General Data Protection Regulation (GDPR). Friendsvow (“us”, “we”, or “our”) operates this Platform.
This page informs you of our policies regarding the collection, use and disclosure of Personal Information when you use our Service.
Welcome to gdpr-info.eu. Here you can find the official PDF of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version of the OJ L 119, 04.05.2016; cor. OJ L 127, 23.5.2018 as a neatly arranged website. All Articles of the GDPR are linked with suitable recitals. The European Data Protection Regulation is applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe. If you find the page useful, feel free to support us by sharing the project.
Friendsvow GDPR Personal Data
The term ‘personal data’ is the entryway to the application of the General Data Protection Regulation (GDPR). The GDPR applies only if the processing concerns personal data. The term is defined in Art. 4 (1): personal data is any information relating to an identified or identifiable natural person.
Data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics which express the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, this also covers all data which are, or can be, assigned to a person in any way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
Since the definition includes “any information,” one must assume that the term “personal data” is to be interpreted as broadly as possible. This is also suggested by the case law of the European Court of Justice, which considers even less explicit information to be personal data, such as records of working time which show when an employee begins and ends the working day, as well as breaks or periods outside working time. Likewise, a candidate’s written answers in an examination, and any remarks by the examiner on those answers, are “personal data” if the candidate can in principle be identified. The same applies to IP addresses: if the controller has the legal means to oblige the provider to hand over additional information which enables it to identify the user behind the IP address, the IP address is personal data as well. In addition, personal data need not be objective. Subjective information such as opinions, judgements or estimates can be personal data; this includes, for instance, an assessment of a person’s creditworthiness or an employer’s estimate of work performance.
Last but not least, the law requires that the information relate to a natural person. In other words, data protection does not apply to information about legal entities such as corporations, foundations and institutions. For natural persons, on the other hand, protection begins and ends with legal capacity: a person obtains this capacity at birth and loses it on death. Data must therefore be assignable to identified or identifiable living persons to be considered personal.
In addition to general personal data, one must consider above all the special categories of personal data (also known as sensitive personal data) which are highly relevant because they are subject to a higher level of protection. These data include genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union members
Suitable GDPR recitals
- (26) Not Applicable to Anonymous Data
- (30) Online Identifiers for Profiling and Identification
- (34) Genetic Data
- (35) Health Data
- (51) Protecting Sensitive Personal Data
Information Collection And Use
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information (“Personal Information”) may include, but is not limited to:
- Email address
- Telephone number
- Bank Account
We collect information that your browser sends whenever you visit our Service (“Log Data”). This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.
Cookies are files containing a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.
We use “cookies” to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
We may employ third party companies and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.
These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.
Links To Other Sites
We have no control over, and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Our Service does not address anyone under the age of 18 (“Children”).
We do not knowingly collect personally identifiable information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we discover that a child under 18 has provided us with Personal Information, we will delete such information from our servers immediately.
Compliance With Laws
We will disclose your Personal Information where required to do so by law or subpoena.
Friendsvow GDPR Right of Access to Data
The right of access plays a central role in the General Data Protection Regulation (GDPR). On the one hand, because only the right of access allows the data subject to exercise further rights (such as rectification and erasure). On the other hand, because an omitted or incomplete disclosure is subject to fines.
The response to a right of access request has two stages. First, the controller must check whether any personal data of the person seeking information is being processed at all; the result, positive or negative, must be reported in either case. If the answer is positive, the second stage covers a whole range of information. The right of access includes:
- the purposes of the processing,
- the categories of personal data processed,
- the recipients or categories of recipients,
- the planned duration of storage, or the criteria used to determine it,
- the rights of the data subject, such as rectification, erasure or restriction of processing, and the right to object,
- the right to lodge a complaint with the authorities,
- the origin of the data, where it was not collected from the data subject, and
- the existence of any automated decision-making, including profiling, with meaningful information about the logic involved as well as the significance and intended effects of such processing.
Last but not least, if personal data is transferred to a third country without an adequate level of protection, the data subject must be informed of the appropriate safeguards which have been taken.
Information can be provided to the data subject in writing, electronically or verbally as per Art. 12(1) sentences 2 and 3 of the GDPR, depending on the circumstances. According to Art. 12(3) GDPR, information must be provided without undue delay and at the latest within one month. Only in justified cases may this one-month deadline be exceptionally extended. As a rule, the information has to be provided free of charge; if further copies are requested, the controller may charge a reasonable fee based on administrative costs. The controller is also allowed to refuse a right of access request if it is manifestly unfounded or excessive. In addition, if the controller processes a large volume of information about the data subject, it may ask the data subject to specify which processing operations or kinds of information the request relates to.
