Privacy, Data Protection, and Consent
Personal data is collected only with the consent of the data subject and only for the specified purpose. Collected data is protected with encryption.

Data protection principles

Lawfulness, fairness, and transparency — Processing must be lawful, fair, and transparent to the data subject.

Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.

Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.

Accuracy — You must keep personal data accurate and up to date.

Storage limitation — You may only store personal data for as long as necessary for the specified purpose.

Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).

Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

What is GDPR?

The GDPR protects:

• Basic identity information such as name, address and ID numbers

• Web data such as location, IP address, cookie data, and RFID tags

• Health and genetic data

• Biometric data

• Racial or ethnic data

• Political opinions

• Sexual orientation

The GDPR applies to any company that stores or processes personal data of individuals in the EU (residency, not citizenship, is what matters), whether the company has:

• A presence in an EU country, or

• No presence in the EU, but processes personal data of EU residents.

GDPR third-party and customer contracts

The GDPR places liability on both data controllers (the organization that decides why and how personal data is processed) and data processors (outside organizations that process that data on the controller's behalf). A third-party processor that is not in compliance means your organization is not in compliance. The regulation also has strict rules for reporting breaches that everyone in the chain must be able to comply with, and organizations must inform customers of their rights under GDPR.

What this means is that all existing contracts with processors (e.g., cloud providers, SaaS vendors, or payroll service providers) and with customers need to spell out each party's responsibilities. The revised contracts also need to define consistent processes for how data is managed and protected, and how breaches are reported.

People’s privacy rights

The GDPR recognizes a set of privacy rights for data subjects, which aim to give individuals more control over the personal data they entrust to organizations. As a data processor, we are obliged to support these rights, both directly to the data subject and by assisting the data controller, to ensure GDPR compliance.

Below is a rundown of data subjects’ privacy rights:

The right to be informed

The right of access

The right to rectification

The right to erasure

The right to restrict processing

The right to data portability

The right to object

Consent

There are strict rules about what constitutes valid consent from a data subject to process their information.

• Consent must be “freely given, specific, informed and unambiguous.”

• Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”

• Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.

• Children under 16 can only give consent with permission from a parent or guardian (EU member states may lower this age, but not below 13).

• You need to keep documentary evidence of consent.

Right to Erasure

Our Data Privacy Policy gives the data subject the right to have his/her personal data erased (Article 17 of the GDPR) where:

• The subject withdraws consent to our processing of his/her personal data.

• The personal data is no longer necessary for the purposes for which it was originally collected.

• The subject objects to our processing of his/her personal data, as is his/her right under Article 21 of the GDPR.

• The personal data has been unlawfully processed.

Personal data of minors is not processed unless the parental-consent requirement described above has been met.