GDPR

The General Data Protection Regulation (GDPR) is the most stringent privacy and security law ever formed globally. However, the European Union (EU) has established it, it applies to any organization worldwide that targets or collects data from EU citizens. It was enforced from May 25, 2018. This regulation introduced the provisions of imposing severe fines, reaching tens of millions of euros, for those who breach data privacy and security standards.

Eminenture abides by this significant regulation, as its protocols signify our commitment to data privacy and security. Maintaining this security is crucial as more people rely on cloud services. Also, data breaches are becoming increasingly common.

This page will help all users understand how we are committed to complying with GDPR. Although not a substitute for legal counsel, it offers advice on privacy tools and risk mitigation strategies. As the GDPR is continuously interpreted, we will update you on emerging best practices.

GDPR applies to Eminenture services, as we offer services to global customers, including EU residents.

Considering the penalties, the violation of the GDPR will lead to paying hefty penalties. There are two tiers of these penalties, whose maximum limit is €20 million or 4% of global revenue (whichever is higher). Also, data subjects can seek compensation for damages separately.

Here are the components on which GDPR is applied.

1. Personal information

Personal information can be any data that pertains to the identity of individuals, either directly or indirectly. The obvious identifiers include names, email IDs, with location details, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions. Even pseudonymous data is classified under it if it can reasonably identify someone.

2. Data handling

Data handling or management refers to the practice of handling data, which Eminenture does, whether automatically or manually. It is applicable to collecting, recording, organizing, structuring, storing, utilizing, deleting, and essentially manipulating.

3. Data subject

A data subject is considered the one whose information is being processed, they can be our customers or customers’ customers, website visitors, etc.

4. Data controller

It is the entity that determines the purposes and methods of processing personal information. Eminenture is an owner, handling data within your organization, as the data controller.

5. Data processor

It can be a third-party aligned with processing personal data on behalf of a data controller. GDPR imposes specific regulations on them.

Principles to Abide By

We abide by these principles that are outlined in Articles 5.1-2 of the EU.

1. Lawfulness, fairness, and transparency: We are engaged in lawful, fair, and transparent data processing of the data subject.
2. Purpose limitation: We process data for the explicit purposes that we communicate to the data subject during collection.
3. Data minimization: We collect and process only the necessary data for the specified purposes.
4. Accuracy: We keep personal data accurate and up-to-date.
5. Storage limitation: We store personally identifiable data only for the duration required for the specified purpose.
6. Integrity and confidentiality: We ensure appropriate security, integrity, and confidentiality during data processing.
7. Accountability: As a data controller, we are responsible for demonstrating GDPR compliance with these principles.

Accountability

As the GDPR mandates, Eminenture as a data controller, demonstrates GDPR compliance. This entails:

1. Aligning data protection responsibilities within our team.
2. Maintaining detailed documentation of data collection, usage, storage, and responsible personnel.
3. Training staff and implementing security measures.
4. Establishing Data Processing Agreement contracts with third-party data processors.
5. Optionally, appoint a Data Protection Officer (DPO) to oversee compliance.

Data Security

We handle data securely by taking appropriate technical and organizational measures, such as:

1. Two-factor authentication for accessing personal data
2. Server providers using end-to-end encryption
3. Staff training and privacy policy integration

Data protection by design and by default

We consider data protection principles during the design of new products or activities to minimize risks and ensure compliance. Here is how:

1. Legal grounds for data processing

We ensure that all data processing is legally justified according to one of the bases outlined in Article 6 of the GDPR:

1. Get clear consent from the data subject.
2. Necessity to meet contractual agreements.
3. Comply with legal obligations.
4. Vital interests of the data subject.
5. Public interest or official authority.
6. Legitimate interests of the data controller, balanced with data subject rights.

2. Consent

We abide by strict rules regarding consent, which are given below:

1. Data subjects can withdraw consent at any time.
2. Children under 13 require parental consent.
3. Maintain documented evidence of consent.
4. Consent must be freely provided, specific, informed, and unambiguous.
5. Requests for consent should be clearly presented in plain language for comprehensibility.

3. Data Protection Officers

We've appointed a Data Protection Officer (DPO) to proactively ensure GDPR compliance. His duties include providing guidance, conducting audits, and acting as a liaison with regulatory bodies.

4. Privacy Rights of Data Subjects

We recognize the privacy rights granted to data subjects under the GDPR, which include the right to access, rectification, erasure, and objection to automated decision making.

5. Governance

We translate GDPR into actionable steps, norms, and values. It is done by identifying and implementing effective measures required for compliance.

This regulation makes it necessary to secure the rights of data subjects by securing the privacy of information or data. If you have further burning questions, explore its FAQ page for a detailed overview.