GDPR Roles
Data Controller
(7) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;[1]
You, as a Dear Lucy customer, are a data controller. This means that you determine the purposes and means of the processing: which data is collected, who may access it, and the context and extent of the processing carried out by us, the data processor.
Data Processor
(8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller [2]
Dear Lucy, as a service provider, is a data processor. We undertake to implement and enforce appropriate technical and organisational measures to protect the rights of data subjects and to keep all our customers' data secure. As a processor, Dear Lucy is accountable both to the data controller and to the supervisory authorities.
Personal Data and Data Subject
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;[3]
Data subjects in the Dear Lucy service can be, for example, your company's employees or sales people, or your customers' contact persons. In all our integrations we follow the practice of minimising the amount of personal data collected.
Data Subject Rights
Under GDPR, data subjects have explicit rights around how their personal data is managed. These rights include[4]:
Right to be Informed
All individuals have the right to be informed when their personal data is being collected and stored, what type of data is stored and for how long, and the purposes of the processing for which the personal data are intended [Articles 13, 14, 19].
Dear Lucy
- Provides an up-to-date and GDPR-compliant Service description and Privacy Policy, which describe how personal data is processed inside the service
- Informs the data controller when material changes to the service are made, as required by the GDPR
Right to Access & Right to Rectification
Individuals have the right to access their personal data and to know the purpose for which it is processed [Article 15]. The data subject also has the right to have any incorrect or inaccurate information concerning him or her corrected [Article 16].
Dear Lucy
- Which data is processed by Dear Lucy is decided by the data controller
- Access to a data subject's data is handled according to each customer's own processes
- Data in Dear Lucy is collected through integrations with customers' systems. In principle, personal data is therefore rectified automatically once it has been updated in the source system
Right to Erasure
Individuals have the right to have their personal data erased when it is no longer necessary for the purposes for which it was processed [Article 17].
Dear Lucy
- Data is stored only as long as it is needed for reporting on dashboards
- Part or all of a customer's data can be removed from the service on request
- Disaster recovery backups containing customers' data are destroyed automatically as soon as our data retention obligations are fulfilled; they cannot be purged earlier on request, because the same backup archives also protect other data
Right to Data Portability
The data subject has the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller [Article 20].
Dear Lucy
- All or part of a customer's data can be exported from Dear Lucy in JSON format
Breach Notification
In the case of a personal data breach, the controller must notify the supervisory authority within 72 hours of becoming aware of it [Article 33], and, if the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also notify the affected data subjects without undue delay [Article 34].
Dear Lucy
- Security is our top priority:
  - We actively follow security releases from the third-party service providers we use
  - We monitor the third-party software components used by our application code and keep them updated with the latest security releases
  - Our systems are regularly audited by an independent third party
- In the unlikely event of a data breach, we will notify you immediately and provide our customers with instructions on how to notify the authorities and the data subjects
[1] GDPR, Article 4(7)
[2] GDPR, Article 4(8)
[3] GDPR, Article 4(1)