Suitable GDPR articles
- Art. 12 GDPR Transparent information, communication and modalities for the exercise of the rights of the data subject
- Art. 15 GDPR Right of access by the data subject
- Art. 46 GDPR Transfers subject to appropriate safeguards
Friendsvow GDPR Records of Processing Data Activities
The General Data Protection Regulation requires, under Art. 30 GDPR, written documentation of, and an overview of, the procedures by which personal data are processed. Records of processing activities must include significant information about the data processing, including the data categories, the group of data subjects, the purpose of the processing and the data recipients. The complete record must be made available to the authorities upon request.
The obligation to create records of processing activities is imposed not only on the controller and their representative, but also directly on the processor and their representative, as set forth in Art. 30(2) of the GDPR. As an exception, companies or institutions with fewer than 250 employees are exempt from keeping a record if the processing is not likely to pose a risk to the rights and freedoms of the data subject, if no special categories of data are processed or if the processing is done only occasionally, as indicated in Art. 30(5) GDPR. In practice, this exemption is rarely applicable. Apart from the difficulties in interpreting what counts as “only occasional,” in most companies – even on a broad interpretation of the term – data will unambiguously be processed regularly, for example for the website, the web shop, salary calculation or CRM systems. One must note that the documentation obligation, and therefore the records of processing activities, will be a focus of the authorities’ inspections of how the Regulation has been implemented.
If a company does not maintain records of processing activities and/or does not provide a complete record to the authorities, it is subject to fines according to Art. 83(4)(a) of the GDPR. The possible fines can be up to 10 million euros or 2% of annual turnover. As a rule, the maximum is only imposed by the authorities in exceptional cases; recital 13 encourages them “to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.”
Suitable GDPR articles
- Art. 5 GDPR Principles relating to processing of personal data
- Art. 30 GDPR Records of processing activities
Suitable GDPR recitals
- (13) Taking Account of Micro, Small and Medium-Sized Enterprises
- (82) Record of Processing Activities
Friendsvow GDPR Right to be Forgotten
The right to be forgotten derives from the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González (2014). With the General Data Protection Regulation (GDPR), the right to be forgotten is codified for the first time, alongside the right to erasure.
The correspondingly named rule primarily regulates erasure obligations. According to it, personal data must be erased without delay where the data are no longer needed for their original processing purpose, where the data subject has withdrawn consent and there is no other legal ground for processing, where the data subject has objected and there are no overriding legitimate grounds for the processing, or where erasure is required to fulfil a statutory obligation under EU law or the law of the Member States. In addition, data must naturally be erased if the processing itself was unlawful in the first place.
The controller is therefore, on the one hand, automatically subject to statutory erasure obligations and must, on the other hand, comply with the data subject’s right to erasure. The law does not prescribe how the data must be erased in individual cases. The decisive element is that, as a result, it is no longer possible to recover the personal data without disproportionate effort. It is sufficient if the data medium has been physically destroyed, or if the data has been permanently overwritten using special software.
In addition, the right to be forgotten is found in Art. 17(2) of the GDPR. If the controller has made the personal data public, and one of the above grounds for erasure applies, the controller must take reasonable measures, considering the circumstances, to inform other controllers processing the data that all links to this personal data, as well as copies or replicates of it, must be erased.
An erasure request is not subject to any particular form, and the controller may not require a specific form. However, the identity of the data subject must be proven in a suitable way; if it has not been proven, the controller can request additional information or refuse to erase the data. If there is a request or a statutory obligation to erase, it must be executed quickly, meaning that the controller has to check the conditions for erasure without undue delay. In the case of an erasure request, the data subject must be informed within one month about the measures taken or the reasons for refusal. The right to be forgotten is reflected a second time in the notification obligation: in addition to erasure, according to Art. 19 of the GDPR the controller must inform all recipients of the data about any rectification or erasure, using all available means and exhausting all appropriate measures.
The right to be forgotten is not guaranteed without reservation. It is limited in particular where it collides with the right to freedom of expression and information. Further exceptions apply if the processing of the data subject to an erasure request is necessary to comply with legal obligations, for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, or for the defence of legal claims.
