
This article defines, in simpler language, the most common GDPR terms and general provisions of the law, to give a clearer understanding of the relationships between end users, customer organizations, and NocTel. Please note carefully that there is no single standard interpretation of the terms and provisions of the GDPR, so the information captured here may change frequently after May 25th, 2018. When changes occur, generally expect corresponding changes elsewhere, such as in NocTel's Terms of Service and Privacy Policy.

This article does not constitute legal advice and does not seek to encourage or discourage customers and end users from seeking appropriate legal counsel. The information provided here is intended to build a basic understanding of the GDPR and is neither comprehensive nor conclusive.



GDPR Law Summary

GDPR, the General Data Protection Regulation (Regulation (EU) 2016/679), is an EU law that becomes enforceable on May 25th, 2018. Although it is EU law, its territorial scope (Article 3) reaches organizations outside the EU when they offer goods or services to, or monitor the behaviour of, people who are in the EU. Its basic intent is to give natural persons protections and enforceable rights over the personal data they provide to services, applications, and companies.

Key Terms

Data Subject

A data subject is an identified or identifiable natural person. A natural person here means a living human being; Recital 27 states that the regulation does not apply to the personal data of deceased persons. The term does not adopt the definition of "person" in the business law sense, so corporations and other legal persons are not data subjects under GDPR.

Personal Data

"Personal data" under GDPR is defined as:

"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

In other words, it is almost any information relating to a natural person (see above) who can be identified from it, directly or indirectly, including by combining it with other information. The identification does not have to be unique by itself: an IP address or a device identifier that can be linked to a person through other records is still personal data.

GDPR also defines a more restricted sub-classification, which it calls "special categories of personal data" (Article 9) and which is commonly referred to as sensitive personal data. It covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation. Processing these categories is prohibited unless one of the specific exceptions in Article 9(2) applies.

Data Controller

Data controllers are defined (Article 4(7)) as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."

In other words, the controller is the entity that decides why and how personal data is processed. It is usually the entity requesting the data from end users, and it may outsource the actual collection, storage, or processing to someone else, but it remains responsible for that processing and will typically have some access to the personal data that is collected, stored, and processed on its behalf.

Data Processor

Following on from the definition of a data controller, a data processor is defined (Article 4(8)) as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

In many cases, a data processor is a third-party service provider of some variety to another company, service, or application. If your company uses

Data Protection Officer (DPO)

Some organizations may be prone to misreport compliance activities if left to self-implement. To counteract this, the GDPR itself (Articles 37 to 39) introduces the role of Data Protection Officer; supervisory authorities such as the UK's ICO publish guidance on when the role is required. Appointing a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of data subjects, or large-scale processing of the special categories of data described above. The DPO generally performs the following responsibilities:

 

Data Rights

 

Quick Bits and Questions

Who is covered under GDPR law?

Natural persons who are in the EU. The regulation's territorial scope (Article 3) is written in terms of "data subjects who are in the Union" rather than citizens or residents, and it also covers any processing carried out in the context of an establishment in the EU, wherever the processing physically happens. There is still contention over how this applies to an EU resident who is temporarily outside the EU, or to a non-EU visitor inside it. Because the broader reading requires GDPR compliance by foreign companies that do any sort of business with people in the EU, including during travel or vacation, the safer bet is to assume the broader interpretation applies.

Whatever the territorial reading, "data subject" is restricted to natural persons: a real, living human being and not a "person" in the business law sense. Recital 14 states explicitly that the regulation does not cover legal persons, so corporations are not protected under GDPR.

What is "personal data" under GDPR? Is it different from PII?

Personal data under GDPR is much broader than PII (Personally Identifiable Information) and includes data such as GPS coordinates, IP addresses, cookie identifiers, and other online identifiers (Recital 30). PII is generally a US-specific term, often limited to data that directly identifies a person, and should not be treated as equivalent to personal data in the context of GDPR.

Do all requests invoking personal data rights need to be accommodated?

Yes and no; it depends on the right being invoked and on the company's basis for holding the data.

The GDPR, and the guidance published by supervisory authorities such as the UK's ICO, set out grounds on which a company may decline a request involving personal data rights. Under the right to erasure (Article 17), for example, a company may retain data where processing is still necessary to comply with a legal obligation, to establish, exercise or defend legal claims, or where it has overriding legitimate grounds for the processing (the "legitimate interests" basis of Article 6(1)(f), loosely called legitimate use). A less often applicable ground is that the request is manifestly unfounded or excessive, for instance because of its repetitive character (Article 12(5)); in that case the company may refuse it or charge a reasonable fee, but the company bears the burden of demonstrating that the request is unfounded or excessive.

For example, if an employee is dismissed after making repeated verbal threats to coworkers, the company may reasonably decline the former employee's erasure request (the "right to be forgotten"). The company may partially accommodate it by agreeing not to share the circumstances of the departure with others, but for its own records it retains the right to keep that data, since it may be needed to defend a legal claim and includes relevant information such as whether the former employee is eligible for rehire and what position they held before departure.

With few reasonable exceptions, companies are otherwise expected to accommodate personal data rights requests from data subjects. Article 12(3) requires a response without undue delay and in any event within one month of receipt; that period may be extended by a further two months where requests are complex or numerous, provided the data subject is told of the extension and the reasons for it within the first month.

Couldn't companies and services just block anyone from the EU from access?

Technically yes, but it is generally agreed that this is not an effective way to sidestep GDPR compliance. Blocking EU IP ranges does not account for VPNs and proxy servers, so people who are in the EU, and therefore in scope under Article 3, can still reach the service, and the company cannot tell that they have. Blocking by network location also does nothing for services used in person, such as banks, transportation, and lodging; whether an EU resident using such a service while physically outside the EU is in scope is itself one of the contested questions noted above, so blocking provides no certainty either way.

There is currently no provision in the GDPR that recognizes simply denying or blocking services to people in the EU as a legitimate means of respecting and protecting personal data. Equally, it makes no allowance for the case where an EU resident falsifies their point of access or other personal data in order to use a service that explicitly wants to avoid EU users.
