The GDPR, or General Data Protection Regulation, is a European privacy law that went into effect in May 2018. It regulates how personal data of individuals in the EU can be collected, used, and processed. The law impacts European companies, businesses that target European individuals, and those that collect, use, or process the personal data of European individuals. This means the GDPR will apply to most organisations that process personal data of EU individuals—regardless of where the business is established and where their processing activities take place.
What constitutes personal data under GDPR?
The GDPR defines “personal data” as any information that can be used to directly or indirectly identify a person, such as a name, unique identifier, photograph, email address, or IP address.
What requirements does the GDPR impose on organisations?
The GDPR imposes the following principles-based requirements:
- Personal data must be processed in a fair, legal, and transparent way for the purpose(s) that the data subject reasonably expected at the time of collection.
- Organisations must be transparent and specify at the time of collection what personal data they collect, how it will be used and shared, and how long it will be retained.
- Personal data should be held no longer than necessary to fulfil its purpose.
- Data subjects have specific rights regarding their personal data. They include the right to request access, deletion, or correction of their personal data; the right to restrict processing of their data; and the right to obtain their data in a format that enables the data subject to transfer it to another organisation.
What roles are assigned to organisations under the GDPR?
Organisations are assigned the role of data controller or data processor. Many organisations will qualify as both, depending on the relationship of the parties and specific data processing activities. This is how SourceWhale views those roles and associated responsibilities:
A “data controller” is the party that alone or jointly with others determines the purposes and means of the processing of personal data, and processes the personal data for its own purposes. While using SourceWhale to source candidates and/or clients, users (“you”) are the data controller because you determine the purpose (e.g. recruiting a candidate) and the means (using SourceWhale) of processing the personal data. Separately, SourceWhale is a data controller for the personal data associated with your SourceWhale account (e.g. your business contact information) because we control the means and purposes of this processing for our use: invoicing, to communicate information about your account and for other administrative functions.
For the candidate and client data you process through the platform, SourceWhale is the “data processor” because we process that personal data on your behalf under an agreement in which you tell us what data to process, for what purpose(s), how long we can keep the data, and any restrictions you impose on our use of the data.