The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation became effective and enforceable on the 25th of May 2018.
Our commitment: Oitchau has undertaken the required business and technology steps to operate in a manner compliant with GDPR.
At Oitchau, maintaining the security of our products and the security of your data are our primary concerns. We understand the responsibility that comes with looking after your data and we use best-practices to ensure it is safely stored and securely managed.
We’ve also created the following FAQs to help our customers stay informed about the GDPR and the changes Oitchau has made.
We store all data in the EU, and compliance with international law and regulations is very important to us.
What changes did Oitchau make to prepare for the GDPR?
We took many steps across the entire company to ensure our compliance with the GDPR. We improved our user management, updated internal policies, and made changes to allow you to tailor how you request consent within our tools.
Based on the research conducted by both our in-house and outside counsel, we are confident these changes address the requirements of the GDPR.
We built new features to enable our customers to easily meet their GDPR obligations. Oitchau helps you meet your data portability requirements: you can request an export of all data linked to an individual and permanently delete all data linked to an individual user.
What is the GDPR?
The GDPR is a comprehensive data protection law that replaces existing European privacy laws and strengthens the protection of personal data in an increasingly data-driven world. The GDPR is enforceable in each EU member state and gives the providers of personal data greater control over that data.
What is personal data?
Any information related to a natural person (individual) that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, medical information, or a computer IP address.
Who does it affect?
The GDPR applies to any organization that processes personal data of EU individuals, regardless of whether the organization has a physical presence in the EU. For Oitchau customers, that’s any organization with one or more employees in the European Union.
What are the main rights of Data Subjects?
Anonymisation/pseudonymisation: Personal data should be anonymised when possible. To achieve anonymisation or pseudonymisation, all information that can identify an individual should be encrypted or removed when possible.
Right to be forgotten: Entitles individuals to have the data controller delete their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for deletion include the data no longer being relevant to original purposes for processing, or an individual withdrawing consent.
Right of access: Entitles individuals to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Furthermore, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
Data portability: Individuals have the right to obtain and reuse their personal data for their own purposes across different services. On request, data controllers must give individuals their data in an easy-to-read format or pass it directly to the new provider.
Data breach notifications: Data breaches that may pose a risk to individuals must be notified to the relevant Data Protection Agency (DPA) within 72 hours and to affected individuals without undue delay.
Privacy by design: Under GDPR, it is a legal requirement to design products and services with data protection measures in mind. Privacy settings must also be set at a high level by default, and personal data is not processed unless necessary for specific purposes.
What is the difference between a data processor and a data controller? How do I know what my business is?
A “Data Controller” is an organization that collects personal data from EU residents. A “Data Processor” is an organization that processes EU resident personal data on behalf of a data controller.
In the case of Oitchau, our customers are “data controllers” as they collect information from their employees (name, contact details, emails, photos). Because we hold and process this data in the Oitchau Application under instruction, we (Oitchau) are the “data processor”.
Where is my personal data stored?
All personal data collected from EU residents is stored in Belgium.
As an employee, how do I request that Oitchau delete my data?
Because your data is held in both your Oitchau account and your current or previous employer’s records (your company employee account), the process to delete your data in Deputy requires two steps.
Delete your employee account
To delete the information your current or previous employer holds about you, you need to send a request directly to this employer asking them to delete your employee account. They can then delete your employee account in Oitchau. If you have worked for multiple employers, you will need to contact each employer individually.
As an employer, how do I delete an employee account?
To delete an employee account and its associated personal information the employee account must first be deactivated.
Who can delete an employee account?
Only System Administrators can delete accounts.
When I delete an account, how much data is deleted?
All data associated with that account, including contact details, previous timesheets, schedules, and employment terms.
Can I recover a deleted account?
No, once an account is deleted it cannot be recovered.
What are the penalties for non-compliance with the GDPR?
Organizations can be fined up to 4% of annual global turnover or €20 million (whichever is greater) for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
Given the uncertainty around Brexit, what does this mean for companies operating in the UK?
If you process and hold the personal data of citizens in the EU, then you need to comply with the regulation regardless of what country you operate in. The UK is currently within the EU and accordingly, the GDPR applies. If your activities are limited to the UK, then your exact requirements post-Brexit are not yet clear.
The UK Government has indicated it will implement equivalent or alternative regulations. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.
Further questions and information sources
If you have more detailed questions about how Oitchau is GDPR compliant or what it means for your business, please contact [email protected]
For extensive information about the GDPR please visit https://www.eugdpr.org/eugdpr.org.html