GDPR Policy

The General Data Protection Regulation (GDPR) is a key data privacy law from the EU that governs how the personal data of individuals in the EU and EEA is handled. It aims to give individuals control over their personal data and standardizes data privacy laws across Europe. Organizations must follow principles like obtaining clear consent for data processing and ensuring data protection by design. The GDPR grants individuals rights to access, correct, delete, or transfer their data and imposes heavy penalties for non-compliance.

GDPR – What AltTask is doing about it

AltTask has consistently prioritized the privacy and protection of its users’ data. Our dedication to these principles has been evident through our efforts to surpass industry standards over the years. We only collect and process personal information to the extent necessary for our products to function, and we are committed to maintaining this approach. At AltTask, we cultivate a culture that values privacy, viewing GDPR not as a hurdle but as a chance to further reinforce our commitment to data protection.

What is GDPR?

GDPR, the General Data Protection Regulation, is a comprehensive privacy and data protection law in the EU that governs how companies must protect EU residents’ data and grants those residents greater control over their personal information.

This regulation is pertinent not only to businesses based in the EU or those serving EU residents but to any company operating on a global scale. Recognizing the importance of our customers’ data, regardless of their location, we have adopted GDPR controls as the foundational standard for all our operations globally. The GDPR has been in effect since May 25th, 2018.

What is personal data?

Personal data encompasses any information related to a person who can be directly or indirectly identified. Under GDPR, the scope of what constitutes personal data is wide-ranging, covering not only obvious details like a person’s name or email address but also a variety of other information. This can include financial details, genetic and biometric data, IP addresses, physical addresses, and ethnic background. Essentially, if information—either on its own or when combined with other data—can identify an individual, it falls under the category of personal data as defined by GDPR.

FAQs

1. What is GDPR?

The General Data Protection Regulation (GDPR) marks a significant overhaul in data privacy and protection laws within the EU. Recognizing the rapid advancements in technology against the backdrop of outdated privacy laws, the EU took a decisive step in 2016 to modernize its Data Protection Directive to align with the contemporary digital landscape. This legislation establishes a detailed framework for managing the personal data of EU residents.

2. Who is affected by GDPR?

The GDPR is relevant to any entity that handles the personal data of individuals residing in the EU. It introduces specific responsibilities for entities processing data (data processors) and clarifies the obligations of those who determine how and why data is processed (data controllers).

3. Where does the GDPR apply?

The reach of the GDPR is not confined by geographic limits. Regardless of where an organization is based, if it processes the personal data of EU residents, it falls under the purview of the GDPR.

4. What are the penalties for non-compliance?

Violating GDPR guidelines can result in substantial fines, up to 4% of an organization's annual global revenue or €20 million, whichever is higher.

5. Who are the key stakeholders?

- Data Subject: An individual in the EU to whom the personal data belongs.

- Data Controller: The entity that decides why and how personal data is processed.

- Data Processor: The entity that processes data on behalf of the controller.

- Supervisory Authorities: Governmental bodies tasked with enforcing GDPR compliance.

6. What is personal data or Personally Identifiable Information (PII)?

Personal data, or Personally Identifiable Information (PII), encompasses any information that can be used to directly or indirectly identify a person. This includes both direct identifiers, such as names, email addresses, and phone numbers, and indirect identifiers, like dates of birth and gender.

7. What are the Major Updates from Previous Data Protection Rules?

The GDPR introduced several significant updates to enhance and expand the rights of data subjects concerning their personal data. Key changes include:

- Explicit Consent: Individuals must be clearly informed about the processing of their personal data, and it must be as straightforward to withdraw consent as it is to give it.

- Right to Access: Data subjects have the right to know exactly what personal data is being stored or processed about them at any time.

- Right to be Forgotten: Individuals can request the deletion of their personal data from an organization's systems.

- Obligations for Processors: The GDPR increases the responsibilities of data processors, who must now demonstrate compliance with the regulation and adhere to the instructions of the data controller.

- Data Protection Officer (DPO): Many organizations will need to designate a DPO responsible for ensuring compliance with GDPR, managing data protection strategies, and serving as the point of contact for supervisory authorities.

- Privacy Impact Assessments (PIA): Organizations are required to conduct PIAs for processing activities that pose a high risk to individuals' rights and freedoms, aiming to minimize risks and implement mitigating measures.

- Breach Notification: In the event of a data breach, organizations must notify the relevant supervisory authority within 72 hours, and, when the breach poses a high risk to individuals' rights and freedoms, notify the affected data subjects without undue delay.

- Data Portability: Individuals have the right to receive their personal data in a commonly used and machine-readable format and, where feasible, have it transferred directly to another data controller.

8. What are the lawful bases the data controller can use to process customer data?

Data controllers are permitted to process personal data based on six lawful grounds, each suited to different scenarios:

- Contractual Necessity: This is applicable when processing of personal data is essential for fulfilling contractual obligations with the customer or to undertake per-contractual steps at the customer's request (e.g., providing a quote or invoice).

- Legal Compliance: This basis is used when processing is necessary to comply with legal obligations (e.g., responding to lawful requests from authorities).

- Protection of Vital Interests: This ground pertains to situations where processing is necessary to protect someone’s life, making it particularly relevant for processing health data in emergencies.

- Performance of a Task Carried Out in the Public Interest: This applies to processing necessary for performing a task in the public interest or in the exercise of official authority vested in the data controller.

- Legitimate Interests: This basis is for processing necessary for the purposes of legitimate interests pursued by the data controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject. This includes commercial interests, individual or societal benefits. Controllers are required to conduct a Legitimate Interests Assessment to justify such processing.

- Consent: Consent is a valid basis when the data subject has given a clear affirmative act establishing a freely given, specific, informed, and unambiguous agreement to the processing of their personal data.

9. What is LIA?

Legitimate Interests Assessment (LIA) is a framework used by organizations to justify processing personal data under the premise of legitimate interests. It encompasses:

- Identifying Legitimate Interest: Pinpointing a concrete reason for data processing that benefits the organization.

- Necessity Test: Demonstrating that the processing is essential for the stated purpose.

- Balancing Test: Weighing the organization's interests against the individual's rights to ensure the latter isn't overridden.

Documentation of the LIA is critical for demonstrating compliance and accountability, showing that the rights of individuals have been duly considered.

10. Where can I find additional resources on GDPR?

For further insights and information on GDPR, consider exploring these resources:

- Supervisory Authorities: Details on members can be found at [European Data Protection Board](https://edpb.europa.eu/about-edpb/board/members_en).

- EU Data Protection Supervisor: Visit [EDPS](https://edps.europa.eu) for more information.

- GDPR Official Site: For comprehensive GDPR guidelines, check [gdpr.eu](https://gdpr.eu/).

- Business and Organization Rules: The European Commission provides details at [EU Data Protection Rules](https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en).

- Guide to GDPR: The ICO's guide for organizations is available at [ICO GDPR Guide](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/).

Please note that AltTask does not vouch for the content on these sites and does not explicitly endorse them.

By using our software, you agree to adhere to our GDPR policy, ensuring the protection and privacy of your personal data. For details, please refer to our updated policy on https://gdpr.eu.