What is GDPR?
The General Data Protection Regulation (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive. The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”). It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data. In summary, here are some of the key changes to come into effect with the upcoming GDPR:
- Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
- Increased enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and the damages incurred. The GDPR also provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
If you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organization has a physical presence in the EU. If you have any questions, please don’t hesitate to contact us at email@example.com.
What do W2P Customers need to do?
There are two things that you might need to do depending on your situation and jurisdiction. Below are the only impactful changes we foresee that might affect you as a result of using W2P:
- If you are in the European Union you’ll likely want to sign a Data Processing Agreement with W2P. We’re happy to do so.
Companies using Racad Tech’s W2P Solutions such as GOePOWER, W2P Cloud, W2P Shop, GoPrint2 and uDRAW are considered to be the controller – ‘a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. Racad Tech is the processor – ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
GDPR responsibilities as a Controller
As a Controller, you need to share GDPR-related information with your customers. If a store is created for a specific business customer, the sales contract should cover your and their GDPR responsibilities. You also need to have certain processes in place to be compliant. When the text below refers to W2P users, it refers to store users as well as company and printer administrators.
Storage of personal data
W2P stores personal data of all users. Some fields are mandatory, such as the user’s full name, email address, salutation/gender (if known) and preferred language. Users can see these fields and modify them. Optionally, you can define additional fields and hide these from users. The order history of users is also stored. Stores should include a privacy statement, which you can make available to users using one of the information pages. This privacy statement should provide answers to the following questions:
- What personal information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Data confidentiality and security
It is important that all personal data are transferred and stored in a secure fashion.
- All sensitive data communication between the user’s browser and W2P uses the encrypted HTTPS protocol.
- When users access a store and leave their browser window open, W2P will automatically close the session after a set amount of time. This minimizes the risk of other people tampering with the account data of the user.
- When a security breach leads to a data leak, the local supervisory authority must be informed within 72 hours. All affected users must also be warned. An example of such a leak could be a disloyal employee who exports a list of all the users to make it available to a competitor. To minimize such risks, immediately deactivate the accounts of employees with admin-level access rights when they leave the company. When a data breach occurs, you must not only report it but also document which measures were taken to prevent such a breach from recurring.
- If you share or sell user data to other parties, users must be aware of this.
Accuracy of personal data
Data retention policy
Personal data should not be retained for longer than necessary. If a store for a business customer is no longer in use, you are expected to delete the user profile data it contains within a reasonable time frame. How long personal data are retained is up to you to decide. It is acceptable to wait a few years before doing so, since customers sometimes switch between suppliers, and having the store data at hand if they become a customer again after a year is perfectly fine.
- You are allowed to archive user profile data prior to deleting them. This can be done using Export.
- Other legislation may take precedence over this rule. For example, in most countries invoices must be kept for several years. We recommend exporting all invoices prior to deleting accounts.
Right to be forgotten
Consent must be freely given
The GDPR legislation puts certain restrictions on your ability to subscribe customers to a newsletter. This is especially important if you operate public stores. E-mail marketing is a powerful way to reach out to customers, but you cannot add users to your mailing list without their explicit consent or legitimate interest.
W2P’s GDPR responsibilities as a processor
W2P is hosted by Racad Tech, who acts as a processor of the personal data you manage. RACAD commits to complying with the GDPR legislation. Below are key responsibilities as a processor:
- Processor’s obligation of confidentiality – Processors must ensure that the personal data they process are kept confidential.
- Records of processing activities – In order to ensure compliance, EU data protection law requires processors to keep records of their data processing activities, and to ensure that the information in those records is provided to (or is available on request by) Data Processing Agreements.
- Data security – EU data protection law obliges processors to ensure the security of the personal data they process.
- Data breach reporting – One of the key issues in maintaining the security of personal data is ensuring that the relevant decision makers are aware of any data breaches and are able to react accordingly.
- Liability of processors – EU data protection law recognizes the possibility that processors may be liable for breaches of their legal or contractual obligations. Processor duties include, but are not limited to:
  - Processing data only as instructed by the controller
  - Using appropriate technical and organizational measures to protect personal data
  - Assisting the controller with data subject requests
  - Only appointing sub-processors with the permission of the controller
  - Ensuring sub-processors it engages meet these requirements
Specifically with regard to W2P, the following points are important:
- Each W2P account has a main administrator or producer. This is the person who is the first to get access to the Back End administration and has the ability to add other administrators. In instances where this user account (containing a first name, last name, salutation and e-mail address) is managed solely by Racad, please contact the Racad support team to have the producer account updated.
- The W2P License and Service Agreement has been updated to accommodate GDPR requirements.
- If you prefer to establish a separate Data Processing Agreement with W2P, please provide such a document to your W2P account representative and/or email firstname.lastname@example.org.
Here’s a condensed version of our GDPR Roadmap and steps taken to comply with GDPR:
- Research the areas of our product and our business impacted by GDPR – COMPLETE
- Appoint an internal Data Protection Officer – COMPLETE – Users to contact email@example.com or Racad Tech Support.
- Develop a strategy and requirements for how to address the areas of our product impacted by GDPR – COMPLETE
- Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – COMPLETE