How GDPR affects you
We at ARH welcome the new regulations: we believe that GDPR is a major and timely set of measures that provides the common legislative frame of reference throughout the EU. The new GDPR legislation forces corporations to minimize the storage of personal data in terms of both time period and data scope – as well as create the necessary means to guarantee data security.
This guideline has mainly been written for system integrators, value added resellers and distributors.
What is GDPR
The General Data Protection Regulation contains provisions concerning the personal data of EU citizens (PII, Personally Identifiable Information), in particular about the collection, processing, storage and transfer of such data.
The main objective of the regulation is to unify and improve personal data protection rights of EU citizens. GDPR allows EU citizens – called data subjects in the GDPR – to exercise their right to access and erase their own personally identifiable information (PII) data, and it sets new requirements for organizations in case of breach of personal data stored by them.
What is personally identifiable information (PII)?
Personally Identifiable Information (PII) has been defined as any information that can directly or indirectly be used to identify an individual. This includes:
- the person’s name or username
- home address and email address
- data collected by IoT (Internet of Things) devices, e.g. mobile payment and location data
- financial information e.g. income, bank account
- video recordings
- activity of and information about the card holder
- license plate
How GDPR affects you
GDPR affects all organizations that collect and store the personal data of EU citizens. GDPR applies to companies registered within the EU as well as to multinational corporations that conduct business in the territory of the EU. Furthermore, company websites have to conform to GDPR provisions if the websites are visited by EU citizens.
Organizations have to be GDPR compliant even if they do not use personal data for tracking. Organizations have to comply with the provisions of the new regulation in order to protect the data and guarantee the rights of data subjects.
The new provisions define two types of organizations:
- Data controllers
- Data processors
Data controllers
Any organization that collects PII data about EU citizens. In the case of physical security systems, if a company collects card holder information or video recordings, then the company is a data controller.
The data controller can be an integrator company that determines the means and purpose of data collection, or a third-party company acting as data controller on behalf of the system integrator company. Data control can be any operation (query, alteration, collection, recording, storage etc.).
Data processors
Any organization that handles or processes PII data on behalf of data controllers, for instance cloud computing providers or companies that offer security services for their customers.
The activities of data processors have to be more transparent for data subjects.
Rights of data subjects
According to GDPR, individuals – called data subjects in the GDPR – have multiple new rights, including the right to be forgotten, which means that all of their personal data have to be erased from the organization's systems. Individuals have the right to prohibit the processing of their personal data for marketing purposes.
In order to increase transparency, the new regulation mandates personal data breach notification: the data controller shall notify the supervisory authority of a personal data breach within 72 hours. GDPR defines new administrative requirements for controlling, modifying, storing and analyzing PII data.
Right of access by the data subject: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information listed in the regulation.
Right to rectification: The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure of personal data: A data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay, under certain well-defined conditions.
Right to be forgotten: Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to restriction of processing: The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing; in this case restrictions are valid pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability: The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Right to object: The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data where the processing is based on the legitimate interest of the data controller or on the performance of a task carried out in the public interest.
- Right to object to direct marketing: If personal data are processed for direct marketing purposes, the data subject has the right to object to the processing of his/her personal data, including the right to object to profiling to the extent that it is related to direct marketing. If the data subject objects to the processing of his/her personal data for direct marketing purposes, then the personal data of the data subject can no longer be processed for this purpose.
- Right to object to automated processing: The data subject has the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning him or her or similarly significantly affects him or her.
Your GDPR compliant system – as easy as ABC
ARH products are a firm foundation for building your GDPR-compliant systems. We have done the bulk of the work: our products allow fully GDPR compliant handling of PII data. Since ARH products are components rather than entire systems, you as ARH’s direct client – and system integrator – only need to design and implement a system from components that meet the applicable GDPR requirements.
More on GDPR: EU Data Protection page.