General Data Protection Regulation

EU General Data Protection Regulation
THE EU GENERAL DATA PROTECTION REGULATION (GDPR) REPLACES THE DATA PROTECTION DIRECTIVE 95/46/EC AND WAS DESIGNED TO HARMONIZE DATA PRIVACY LAWS ACROSS EUROPE, TO PROTECT AND EMPOWER ALL EU CITIZENS DATA PRIVACY AND TO RESHAPE THE WAY ORGANIZATIONS ACROSS THE REGION APPROACH DATA PRIVACY. THE KEY ARTICLES OF THE GDPR, AS WELL AS INFORMATION ON ITS BUSINESS IMPACT, CAN BE FOUND THROUGHOUT THIS SITE.

1. DEFINITIONS

The GDPR creates an EU-wide set of standards for the protection of digital personal data relating to the online or real-world behavior of EU internet users. Importantly, these standards apply to the personal data of EU internet users regardless of the location of the entity holding their data. In this sense, the standards have significant extraterritorial reach. This regulation replaces Directive 95/46/EC, commonly referred to as the Data Protection Directive, which had established goals for all EU countries. Individual member states separately enacted national legislation implementing the directive’s goals, creating an unwieldy regulatory patchwork. The GDPR was intended to harmonize those standards but allows individual member states discretion on a number of provisions. On data processing, for example, there is flexibility over the means by which entities can demonstrate GDPR compliance, over data transfer outside the EU and over freedom of expression in the media.

The GDPR defines personal data as “information relating to an identified or identifiable natural person.” This understanding of personal data includes IP address, device ID and customer reference number. Importantly, these protections apply to all corporate entities that process the personal data of EU citizens, even if the processing of relevant data does not take place within the EU. The new regulation also imposes restrictions on transferring personal data outside of the EU. Personal data may be transferred outside the EU only if the European Commission determines that the receiving jurisdiction “ensures an adequate level of protection” consistent with the GDPR; the processing entity has provided “appropriate safeguards”; or the individual has provided specific consent for the transfer. Furthermore, the GDPR guarantees a number of privacy rights to EU internet users, including mandatory, prompt notification of data breaches likely to “result in a risk for the rights and freedoms of individuals,” access to one’s personal data, the ability to instruct an entity to erase one’s personal data (consistent with the “right to be forgotten”), and the ability to move one’s personal data from one processing entity to another. Together, these rights are at the heart of the regulation’s purpose—“to give citizens back control over their personal data.”

These objectives are advanced through several mechanisms. First, organizations that breach their obligations can be fined as much as 4 percent of their annual global turnover or 20 million euros (whichever is greater). This fine applies primarily to breaches of the GDPR’s consent requirements—which is related to the second point: Under the GDPR, consent must always be unambiguous. For special categories of personal data (e.g., race or ethnicity, political opinion, genetic data, union membership) affirmative, explicit consent is required. Third, the GDPR requires that entities monitoring data subjects “on a large scale” or, again, processing special categories of personal data appoint a data protection officer. Such officers advise their organization on GDPR compliance, serve as a point of contact for subjects inquiring into their data, and liaise with EU supervisory authorities. Fourth, the GDPR encourages the creation of data protection certification mechanisms, such that entities can clearly demonstrate compliance with the regulations. Individual EU member states as well as entities within the European Commission are empowered to enforce the provisions.

Read more: eugdpr.org

2. COLLECTED DATA

This service collects information, which could include personal information, such as:

First name
Last name
Company name
Address
Email address – for registering new users and the login process
Phone
IP address – for security reasons and fraud control
Statistical data – for better user experience
Please note that there is no hidden data collection except, in some cases, your IP address. All other data are explicitly entered by you through a form.

3. HOW TO DELETE MY PERSONAL INFORMATION

If you want us to delete all the personal information you gave us, please write to hi@pinatabags.com and include the email address that identifies your account.

Your opt-out request will be processed within 5 business days.

4. OUR RESPONSIBILITIES

GDPR compliance adds the following security responsibilities and obligations:

To notify clients of data breaches within 72 hours of awareness
To provide transparent information to data subjects
To demonstrate data subject’s consent to processing of personal data
To respond quickly to, and act on, requests from data subjects for erasure of their personal data