Q: What is Gelato’s position on GDPR?
A: Gelato takes data protection seriously and we comply with data protection laws that apply to us. We will ensure that our services align with the GDPR. We've built tools to help people manage their data and understand their choices with respect to how we use their personal data. We appreciate that the GDPR requires our printers and business partners, acting as data processors, to have the appropriate safeguards in place.
Q: When is the GDPR coming into effect?
A: The GDPR will be in force from 25th May 2018.
Q: Is the regulation new?
A: There have been privacy protection directives before, but this time the EU made it a regulation, meaning it is direct law in all EU countries simultaneously. The rights of individuals are strengthened, and companies need to show transparency and accountability in how they comply with the regulation. This means we need to disclose what data we gather and why. We also need to go through our processes and make sure they are watertight.
Q: What constitutes personal data?
A: Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Q: Why is Gelato affected?
A: Since we are a company in the EU and we handle data for EU citizens in order to provide our services, we need to comply with the regulation.
Q: How are we affected?
A: Gelato is a Data Controller of personal data (decides the purpose and means of the handling) and we ask our Printers to process the data on our behalf.
Q: What about our Suppliers and Printers?
A: Our Printers and Suppliers can handle personal data, but they need to sign a Data Processing Agreement with us if they are considered Data Processors. (This applies to all printers and some suppliers. Not all suppliers process personal data.)
Q: Can we transfer data out of the EU?
A: Yes, we can transfer data out of the EU (e.g. to printers and to suppliers who assist us), but we need to sign a Data Processing Agreement with them and add Standard Contractual Clauses, which the EU requires (for EU companies), and a so-called “Privacy Shield” certificate requirement (from US companies).
Q: What are the penalties for non-compliance with the GDPR?
A: Organizations can be fined up to 4% of annual global turnover for breaching the GDPR or €20 million, whichever is the highest.
Q: What is the difference between a data processor and a data controller?
A: A controller is the entity that determines the purposes, conditions and means of the processing of personal data (Globe Customer and Gelato), while the processor is an entity which processes personal data on behalf of the controller (Printer).
Q: Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?
A: The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Q: What about Data Subjects under the age of 16?
A: Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
Q: What is the difference between a regulation and a directive?
A: A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.
Q: What do we need to do in case of any infringement or data breach?
A: Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.
Due to our preparations, we believe our customers and partners can feel confident in continuing to work with Gelato. We are happy to address any questions or concerns submitted to email@example.com.