European Union Privacy Law
NOTE: The information included on this page is meant to guide you through the process of understanding GDPR and is not a substitute for legal advice. We advise everyone to seek their own legal opinion from a qualified lawyer.
The GDPR changes that came into force in May 2018 have an impact on businesses both in and outside of the EU, with businesses that fail to comply with GDPR potentially facing heavy fines.
What is GDPR?
GDPR is short for the General Data Protection Regulation and took effect on May 25 2018. European lawmakers are trying to create a harmonized data privacy law across all the EU member states. Its stated purpose is to:
- Support privacy as a fundamental human right
- Require companies that handle personal data to be accountable for managing that data appropriately
- Give individuals rights over how their personal data is processed or otherwise used
So how is personal data defined?
GDPR defines personal data as “any information relating to an identified or identifiable natural person.”
Alright, so what does that actually mean?
Personal data refers to more than just the kinds of information you would naturally think about: name, address, email address, identification numbers, financial information, contact information, etc. It also can include information related to your digital life, like an IP address, browsing history, geolocation, cookies, or any other digital identifiers.
It can also mean information about a person’s identity, including things such as their physical, mental, social, economic or cultural identities.
So if information could be traced back to or related in some way to an identifiable person, it is highly likely to be considered “personal data” under GDPR.
What rights does the GDPR provide to individuals?
There are several rights an individual may exercise under the GDPR, including:
- Right of access: Individuals can ask for a copy of the personal data retained about them and an explanation of how it is being used.
- Right to rectification: Individuals have the right to correct, revise or remove any of the personal data retained about them at any time.
- Right to be forgotten: Individuals can ask to delete their personal data.
- Right to restrict processing: If an individual believes, for example, that their personal data is inaccurate or collected unlawfully, the individual may request limited use of their personal data.
- Right of portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format.
- Right to object: Where an individual decides that they no longer wish to allow their personal data to be included in analytics or to receive direct marketing emails or other personalized (targeted) marketing content at any time, the individual may opt out of use of their data for these purposes.
Please note: these rights are not absolute, and limitations/exceptions may apply in some cases.
Controllers and Processors
There are two types of parties that have a responsibility regarding the handling of data: the Controller and the Processor. It is important to determine if you are acting as a controller or a processor and understand your responsibilities accordingly.
- A Controller determines the purposes and means of the use of personal data.
- A Processor on the other hand, only acts on the instructions of the Controller and processes personal data on their behalf.
FortressDB and GDPR – Who is the Controller?
FortressDB can be either a Controller or a Processor. If you create an account on FortressDB.com, the personal data that you provide, falls under the remit of Controller. I.e. we collect data about you in order to transact business with you. Typically this is your name and email address. For paying clients we use PayPal, so never store your credit or debit card details. For more information see out Terms and Conditions.
If you use FortressDB to store personal information about your clients, then you are the Controller. In this instance we are the Processor. An example would be a contact form. You are the Controller for this. FortressDB provides a service for you to manage your users personal information.
FortressDB enables you to create your own data structures. You might decide to store information that is personal to you, your family, friends or colleagues. If this is in a table that you have created, then you are the Controller. In other words, this is not data we need to carry out business with you, but data you have decided you want to store. So in this instance you are the Controller and FortressDB is the Processor.
FortressDB is only the Controller for data we have asked you to provide. We only ask for what we believe is the minimum data to be able to work with you.
We strongly recommend you take the time to review how this applies to you.
Access to personal data may be granted when such access is necessary for technical reasons such as the resolution of an issue, or for law enforcement when it is legally entitled to such access.
How does the GDPR affect my business?
Individuals, companies, or businesses that that need to comply with the GDPR law are:
- have a presence in the EU
- or, if no presence, offer goods or services to/monitor the behaviour of, individuals in the EU
We have reviewed and updated, as necessary, our agreements with our subcontractors to ensure they comply with GDPR and any agreements include the necessary GDPR terms.
Please consult with your own legal counsel about whether GDPR applies to you and your business and what actions you need to take to ensure that you comply with the GDPR.
What do I need to do differently to comply with GDPR?
If GDPR applies to you, there are various obligations you will need to comply with in order to continue doing business with your customers from the EU. Not all of these obligations are new, so you should be complying with many of them already.
If relevant to you, the most important differences to pre-May2018 are:
- More information about your use of personal data must be communicated to your customers. You should make sure that if you have privacy notices/policies these are updated to reflect the new requirements of the GDPR, including setting out the purposes of your processing personal data, how long you are retaining such data, and what legal basis for use of personal data are you relying on.
- You need to determine the legal basis for your use of personal data: If you are relying on consent to use your customers’ data you should ensure that the consent you have meets the new requirements of GDPR . Please note that sending marketing emails or showing promotional content in any form to your customers may require, in certain circumstances, prior opt-in consent from them..
- You will also need to comply with the rights provided to individuals by the GDPR. See section above “What rights does the GDPR provide to individuals?” for details.
You should consult with your legal counsel on the above and your other obligations under GDPR.
What if you have more questions about GDPR?
If you have specific questions about GDPR, you should refer to the GDPR website.
The rules contained in the EU Directive on Privacy and Electronic Communications is under review and we are expecting a new ePrivacy Regulation to be finalized soon.
Once these new rules are finalized, we will be reviewing our forms and features again to ensure compliance.