privacy



Welcome to unc.nu [kol] Privacy GDPR page. Here you can find our company's complete implementation of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version of the OJ L 119, 04.05.2016; cor. OJ L 127, 23.5.2018. The European Data Protection Regulation is applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe. If you need additional information or clarification regarding this matter, please contact us. Click on the key issues below to review all relevant policies protecting your data and basic rights at Goya 36, 28001 Madrid (Kingdom of Spain), Niue PSB Fonuakula Alofi (Niue) and 1 Fullerton Road Singapore 049213 (Republic of Singapore), plus offices in other countries.

consent

While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR). The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR.

The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous.
 

data protection officer

Art. 35 GDPR Data protection impact assessment; Art. 37 GDPR Designation of the data protection officer; Art. 38 GDPR Position of the data protection officer; Art. 39 GDPR Tasks of the data protection officer.

Contrary to popular belief, what determines the legal obligation to appoint a Data Protection Officer (DPO) is not the size of the company but its core processing activities, which are defined as those essential to achieving the company's goals. If these core activities consist of processing sensitive personal data on a large scale, or of a form of data processing which is particularly far reaching for the rights of the data subjects, the company has to appoint a DPO. Public bodies, on the other hand, always have to appoint a DPO, with the exception of courts acting in their judicial capacity. In addition, the legal norm to appoint a Data Protection Officer has a flexibility clause for Member States. These are free to decide whether a company has to appoint a Data Protection Officer under stricter requirements (e.g. Section 38 German Federal Data Protection Act).


personal data

Art. 4 GDPR Definitions; Art. 9 GDPR Processing of special categories of personal data.

The General Data Protection Regulation applies only if the processing of data concerns personal data. The term is defined in Art. 4 (1). Personal data is any information which relates to an identified or identifiable natural person.

The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics which express the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
 

processing data

(24) Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Profiled; (36) Determination of the Main Establishment; (80) Designation of a Representative; (81) The Use of Processors; (82) Record of Processing Activities; (98) Preparation of Codes of Conduct by Organizations and Associations; (99) Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct; (101) General Principles for International Data Transfers; (108) Appropriate Safeguards; (109) Standard Data Protection Clauses; (146) Indemnity; (147) Jurisdiction.

The General Data Protection Regulation (GDPR) offers a uniform, Europe-wide possibility for so-called 'commissioned data processing', which is the gathering, processing or use of personal data by a processor in accordance with the instructions of the controller based on a contract.

The relevant regulations for commissioned data processing already apply if the processing is connected to activities of an establishment within the EU. This means that it is sufficient if either the controller or the processor operates an establishment in the EU, and the processing takes place in the context of its activities. One has to differentiate between processing and joint control (Art. 26 GDPR), where both parties jointly define the purposes and means for the data processing and are thus also jointly responsible for these.

In a controller-processor relationship, the latter is only allowed to process personal data based on the documented instructions from the controller. The processor cannot engage another processor to help fulfil a specific contract without the prior specific or general written authorization of the respective controller. In case of a general authorization, the processor has to inform the controller about any relevant changes regarding the processing.


client's rights

The right of access plays a central role in the General Data Protection Regulation (GDPR). This is, on the one hand, because only the right of access allows the data subject to exercise further rights (such as rectification and erasure) and, on the other hand, because an omitted or incomplete disclosure is subject to fines.

The answer to a right of access request includes two stages. First, the controller must check whether any personal data of the person seeking information is being processed at all. In any case, one must report a positive or negative result. If the answer is positive, the second stage involves a whole range of information. The right of access includes information about the processing purposes, the categories of personal data processed, the recipients or categories of recipients, the planned duration of storage or criteria for their definition, information about the rights of the data subject such as rectification, erasure or restriction of processing, the right to object, instructions on the right to lodge a complaint with the authorities, information about the origin of the data, as long as these were not collected from the data subject himself, and any existence of an automated decision-making process, including profiling, with meaningful information about the logic involved as well as the implications and intended effects of such procedures. Last but not least, if personal data is transmitted to a third country without an adequate level of protection, data subjects must be informed of all appropriate safeguards which have been taken.

The right to be forgotten derives from the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González (2014). For the first time, the right to be forgotten is codified and to be found in the General Data Protection Regulation (GDPR) in addition to the right to erasure.

In addition, the right to be forgotten is found in Art. 17(2) of the GDPR. If the controller has made the personal data public, and if one of the above reasons for erasure exists, he must take reasonable measures, considering the circumstances, to inform all other controllers in data processing that all links to this personal data, as well as copies or replicates of the personal data, must be erased.

The right to be forgotten is not unreservedly guaranteed. It is limited especially when colliding with the right of freedom of expression and information. Other exceptions are if the processing of data which is subject to an erasure request is necessary to comply with legal obligations, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or for the defense of legal claims.
