This article defines, in simpler language, the most common GDPR terms and general provisions of the law to provide a clearer understanding of the relationships between end users, customer organizations, and NocTel. Please carefully note that there is no standard interpretation of the terms and provisions of GDPR law, so the information captured here may change frequently after May 25th, 2018. When changes occur, generally expect to see corresponding changes elsewhere, such as in NocTel's Terms of Service and Privacy Policy.
This article does not constitute legal advice, nor does it seek to encourage or discourage customers and end users from seeking appropriate legal counsel. The information provided here is intended to build a basic understanding of GDPR law and is neither comprehensive nor conclusive.
GDPR - or the General Data Protection Regulation - is an EU law that will become enforceable worldwide as of May 25th, 2018. Its basic intent is to provide personal data protections and fundamental rights for end users who provide personal data to services, applications, and companies, whether or not they are aware of the data collection and processing.
A data subject is an identifiable or identified natural person. A natural person here means an actual human being, living or having lived. It does not adopt the definition of "person" in the business law sense, so corporations do not qualify as data subjects under GDPR.
"Personal data" under GDPR is defined as:
"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
In other words, it's almost anything relating to a natural person (see above) that can be used to identify them uniquely.
Personal data also includes a more restricted sub-classification known as sensitive personal data. Sensitive personal data is generally limited to one's biometric and genetic information as well as very personal details such as sexual orientation, political sentiment, and religious association.
Data controllers are defined as "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data."
In other words, they are usually the entities that request personal data but may not perform any of the collection, storage, or processing of the data themselves. Data controllers will typically have some access to the personal data that is collected, stored, and processed.
Following from the definition of a data controller, a data processor is defined as a "natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller."
In many cases, a data processor is a third-party service provider of some variety to another company, service, or application. If your company uses
The ICO recognizes that some companies may be prone to misreporting compliance activities if left to self-implement. To counteract this potential, the ICO introduces the role of Data Protection Officer (DPO), who is generally responsible for the following:
Not every organization that acts as a data controller and/or data processor needs to appoint a DPO, but generally these are the guidelines for when a DPO is necessary:
Unfortunately, where the line is drawn on what volume of personal data processing constitutes "large scale" is highly subjective; organizations should err on the side of caution.
GDPR defines the following broad data rights of data subjects:
Bear in mind that while complaints and requests invoking personal data rights under GDPR are generally accommodated, there are certain circumstances in which a data controller or processor can legitimately deny the complaint or request.
EU residents. Some contention in interpretation exists as to whether this means individuals physically located in the EU or anyone who is an EU resident, regardless of where they currently are. Under the latter interpretation, foreign companies that do any sort of business with EU residents, typically during travel or vacation, would also be required to comply with GDPR. It's the safer bet to use the latter interpretation.
When the law talks of "EU residents" it means individuals, and "individual" is restricted to natural persons. In other words, a real, live human being and not a "person" in the business law definition. This means corporations are not considered protected under GDPR.
Personal data under GDPR is much broader than PII (Personally Identifiable Information) and includes types of data such as geo-coordinates provided by GPS and IP addresses. Personally Identifiable Information is generally a US-specific term and should not be thought of as equivalent to personal data in the context of GDPR.
Yes and no. It depends.
The ICO sets forth some guidelines on the reasons a company may decline to accommodate a request involving personal data rights. The most common reason is legitimate use, which can take precedence over some requests when it comes to retaining and otherwise processing personal data. Legitimate use also covers obligations to other compliance regimes and protocols the company must observe. A less often applicable reason the ICO recognizes is that fulfilling the request would demonstrably require exorbitant time, effort, and financial cost.
For example, if an employee is fired from a company after making repeated verbal threats to coworkers, the company may reasonably decline the former employee's request under the right to be forgotten. The company may partially accommodate this request by agreeing not to share the conditions of the employee's departure with others, but the company maintains the right to keep that data in its own records, as it may include relevant information such as whether the employee is eligible for rehire and what position they held prior to departure.
With few reasonable exceptions, companies are otherwise expected to accommodate personal data rights requests from data subjects. Additionally, depending on the type of request, the company in question must accommodate the request with all reasonable haste.
Technically yes, but it's generally agreed this is not an effective solution for sidestepping the need for GDPR compliance. Blocking access from the EU would be ineffective because it does not account for the use of VPNs and/or proxy servers to reach otherwise blocked sites and services. Additionally, given the vague interpretation in the law itself of what constitutes an EU resident, the case of EU residents traveling abroad and using services in person, such as banks, transportation services, lodging, etc., circumvents the "protection" of blocking outside access, as those EU residents are physically located outside the EU.
Currently, there is no provision in the GDPR law which recognizes simply denying or blocking services to EU residents as a legitimate means of respecting and protecting personal data. Likewise, it does not recognize the case where an EU resident falsifies their point of access and other personal data in order to access and use services that otherwise explicitly want to avoid EU residents.
Is NocTel seeking GDPR compliance?
It's something that's very much on the radar, but various internal challenges exist that have caused efforts toward legitimate GDPR compliance to be slower than would be preferred. Until NocTel is able to attain GDPR compliance, we intend to make operations in relation to personal data and privacy as transparent and straightforward as possible so you know we're on the right track.
Given the size of NocTel, and given that the vast majority of customer organizations do not have normal contact with EU residents, NocTel has determined that it is not reasonable to appoint a DPO at this time.
Will NocTel process personal data requests that come from non-EU residents?
NocTel will do its best to treat all personal data requests equally, as GDPR represents valuing and respecting personal data.
Can NocTel accommodate my personal data request directly?
While NocTel will exercise due diligence to honor personal data requests that are determined to be valid, it is not recommended to submit these requests directly to NocTel. The reason is that our customers are organizations that subscribe to NocTel for business services. Accommodating any data request without the awareness and agreement of the organization the requesting data subject belongs to may disrupt services and the account administrators' ability to manage the data subject.
NocTel recommends that any personal data rights related request be submitted to your organization first, so that NocTel then receives it with the organization's affirmation that some features and manageability could possibly change in relation to you.
What are examples of personal data requests NocTel will not accommodate?
Here are some examples and the reasoning why the request will not be accommodated:
What is NocTel's policy for storing and processing personal data?
See our Privacy Policy for information on personal data retention.
Generally, NocTel only keeps personal data for as long as it's valid and needed. For example, a setting that stores personal data for a feature will overwrite, and consequently forget, the previous value when it changes. Likewise, for personal data such as voicemail, NocTel implements an automatic data retention policy that deletes old voicemails that have not already been deleted by the end user themselves.