GDPR Compliance: Overview & Resources Available
What is the European Union's General Data Protection Regulation (GDPR)?
The GDPR is a European Union data protection regulation that imposes certain standards on the entities (data controllers) who collect and control the use of the personal data relating to individuals (data subjects) regarding the manner in which the data controller collects, uses and distributes the data while it is under its control. The GDPR also imposes standards on the entities (data processors) who are instructed by a data controller to collect, use, or store personal data on the data controller’s behalf.
Please see here for the text of the regulation.
Who is Governed by the GDPR?
The GDPR applies to a data controller or data processor outside of the EU that processes personal data of EU data subjects if the controller or processor offers goods or services to data subjects in the EU. Causeway websites are a service that Vital Technical Marketing, Inc. (VTM) offers to data subjects all around the world on behalf of certain international organizations and companies. This means that VTM is governed by the GDPR as a data processer who collects, uses, and stores personal data of EU data subjects on behalf of these international organizations and companies, who are the data controllers determining the purpose and means of VTM’s collection, use and storage of personal data.
What constitutes Personal Data that's subject to the GDPR?
Personal Data is defined as “any information relating to an identified or identifiable natural person.” (GDPR, Article 2(a)). Personal Data includes a person’s name, email address, mailing address, and IP address.
What are the key principles of the GDPR?
- Lawfulness, fairness and transparency. Transparency requires that the data subject has the right to know who is processing their personal data, what personal data is being processed, the purpose of the processing, and any data breach that is likely to result in a high risk to the data subject’s rights and freedoms.
- Purpose limitation. Personal data must be processed only for specific and limited purposes, which includes for the purpose of performing a contract.
- Data minimization. Personal data must be proportional, i.e., what is necessary to fulfill the purposes for which it is processed.
- Accuracy. Personal data must be accurate and, when necessary, capable of being updated.
- Storage limitation. Personal data must not be stored for longer than required to fulfill the purposes for which it was processed if it is in a form which permits identification of the data subjects.
- Integrity and confidentiality. Appropriate security against unauthorized or unlawful processing and against loss or destruction is required given the personal data and the purposes for which is processed.
- Accountability. The data controller is responsible for compliance with these principles.
Where can I find the Causeway Policies that were updated to address GDPR?
Data Processing Addendum for Causeway Customers:
The below Addendum includes the Data Processing Terms and supplements the Causeway Master Services Agreement. This addendum will be effective as the day VTM receives a completed and executed Addendum from your organization.
Instructions: This Addendum has been pre-signed by VTM. To enter into this Addendum, Causeway Customer must:
- Complete the Customer information by signing and providing the customer full legal entity name, address and signatory information; and
- Submit the completed and signed Addendum to Causeway via email to firstname.lastname@example.org.
Effectiveness. This Addendum will be effective only if it is executed and submitted to Causeway, per the instructions above.