GDPR Data Protection. Things to Remember for US Companies

What is GDPR?

GDPR—the General Data Protection Regulation—is a unified system of personal data protection that applies throughout the European Union and has been in force since May 25, 2018. Although individual member states have some freedom to adjust their national laws, it is safe to assume that the rules on personal data processing are substantially the same in all EU states. It’s also important to remember that the GDPR protects the rights and freedoms of EU residents, not necessarily EU citizens.

What does GDPR mean for US companies operating in the EU?

Acting at the intersection of the European and American markets, we are close to clients whose products or services are available to customers in the EU. GDPR has already become one of the top subjects—it impacts a variety of business aspects, but also the processes of service and product design. We’ve invited Krzysztof Muciak, an advocate from JSLegal, to analyze the most important aspects of GDPR that have to be taken into consideration by US companies acting in the EU.


In what cases is a company from outside the EU required to comply with the GDPR?

  1. If the company offers goods or services to data subjects (the persons whom the personal data concerns) who are in the territory of the EU

Legal note: In order to determine if this applies to your business, the intention of the data controller (entrepreneur) is reconstructed; the mere accessibility of the controller’s website in the EU, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention. The factors such as the use of a language or a currency generally used in one or more EU member states with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the EU, may make it apparent that the controller envisages offering goods or services to data subjects in the EU.

  2. If the company monitors the behavior of such persons, insofar as their behavior takes place within the EU

Legal note: The processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU should also be subject to the GDPR when it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the EU. In order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors, and attitudes.


What are the GDPR requirements for such companies? Things to remember!

The GDPR requirements for data controllers (entities deciding on the purposes and means of personal data processing) are broad and include, in particular, obligations regarding:

  • keeping the data secure
  • always having a valid legal basis for processing, such as consent, necessity to perform a contract or comply with a legal obligation, as well as justified interest of the controller
  • informing the data subject about the details of the processing of their data, including the purposes of the processing, the recipients of the data, retention periods and the possibility to exercise any of the data subject’s rights under the GDPR
  • collecting only the categories of data which are necessary to fulfill a particular purpose of processing, and storing them for no longer than necessary for those purposes
  • promptly responding to data subjects’ requests resulting from the exercise of their rights under the GDPR
  • informing the relevant personal data protection authority about any data security breaches (in some cases it is also necessary to inform the data subjects themselves)

Privacy by Design and Privacy by Default

As Polidea delivers software services and our core is mobile development, we’ve looked through the requirements for developers of apps and solutions that process personal data. Two rules are of the biggest importance:

  • Privacy by design rule - implementing appropriate technical and organizational measures, such as pseudonymization and data minimisation, to integrate the necessary safeguards into the processing.

Legal note: Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.

  • Privacy by default rule - implementing appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are actually processed.

Legal note: The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.


What happens when the GDPR requirements are not met?

Failure to comply with the GDPR requirements may result in intervention by a personal data protection authority. This may take the form of a recommendation to take or refrain from certain actions, a warning and/or a fine. The fine may be up to 20 000 000 EUR or, in the case of a company, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Joanna, Communication Lead
Krzysztof Muciak, Advocate, Associate at JSLegal
