What is GDPR?
The General Data Protection Regulation (“GDPR”) is a new, EU-wide privacy and data protection law. It calls for more granular privacy guardrails in an organization’s systems, more nuanced data protection agreements, and more consumer-friendly and detailed disclosures about an organization’s privacy and data protection practices.
The GDPR replaces the EU’s current data protection legal framework from 1995 (commonly known as the “Data Protection Directive”). The Data Protection Directive required transposition into EU Member national law, which led to a fragmented EU data protection law landscape. The GDPR is an EU regulation that has direct legal effect in all EU Member States, i.e., it does not need to be transposed into an EU Member State’s national law in order to become binding. This will enhance consistency and harmonious application of the law in the EU.
Who must comply?
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Generally, the GDPR requirements apply to all companies, institutions, and organizations that process personal data.
Processing personal data is a broad concept under the GDPR
The GDPR governs how personal data of EU individuals may be processed by organizations. “Personal data” and “processing” are frequently used terms in the legislation, and understanding their particular meanings under the GDPR illuminates the true reach of this law:
Personal data is any information relating to an identified or identifiable individual. This is a very broad concept because it includes any information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data is not just a person’s name or email address. It can also encompass information such as financial information or even, in some cases, an IP address. Moreover, certain categories of personal data are given a higher level of data protection because of their sensitive nature. These categories of data are information about an individual’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about a person’s sex life or sexual orientation, and criminal record information.
Processing of personal data is the key activity that triggers obligations under the GDPR. Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.
How are personal data processed by Skarda Nams?
Skarda Nams processes data only for specific purposes and the data are not stored for longer than necessary. Skarda Nams maintains the data that is necessary for providing the services selected by the customer, and Skarda Nams is able to deliver it to the customer.
Skarda Nams processes personal data in one or more of the cases mentioned below:
- for signing and executing the agreement;
- where required by law;
- for pursuing legitimate (lawful) interests;
- where consent has been obtained from the customer.
The GDPR can apply to organizations located outside the EU
Unlike the Data Protection Directive, the GDPR is relevant to any globally operating company, not just those located in the EU. Under the GDPR, organizations may be in scope if (i) the organization is established in the EU, or (ii) the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.
Our Data Processing Policy
The Personal Data Processing Policy provides information on the processing and protection of personal data of Skarda Nams customers, employees and other individuals. In addition to the description of the Policy, more detailed information on the processing of personal data can be included in your service agreements, other documents related to services and on the website.
Who can access these data?
Skarda Nams may share customer data only in the following cases:
- If the data are required by a public/supervisory authority;
- If that is necessary for providing the relevant service by authorized data receivers, i.e., the companies that process the data on behalf of Skarda Nams.
Skarda Nams shall take the necessary measures to ensure that the authorized data receivers carry out the customer data processing according to the guidance received from Skarda Nams, comply with the required security and confidentiality requirements, as well as act in accordance with the legal requirements.
The list of authorized data receivers:
- Customer resource management – E.Mazulānes birojs SIA (Reg. No. 40203100114, Biķernieku iela 29, dz. 17, Rīga, LV1039)
- Customer data processing – DigitalOcean, LLC (New York, NY 101 6th Ave)
The most referenced consequence of non-compliance with the GDPR is the maximum fine that can be levied against a non-compliant organization. The maximum fine that may be levied is 4% of global revenue or 20 million EUR, whichever is higher. Certain other types of infringements carry a maximum fine of 2% of global revenue, or 10 million EUR, whichever is higher.
Less frequently referenced are the data protection authorities’ (“DPAs”) powers under Art. 58 of the GDPR. These powers include the ability for the DPAs to impose corrective actions, such as a temporary or definitive limitation on data processing activities, including a complete ban on data processing, or to order the suspension of data flows to a recipient in a third country.
If you have any queries about data processing at Skarda Nams, send us an email to: privacy@skardanams.lv