Suitable GDPR articles
- Art. 17 GDPR Right to erasure (‘right to be forgotten’)
- Art. 19 GDPR Notification obligation regarding rectification or erasure of personal data or restriction of processing
Friendsvow GDPR Right to be Informed
There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data. Therefore, the General Data Protection Regulation (GDPR) gives individuals a right to be informed about the collection and use of their personal data, which leads to a variety of information obligations by the controller.
The law differentiates between two cases: on the one hand, personal data obtained directly from the data subject (Art. 13 of the GDPR) and, on the other hand, personal data not obtained from the data subject (Art. 14 of the GDPR).
Where data is obtained directly, the person must be informed immediately, meaning at the time the data is obtained. In terms of content, the controller’s obligation to inform covers its identity, the contact details of the Data Protection Officer (if available), the processing purposes and the legal basis, any legitimate interests pursued, the recipients of the personal data, and any intention to transfer personal data to third countries. In addition, the right to be informed also covers the duration of storage, the rights of the data subject, the ability to withdraw consent, the right to lodge a complaint with the authorities and whether the provision of personal data is a statutory or contractual requirement. The data subject must also be informed of any automated decision-making, including profiling. This information need not be provided only if the data subject already has it.
If personal data is not obtained from the data subject, he or she must be provided with the information within a reasonable period of time, but at the latest within one month. Where the gathered data is used to contact the data subject directly, he or she has the right to be informed at the latest when first approached. As far as content is concerned, the controller has to provide the same information as if the personal data had been obtained directly from the data subject. The only exception is the information about any obligation to provide the personal data, as the controller does not have the decision-making authority in this case. In addition, the controller has the obligation to state from what sources the personal data originated, and whether it was publicly available. The data subject has a right to be informed in a concise, transparent, intelligible and easily accessible form. The obligation to inform can be fulfilled in writing or in electronic form. It is explicitly stated that so-called ‘standardised icons’ can also be used in order to convey a meaningful overview of the intended processing in an easily visible, intelligible and clearly legible form.
Where the personal data is not gathered from the data subject, there is in exceptional cases no obligation to inform. This applies if providing the information is either impossible or would involve a disproportionate effort, if the gathering and/or transmission is required by law, or if the data must remain confidential due to professional secrecy or other statutory secrecy obligations.
Suitable GDPR articles
- Art. 12 GDPR Transparent information, communication and modalities for the exercise of the rights of the data subject
- Art. 13 GDPR Information to be provided where personal data are collected from the data subject
- Art. 14 GDPR Information to be provided where personal data have not been obtained from the data subject
Suitable GDPR recitals
- (39) Principles of Data Processing
- (58) The Principle of Transparency
- (59) Procedures for the Exercise of the Rights of the Data Subjects
- (60) Information Obligation
- (61) Time of Information
- (62) Exceptions to the Obligation to Provide Information
- (73) Restrictions of Rights and Principles
Friendsvow GDPR Privacy Impact Assessment
The instrument of the privacy impact assessment (PIA) or data protection impact assessment (DPIA) was introduced with the General Data Protection Regulation (Art. 35 of the GDPR). It refers to the obligation of the controller to conduct an impact assessment, and to document it, before starting the intended data processing. The assessment can be bundled for several similar processing operations.
Basically, a data protection impact assessment must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons. The assessment must be carried out in particular if one of the standard examples set forth in Art. 35(3) of the GDPR applies. To give the open-ended wording of the law on the basic obligation to perform a privacy impact assessment more concrete form, the supervisory authorities are involved. In a first draft, the Article 29 Working Party created a catalogue of ten criteria which indicate that the processing bears a high risk to the rights and freedoms of a natural person, for example:
- scoring/profiling,
- automated decisions which lead to legal consequences for those affected,
- systematic monitoring,
- processing of special categories of personal data,
- data processed on a large scale,
- the merging or combining of data gathered by different processing operations,
- data about incapacitated persons or those with limited ability to act,
- use of newer technologies or biometric procedures,
- data transfer to countries outside the EU/EEC, and
- data processing which hinders those affected in exercising their rights.
A privacy impact assessment is not strictly necessary if a processing operation fulfils only one of these criteria. However, if several criteria are met, the risk for the data subjects is expected to be high and a data protection impact assessment is always required. If there is doubt and it is difficult to determine whether the risk is high, a DPIA should nevertheless be conducted. The assessment must be repeated at least every three years.
