New Rules for Handling Personal Data – The General Data Protection Regulation (GDPR) in the EU

In the spring of 2016 the General Data Protection Regulation (GDPR)[1] (2016/679) was adopted at EU level. While the regulation officially entered into force on 25 May 2016, it does not apply until 25 May 2018. An EU regulation such as the GDPR applies directly and immediately in all member states, with the same standing as each state’s national legislation. This ensures identical and harmonised rules for personal data protection across all EU member states.

The General Data Protection Regulation replaces the Personal Data Directive (95/46/EC)[1], which forms the basis of the current Danish legislation on personal data.

The purpose of the new regulation is to strengthen and harmonise the rights of registered persons (data subjects), while protecting the free flow of personal data within the EU.

In short, the General Data Protection Regulation imposes stricter requirements on organisations that process personal data (data controllers as well as data processors), while the registered persons whose personal data is handled gain extended rights.

In this blog, I will explain Xink’s initiatives in relation to the General Data Protection Regulation, and take the opportunity to announce that Xink is already fully prepared to support our clients when it becomes effective in 2018.

Data controller/data processor

The persons or organisations collecting and processing personal data are obliged to ensure that all registered data is processed in accordance with the General Data Protection Regulation. Essentially, the regulation obliges data controllers and data processors to ensure that the processing of personal data is lawful and transparent, and that data is stored properly. Lawful processing means that it must have a legal basis; in practice, this is typically the consent of the registered person, or the performance of a contract to which the registered person is a party.

The processing of personal data must be adequate, but at the same time limited to what is necessary, both in terms of the nature of the personal data stored and the storage period.

An essential part of the General Data Protection Regulation is the processing of information about persons, where personal data is defined as any type of information about an identifiable person. The term “personal data” is very broad and can cover everything from a person’s name, gender, address and phone number to income, illnesses, employment and education.

Is data in an email signature sensitive data?

Data in an email signature is rarely sensitive data. It is data that anyone can obtain without much hassle, and there is nothing sensitive even in a mobile phone number. Nevertheless, Xink processes all data as if it were personal data, and therefore we offer the best possible security when processing it.

Who can access the registered data?

Registered persons can access their registered data to a greater extent than before. They benefit from an extended right of access to the data processing, including the right to access the information processed about them, to know the purpose of the processing, how long the information is stored, and the identity of the recipients of their data, among other things. However, the right of access is limited in part by the data controller’s right to ask the registered person to specify which data the request concerns and, in certain cases, to charge a reasonable fee for providing access.

Among other things, registered persons also have the right to withdraw consent to the processing of their personal data at any time. If consent is withdrawn, the data controller is obliged to delete the stored personal data, unless the processing is performed under another legal basis.

Xink’s preparation in relation to the implementation of the GDPR

Apart from the extended rights granted to registered persons and the corresponding obligations on those processing data, the GDPR introduces new and significant provisions with far-reaching consequences for data controllers and data processors. For example, there are new requirements on the relationship between the data controller and the data processor. A data processor is a natural or legal person processing data on behalf of a data controller. In future, far greater responsibility for the processing of personal data will rest with the data controller than under the current regulation. In addition, the requirements on the written agreement between the data controller and the data processor (the Data Processing Agreement), and on the division of roles and responsibilities between the parties described in it, are significantly increased.

As Xink very often acts as a data processor, we are aware of the requirements on processing other companies’ personal data. Already now, well before the GDPR becomes effective on 25 May 2018, Xink has prepared data processing agreements that meet the GDPR’s high requirements, so that we can continue to serve our clients with the best possible data protection.

Data Protection Agreement

When the GDPR becomes effective, we offer, as a data processor, to sign a DPA (Data Protection Agreement) with our clients.

The GDPR also sets significant requirements on the data processor’s implementation of security measures for the storage of personal data. The data processor must protect its data against attacks as well as against accidental destruction, by establishing digital and physical measures that protect the integrity of the stored data. Examples include encryption and pseudonymisation of data files, physical locking and fireproofing of server facilities, and a proper policy for the transfer of data. Xink already meets these requirements, as all data is hosted in Microsoft Azure’s ISO 27001-certified data centres in the US and in the EU. As such, we can ensure that data never leaves the EU (until the client sends the data in a signature in an email).

Xink works proactively and continuously to secure the best possible protection of our users’ personal data. We do so by keeping up to date on developments in personal data rights and on how to store and process user information securely.

Your company’s data is completely safe with Xink.


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)