EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.
1. DEFINITIONS
The GDPR creates an EU-wide set of standards for the protection of digital personal data relating to the online or real-world behavior of EU internet users. Importantly, these standards apply to the personal data of EU internet users regardless of the location of the entity holding their data. In this sense, the standards have significant extraterritorial reach. This regulation replaces Directive 95/46/EC, commonly referred to as the Data Protection Directive, which had set a goal that all EU countries were expected to meet. Individual member states separately enacted national legislation implementing the directive's goals, creating an unwieldy regulatory patchwork. The GDPR was intended to harmonize those standards but still allows individual member states discretion on a number of provisions. On data processing, for example, there is flexibility over the means by which entities can demonstrate GDPR compliance, over data transfers outside the EU, and over freedom of expression in the media.
The GDPR defines personal data as “information relating to an identified or identifiable natural person.” This understanding of personal data includes IP address, device ID and customer reference number. Importantly, these protections apply to all corporate entities that process the personal data of EU citizens, even if the processing of relevant data does not take place within the EU. The new regulation also imposes restrictions on transferring personal data outside of the EU. Personal data may be transferred outside the EU only if the European Commission determines that the receiving jurisdiction “ensures an adequate level of protection” consistent with the GDPR; the processing entity has provided “appropriate safeguards”; or the individual has provided specific consent for the transfer. Furthermore, the GDPR guarantees a number of privacy rights to EU internet users, including mandatory, prompt notification of data breaches likely to “result in a risk for the rights and freedoms of individuals,” access to one’s personal data, the ability to instruct an entity to erase one’s personal data (consistent with the “right to be forgotten”), and the ability to move one’s personal data from one processing entity to another. Together, these rights are at the heart of the regulation’s purpose—“to give citizens back control over their personal data.”
These objectives are advanced through several mechanisms. First, organizations that breach their obligations can be fined as much as 4 percent of their annual global turnover or 20 million euros (whichever is greater). This fine applies primarily to breaches of the GDPR's consent requirements, which relates to the second point: under the GDPR, consent must always be unambiguous. For special categories of personal data (e.g., race or ethnicity, political opinion, genetic data, union membership), affirmative, explicit consent is required. Third, the GDPR requires that entities monitoring data subjects "on a large scale" or, again, processing special categories of personal data appoint a data protection officer. Such officers advise their organization on GDPR compliance, serve as a point of contact for subjects inquiring into their data, and liaise with EU supervisory authorities. Fourth, the GDPR encourages the creation of data protection certification mechanisms, so that entities can clearly demonstrate compliance with the regulation. Individual EU member states as well as entities within the European Commission are empowered to enforce the provisions.
2. COLLECTED DATA IN EDITION DIGITAL
Edition Digital collects information from registered users, which includes personal information, at different points on our web administration site and through our software, as follows:
- [required] Email address - for registering new users and for the login process
- [required] Password - for the login process
- [optional] First name, last name and gender - for better teamwork within the administration
- [required] Role - for the access level within the administration
- [optional] Phone number - for Customer Service Support
- [required] Time zone - for localized statistics
- [optional] Billing address - for the payment process through the recurly.com payment gateway
- [required] Logged-in IP address - for security reasons and fraud control
- [required] Statistical data - for a better user experience within the administration
- Please note that we do NOT store credit/debit card information
- Please note that we do NOT share personal information with any third party
3. HOW TO DELETE MY PERSONAL INFORMATION
If you want to close your Edition Digital account, go to the Administration tab, choose the My Account area and confirm the deletion by pressing "Delete my account".
Your opt-out request will be processed within 10 business days of the date it was received. You will be notified at your registered email address immediately after the deletion of your personal information from our records.
4. OUR RESPONSIBILITIES
GDPR compliance adds security responsibilities and obligations:
- To notify clients of data breaches within 72 hours of becoming aware of them
- To provide transparent information to data subjects
- To demonstrate data subjects' consent to the processing of their personal data
- To respond promptly to, and act on, requests from data subjects for the erasure of their personal data