GDPR (General Data Protection Regulation) is an update to the European regulations that came into effect on 25 May 2018. It ensures that businesses are collecting and handling personal data in a way that protects the privacy of EU citizens.
Our responsibilities as a ‘controller’ under the GDPR
Controllers are defined by the GDPR as natural or legal persons, a public authority, agency, or other bodies to which personal information or personal data has been disclosed, whether via a third party or not, and who determines the purposes and means of processing personal information. We are a controller under the GDPR as we collect, use, and store your personal information to enable us to provide you with our goods and/or services. As a controller, we have certain obligations under the GDPR when collecting, storing, and using the personal information of EU citizens. If you are an EU citizen, your personal data will:
- be processed lawfully, fairly and in a transparent manner by us;
- only be collected for the specific purposes we have identified in the ‘collection and use of personal information’ clause above and personal information will not be further processed in a manner that is incompatible with the purposes we have identified;
- be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
- be kept up to date, where it is possible and within our control to do so (please let us know if you would like us to correct any of your personal information);
- be kept in a form which permits us to identify you, but only for so long as necessary for the purposes for which the personal data was collected;
- be processed securely and in a way that protects against unauthorized or unlawful processing and against accidental loss, destruction or damage.
We also apply these principles to the way we collect, store, and use the personal information of our Australian customers or clients. Specifically, we have the following measures in place, in accordance with the GDPR:
- Data protection policies: We have internal policies in place which set out where and how we collect personal information, how it is stored, and where it goes after we get it, in order to protect your personal information.
- Right to ask us to erase your personal information: You may ask us to erase the personal information we hold about you.
- Right to ask us to restrict data processing: You may ask us to limit the processing of your personal information where you believe that the personal information we hold about you is wrong (to give us enough time to verify if the information needs to be changed), or where processing data is unlawful and you request us to restrict the processing of personal information rather than it being erased.
- Notification of data breaches: We will comply with the GDPR in respect of any data breach.
Our responsibilities as a ‘processor’ under the GDPR
Where we are a processor, we have contracts containing certain prescribed terms in our contracts with controllers. Depending on circumstances, we can be a controller or processor or controller and processor. In addition to:
- our contractual obligations with controllers (where we are solely a processor); and
- our legal obligations under the GDPR as a controller (where we are both a controller and processor) as a processor we also have the following responsibilities under the GDPR:
- not to use a sub-processor without the prior written authorization of the data controller;
- to co-operate with supervisory authorities;
- to ensure the security of its processing;
- to keep records of processing activities;
- to notify any personal data breaches to the data controller; and
- to employ a data protection officer and appoint (in writing) a representative within the European Union if required by the GDPR. (These are not required for the company at the present time).
GDPR Best Practices for Email Marketing
To help you make sure your email marketing is compliant with the GDPR, we have put together these resources.