In addition, the national supervisory authorities have to establish and publish a list of processing operations which always require a data protection impact assessment in their jurisdiction (blacklist). They are also free to publish a list of processing operations which specifically do not require a privacy impact assessment (whitelist). If a company has appointed a Data Protection Officer, their advice must be taken into account when conducting a DPIA. How, and by what criteria, the consequences and risks for the data subjects are to be assessed remains largely unanswered; the first templates were guided by the audit schemes of ISO standards or the Standard Data Protection Model.
Suitable GDPR articles
- Art. 5 GDPR Principles relating to processing of personal data
- Art. 35 GDPR Data protection impact assessment
- Art. 36 GDPR Prior consultation
- Art. 57 GDPR Tasks
Suitable GDPR recitals
- (75) Risks to the Rights and Freedoms of Natural Persons
- (84) Risk Evaluation and Impact Assessment
- (89) Elimination of the General Reporting Requirement
- (90) Data Protection Impact Assessment
- (91) Necessity of a Data Protection Impact Assessment
- (92) Broader Data Protection Impact Assessment
- (93) Data Protection Impact Assessment at Authorities
- (94) Consultation of the Supervisory Authority
- (95) Support by the Processor
- (96) Consultation of the Supervisory Authority in the Course of a Legislative Process
Friendsvow GDPR Third Countries
In view of international trade and cooperation, it is essential these days to be able to transmit data to third countries as well. The legitimacy of such a transfer is examined in two stages.
First, the data processing itself must be lawful. Any processing of personal data is prohibited unless it is authorised. In addition to consent, Art. 6 of the General Data Protection Regulation (GDPR) sets forth further legal bases, such as the performance of a contract or the protection of vital interests. For special categories of personal data, which require a higher level of protection, Art. 9 of the GDPR provides separate legal requirements.
If the intended data transfer meets these general requirements, one must check in a second step whether transfer to the third country is permitted. One must differentiate between secure and insecure third countries. Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision; in those countries, national law provides a level of protection for personal data comparable to that of EU law. At the time the General Data Protection Regulation became applicable, the third countries which ensure an adequate level of protection were: Andorra, Argentina, Canada (only commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan and USA (if the recipient belongs to the Privacy Shield). Data transfer to these countries is expressly permitted.
If there is no adequacy decision for a country, this does not necessarily rule out any data transfer to it. Rather, the controller must ensure in another way that the personal data will be sufficiently protected by the recipient. This can be achieved using standard contractual clauses, for data transfers within a group of companies through so-called “binding corporate rules,” through a commitment to comply with codes of conduct which the European Commission has declared generally applicable, or by certification of the data processing procedure.
Furthermore, there are several exceptions which legitimise a data transfer to a third country even if the protection of personal data cannot be sufficiently assured. Most frequently, the consent of the data subject is relevant here; at the same time, one must pay particular attention to the requirements for such consent to be freely given. Further exceptions, such as transfers necessary for the performance of a contract, important reasons of public interest and the assertion of legal claims, are usually less relevant in practice.
Especially from an economic point of view, data transfers between the United States and the European Union are of the utmost importance. The European Commission recognised this at an early stage and was keen to secure the flow of personal data through a dedicated arrangement. However, from a data protection point of view, the so-called Safe Harbour agreement between the two parties was always questionable, and it was declared invalid by the European Court of Justice in the wake of the Snowden revelations (Schrems v. Data Protection Commissioner). It has since been replaced by another dedicated framework, the Privacy Shield, which is intended to provide a stricter set of ground rules for data transfers from the EU to the US. However, many of the points criticised by the Court in the Schrems ruling persist in the new arrangement, and the Privacy Shield is therefore currently under close scrutiny by the European data protection authorities.
Suitable GDPR articles
- Art. 40 GDPR Codes of conduct
- Art. 42 GDPR Certification
- Art. 44 GDPR General principle for transfers
- Art. 45 GDPR Transfers on the basis of an adequacy decision
- Art. 46 GDPR Transfers subject to appropriate safeguards
- Art. 47 GDPR Binding corporate rules
- Art. 48 GDPR Transfers or disclosures not authorised by Union law
- Art. 49 GDPR Derogations for specific situations
- Art. 63 GDPR Consistency mechanism
admin @ friendsvow dot com