This article does not constitute legal advice, nor does it seek to encourage or discourage customers and end users from seeking appropriate legal counsel. The information provided here is intended to build a basic understanding of GDPR law and is neither comprehensive nor conclusive.
GDPR - or the General Data Protection Regulation - is an EU law that will become enforceable worldwide as of May 25th, 2018. Its basic intent is to provide personal data protections and fundamental rights for end users who provide personal data to services, applications, and companies whether they are aware of the data collection and processing or not.
A data subject is an identified or identifiable natural person. A natural person here means an actual human being who exists or has existed. It does not adopt the definition of "person" in the business law sense, so corporations do not qualify as data subjects under GDPR.
"Personal data" under GDPR is defined as:
"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
In other words, it's almost anything relating to a natural person (see above) that can be used to identify them uniquely.
GDPR also defines a more restricted sub-classification of personal data known as sensitive personal data. Sensitive personal data is generally limited to one's biometric and genetic information as well as very personal details such as sexual orientation, political sentiment, and religious association.
Data controllers are defined as "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data."
In other words, they are usually the entities requesting personal data, but they may not perform any of the collection, storage, or processing of that data themselves. Data controllers will typically have some access to the personal data that is collected, stored, and processed.
Following on from the definition of a data controller, a data processor is defined as a "natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller."
In many cases, a data processor is a third party service provider of some variety to another company, service, or application. If your company uses
The ICO recognizes that some companies may be prone to misreporting compliance activities if left to self-implement. To counteract this, the ICO introduces the role of Data Protection Officer (DPO), who is generally responsible for the following:
Not every organization that acts as a data controller and/or data processor needs to appoint a DPO, but these are generally the guidelines for when a DPO is necessary:
Unfortunately, where the line is drawn on what volume of personal data processing constitutes "large scale" is highly subjective, so organizations should err on the side of caution.
GDPR defines the following broad data rights of data subjects:
Bear in mind that while complaints and requests made invoking personal data rights under GDPR are generally accommodated, there do exist certain circumstances in which a data controller or processor can legitimately deny the complaint or request.
EU residents. Some contention exists over whether this means individuals physically located in the EU or anyone who is an EU resident regardless of where they are at the time. The latter interpretation would require GDPR compliance by foreign companies that do any sort of business with EU residents, typically during travel or vacation. It's the safer bet to use the latter interpretation.
When the law talks of "EU residents" it means individuals, and "individual" is restricted to natural persons. In other words, a real, live human being and not a "person" in the business law sense. This means corporations are not protected under GDPR.
Personal data under GDPR is much broader than PII (Personally Identifiable Information) and includes types of data such as geo-coordinates provided by GPS and IP addresses. Personally Identifiable Information is generally a US-specific term and should not be thought of as equivalent to personal data in the context of GDPR.
Yes and no. It depends.
The ICO sets forth some guidelines on the reasons a company may decline to accommodate a request involving personal data rights. The most common reason is legitimate use, which can take precedence over some requests when it comes to retaining and otherwise processing personal data. Legitimate use also covers obligations under other compliance regimes and protocols the company must observe. A less often applicable reason the ICO recognizes is when accommodating the request would demonstrably require exorbitant time, effort, and financial cost.
For example, if an employee is fired from a company after making repeated verbal threats to coworkers, the company may reasonably decline the former employee's request under the right to be forgotten. The company may partially accommodate the request by agreeing not to share the circumstances of the employee's departure with others, but for its own records the company retains the right to keep that data, as it may include relevant information such as whether the employee is eligible for rehire and what position they held prior to departure.
With few reasonable exceptions, companies are otherwise expected to accommodate personal data rights requests from data subjects. Additionally, depending on the type of request, the company in question must accommodate it with all reasonable haste.
Technically yes, but it's generally agreed this is not an effective way to sidestep the need for GDPR compliance. Blocking access from the EU would be ineffective because it does not account for the use of VPNs and/or proxy servers to reach otherwise blocked sites and services. Additionally, given the vague interpretation in the law itself of what constitutes an EU resident, the case of EU residents traveling abroad and using services in person, such as banks, transportation services, lodging, etc., circumvents the "protection" of blocking outside access, since those EU residents are physically located outside the EU.
Currently, there is no provision in the GDPR law that recognizes simply denying or blocking services to EU residents as a legitimate means of respecting and protecting personal data. Likewise, it does not recognize the case where an EU resident falsifies their point of access and other personal data in order to access and use services that explicitly want to avoid EU residents.
Is NocTel seeking GDPR compliance?
It's something that's very much on the radar, but various internal challenges have made progress toward full GDPR compliance slower than we would prefer. Until NocTel attains GDPR compliance, we intend to make our operations relating to personal data and privacy as transparent and straightforward as possible so you know we're on the right track.
Given the size of NocTel, and the fact that the vast majority of customer organizations do not have normal contact with EU residents, NocTel has determined at this time that it is not reasonable to appoint a DPO.
Will NocTel process personal data requests that come from non-EU residents?
NocTel will do its best to treat all personal data requests equally, as GDPR represents valuing and respecting personal data.
Can NocTel accommodate my personal data request directly?
While NocTel will exercise due diligence in honoring personal data requests that are determined to be valid, we do not recommend submitting these requests directly to NocTel. Our reasoning is that our customers are organizations that subscribe to NocTel for business services. Accommodating a data request without the awareness and agreement of the organization the requesting data subject belongs to may disrupt services and the ability of account administrators to manage the data subject's account.
NocTel recommends that any request relating to personal data rights be submitted to your organization first, so that it reaches NocTel with the organization's acknowledgement that some features and manageability may change in relation to you.
What are examples of personal data requests NocTel will not accommodate?
Here are some examples, along with the reasoning why each request will not be accommodated:
What is NocTel's policy for storing and processing personal data?
Generally, NocTel only keeps personal data for as long as it is valid and needed. For example, a setting that stores personal data for a feature will overwrite, and consequently forget, the previous value when it is changed. Likewise, for personal data such as voicemail, NocTel implements an automatic data retention policy that deletes old voicemails that have not already been deleted by the end user.