GDPR Manual

Effective date: October 10, 2024

Last updated: October 10, 2024

GDPR – GENERAL DATA PROTECTION REGULATION

MLytica LTD

Headquarters and address of management: Sofia 1729, Mladost district, Alexander Malinov No 31

UIC: 207482892

1. Scope and General information

1.1. Scope

Since 25 May 2018 the GDPR (General Data Protection Regulation) has applied. It fundamentally changed the data protection environment in the EU.

Four main keywords dominate the concept of the GDPR:

- data minimisation;

- data protection;

- the right of disclosure, and

- the right of deletion of data.

This manual gives an overview of the rules of the GDPR. It is meant to help MLytica LTD put measures in place to secure data protection.

This manual applies to MLytica LTD.

1.2. General information

All structured processing of personal data that could identify individual persons is covered by the GDPR. Such personal data includes names, addresses, phone numbers, personal email addresses, etc. Not only digital data is covered, but also print-outs and manual records, if they are structured and searchable (e.g. telephone filing cards, paper folders).

The GDPR applies to all data processing:

· in the context of the activities of an EU establishment, even if the processing takes place outside the EU (e.g. data stored on a server located outside the EU for an EU-based company);

· outside the European Union when it concerns the offering of goods/services to data subjects in the EU.

The term data processing is very broad and includes every operation performed on personal data: collection, storage, adaptation or alteration, use, transmission, erasure or destruction of data.

1.3. Basic rules

The basic rules for data processing, which MLytica LTD must follow, are:

All processing must be:

- based on a legal basis (“lawfulness”), and

- transparent (“transparency”).

All processing:

- requires a purpose (“purpose limitation”), and

- must be limited to what is necessary (“data minimisation”).

Personal data may only be processed when:

- accurate and true (“accuracy”), and

- not stored longer than necessary (“storage limitation”).

Personal data must:

- be protected against unauthorised or unlawful processing, accidental loss, destruction or damage (“integrity and confidentiality”).

As already mentioned above, we need a purpose (“purpose limitation”) to process personal data. The purpose of the processing must be determined in advance and must be explicit and legitimate.

When defining the purpose and the legal basis for the data processing, please keep in mind that the GDPR differentiates between sensitive and non-sensitive data. Sensitive data are data regarding religion, ethnic origin, political views, biometric data, membership in works councils, health data and sexual orientation.

Legal bases (“lawfulness”) which allow MLytica LTD to process personal data are, for example:

· the individual’s explicit consent;

· fulfilment of obligations under a contract;

· legal obligations (e.g. time records required by law regulations).

Please respect the following requirements for consent:

· the consent must be given voluntarily;

· capacity to consent: may be assumed for persons above the age of 18;

· a ticked box on a website;

· the declaration of consent is in clear and plain language;

· the declaration of consent is visually highlighted (e.g. in the general terms and conditions of business it is separated as its own paragraph or written in bold print).

Note: consent has an important drawback: it can be withdrawn at any time, and after withdrawal the data processing must be stopped.

2. Record of data processing

The record of data processing is one of the minimum standards which must be kept. Moreover, it is important in the case of disclosure: as already mentioned, every applicant, client, customer, etc. has the right to ask which data are or have been collected, stored and processed by MLytica LTD. The record of data processing helps you to react within the short legal response period and provide the requesting person with the requested information.

3. Define periods

As already mentioned, everybody has the right of data deletion after a specific time; in other words, you are only allowed to store data as long as necessary or legally justified. Generally, data should be stored for as short a time as possible and only as long as legally necessary.

4. Adjust agreements with your service providers

If there is a cooperation with a supplier or service provider in your area of responsibility (e.g. payroll providers) and personal data is transferred to this partner, we must contractually ensure that appropriate technical and organisational measures are taken to protect our data. Processing must be carried out in accordance with the requirements of the GDPR, and the rights of data subjects must be safeguarded.

Therefore, such cooperation must always be based on a processing contract.

Your cooperation partner may insist on their own standard agreement. In such cases, please contact your local lawyer, who will check whether the partner’s agreement fulfils the legal requirements or whether you need to insist on your own agreement.

5. Data breach

A data breach is any violation of data security and privacy in which personal data is proven to have been disclosed to unauthorised parties. In such a case the authorities must be notified within 72 hours of gaining knowledge of the personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The data subjects concerned must be notified without undue delay if the breach poses a high risk to them.

In the case of a data breach, please notify your local lawyer, check and follow the Data Breach guideline, or contact the Bulgarian Commission for Protection of Personal Data, address: Sofia 1592, blvd “Prof. Cvetan Lazarov” № 2 (www.cpdp.bg).