliance obligations. Overall the GDPR provides a central point of enforcement by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
If you are processing personal data in the context of an organization established in the EU, the GDPR will apply to you, regardless of whether you are processing personal data in the EU or not. “Processing” means any operation performed on personal data, such as collection, storage, transfer, dissemination or erasure.
If you are not established in the EU, the GDPR applies to you if you are offering goods or services (whether paid or free) to EU data subjects or monitoring the behavior of EU data subjects within the EU. Monitoring can be anything from putting cookies on a website to tracking the browsing behavior of data subjects to high tech surveillance activities.
Under European data protection law, organization processing personal data are divided into “Controllers,” or the entities which control the personal data, and “Processors,” the entities that process personal data only on the instructions of the Controllers. The GDPR applies to both Controllers and Processors.
This letter is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Therefore, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.
“What personal data do
“Are we transferring the personal
data outside the EU and if so, do
we have adequate protections in
“Are we ensuring we aren’t holding it for
any longer than is necessary and keeping it
“Have we obtained it fairly? Do we have
the necessary consents required and
were the data subjects informed of the
specific purpose for which we’ll use their
data? Were we clear and unambiguous
about that purpose and were they
informed of their right to withdraw
consent at any time?”
Whenever a data subject is about to submit their personal information the data controller (usually a company) has to make sure the data subject has given their consent. The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters.” Controllers will also be required to provide evidence that their processes are compliant and followed in each case. Previously, under the DPD, consent could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of “opt-out” mechanism. However, that will change under the GDPR which requires the data subject to signal agreement by "a statement or a clear affirmative action."
Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to the processing of their personal data. They must also know exactly what they are consenting to and they must be informed in advance of their right to withdraw that consent. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. This means that informing the user during the opt-in is becoming more important in the future.
New Rights for Individuals
The regulation also builds in two new rights for data subjects: a "right to be forgotten" that requires controllers to alert downstream recipients of deletion requests and a "right to data portability" that allows data subjects to demand a copy of their data in a common format. These two rights will now make it easier for users to request that any information stored should be deleted or that information that has been collected should be shared with them.
Data subjects always had a right to request access to their data. But the GDPR enhances these rights. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also drop to a 30-day period. In certain cases, organizations may refuse to grant an access request, for example where the request is deemed manifestly unfounded or excessive. However, organizations will need to have clear refusal policies and procedures in place and demonstrate why the request meets these criteria.
Privacy by Design and DPIA
There are several new principles for entities that handle personal data, including a requirement to build in data privacy "by design" when developing new systems and an obligation to perform a Data Privacy Impact Assessment (DPIA) when processing using "new technologies" or in risky ways. A DPIA is a process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals so that potential privacy issues can be identified before they arise, giving the organization time to come up with a way to mitigate them before the project is underway.
Data Privacy Officer
On the security side, the GDPR will require many businesses to have a Data Privacy Officer (DPO) to help oversee their compliance efforts. Organizations requiring DPOs include public authorities, organizations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organizations who process what is currently known as sensitive personal data on a large scale. While the GDPR currently preserves the DPD’s approved methods for ensuring "adequacy" when transferring personal data to third countries (including the Privacy Shield and the Model Clauses), DPOs will also be helpful in overseeing a controller’s relationships with vendors who process and store personal data, helping to review vendors’ security practices and inform vendors of data subject requests.
Contracts & Privacy Documentation
Since the GDPR is all about transparency and fairness, Controllers and Processors will need to review their Privacy Notices, Privacy Statements, and any internal data policies to ensure they meet the requirements under the GDPR. If a Controller engages third party vendors to process the personal data under their control, they will need to ensure their contracts with those Processors are updated to include the new, mandatory Processor provisions set out in Article 28 of the Regulation. Similarly, Processors should consider what changes they’ll need to make to their customer contracts to be GDPR ready by May 2018.
One particular item in the GDPR should serve to make the lives of these DPOs easier: the GDPR’s new "one-stop shop" provision, under which organizations with offices in multiple EU countries will have a "lead supervisory authority" to act as a central point of enforcement, so they don’t struggle with inconsistent directions from multiple supervisory authorities.
The GDPR contains a new requirement that controllers must notify their country’s supervisory authority (or Data Protection Controller: DPC) of a personal data breach within 72 hours of learning of it unless the data was anonymized or encrypted. In practice, this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned.
While the current legislation, the 1995 EU Data Protection Directive, governs entities within the EU, the territorial scope of the GDPR is far wider, in that it will also apply to non-EU businesses who market their products to people in the EU or who monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
This new concept will require Controllers and Processors to be able to demonstrate their compliance with the GDPR to their local supervisory authority or DPC. Processes should be recorded, implemented and reviewed on a regular basis. Staff should be trained, and appropriate technical and organizational measures should be taken to ensure and demonstrate compliance.
The importance of the GDPR’s new provisions is underscored by the new penalties it imposes for violations. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater).
Trackforce is dedicated to helping our customers comply with the GDPR. We have closely analyzed the
requirements of the GDPR, and are working to make enhancements to our products, contracts, and
documentation to support compliance with the GDPR.
You may need to clear customer data history in order to comply with data protection and privacy regulations.
Trackforce will offer you retention period options that can be applied to:
|Personal Data Type||Max. Retention Period||Action Post Retention Period|
|Personal media (photos
|Up to 3 months after
|Visitor data||Up to 3 months after the
|The GPS data history||Up to 6 months after
|Training data||Up to 12 months after
|All reports||Up to 5 years after creation||Deleted|
|The different activity
|Up to 5 years after creation||Anonymized|
Here is how to set-up your GDPR parameters:
On your end, after termination of the business relationship with a client, you can keep his personal data for up to 5 years and his personal media (photos & videos) for up to 3 months.
You can use the Trackforce Platform to help you honor your customers’ requests to export their data. Data can be extracted upon request.
Trackforce has security built into every layer of the platform. The infrastructure layer comes with replication, backup, encryption, and Disaster Recovery. Network services has encryption in transit and advanced threat detection with IPS/IDS. Our application services implement identity, authentication with two factors, and user permissions.
Trackforce is enhancing its products so that the Controllers or Processors can technically restrict the personal data usage (for instance by limiting reports access or by allocating a data subject personal data to specific account sites).
A disclaimer will also be printed on any PDF or email sent by the application, requesting the deletion of the document by the end of the retention period (the exact date will be indicated).
We have also created the email firstname.lastname@example.org for all GDPR related questions and requests.
You should email our DPO email@example.com for all GDPR related questions.
You should provide any document proving your identity.
Yes, at any time.
Each client defines his preferred retention period within the GDPR law limitations
You can create exceptions on the set-up page
Anonymization, as defined by the GDPR, is irreversible.
This depends on your security firm, kindly refer to them or their DPO if they have one.
Media with personal data, GPS history, visitor data, employee data, personal data fields in activity templates (it is up to each client to define the data that he needs to protect).
It is the responsibility of the customer to download any required report before the end of the retention period. Upon expiry of this period, Trackforce will not be able to recover your data.
A disclaimer will be printed into any PDF or email sent by the application. The document’s recipient is responsible for complying with the GDPR requirements.
No; personal data are siloed and segmented from one subsidiary to another one. Each subsidiary can only access its own data.
No; however, as of May 25th, 2018, Trackforce will only call on subcontractors who present sufficient guarantees as for the compliance with the GDPR.
In order to remain GDPR compliant, Trackforce will conduct a Privacy Impact Assessment (PIA) for any new product launch.