Effective May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will provide new global data protection rights for individuals in the European Union. The GDPR is intended to strengthen individuals’ data privacy rights. The GDPR applies to EU and non-EU organizations of any size that provide goods or services to the EU or monitor EU users’ behavior, and that process or control data subjects’ personal data.
Personal Data under the GDPR
Under the GDPR, personal data is defined to be any personally identifiable information (PII), including a person’s name, passport number, birth date, etc. It may also include data that is non-PII — like IP addresses or device IDs — if other available information paired with the non-PII makes an individual personally identifiable.
Reorg Research and the GDPR
Reorg Research and its affiliates (collectively, “Reorg”) believe the GDPR is a significant step forward in data privacy and support the GDPR’s emphasis on strong data privacy protections and security principles. Reorg is committed to ensuring that it is GDPR compliant when the law becomes enforceable on May 25, 2018, and is dedicated to helping our customers become GDPR compliant.
Reorg Research’s steps to ensure it is GDPR-ready include:
- Providing a GDPR-compliant Customer Data Processing Agreement covering Reorg’s processing of personal data under the GDPR on behalf of its customers and their authorized users. As a customer of Reorg, you are a data controller, and Reorg acts as a data processor for your users. If you are a customer of Reorg and you and/or your authorized users are in the EU, please ask your sales contact for Reorg’s Data Processing Addendum.
- Vendor agreements review: To ensure that our customers’ personal data is protected all the way down the sub-processing chain, we are reviewing our vendor agreements and putting GDPR-compliant terms in place with vendors and service providers who process GDPR personal data on our behalf.
- Ensuring that the Reorg platform and services are GDPR compliant and support GDPR rights, including by implementing changes focused on access controls, account and record deletion, security, storage, and audits. Reorg is also working internally with our engineering, product, and security teams to ensure that we are able to help our customers respond to any data subject requests they may receive, and to proactively ensure GDPR compliance for every new product or enhancement.
- Evaluating our Privacy and Cookie Notices and making any updates as necessary.
Does the GDPR require EU personal data to stay within the EU?
- No, the GDPR does not require EU personal data to stay in the EU. However, the GDPR does require that a valid transfer mechanism is in place to protect the data before it leaves the EU. Reorg has developed model contractual clauses to permit the transfer of data among itself and its affiliates and subcontractors.
Does processing EU personal data always require the data subject’s consent?
- Consent is only one of the legal bases that can be used for the processing of personal data. For example, personal data can also be processed:
  - When necessary for the performance of a contract to which the data subject is a party;
  - When an organization has a legal obligation to do so (such as the submission of employee data to a tax authority); and
  - Under an organization’s legitimate interests, which may include commercial and marketing goals. The legitimate interest must not, however, override the data subject’s rights and interests.
Do EU data subjects have an absolute right to have their personal data deleted upon request?
- A data subject’s right to have his or her data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if further processing is required to comply with a legal obligation.