The General Data Protection Regulation (GDPR)
EU & UK GDPR
In 2016, the General Data Protection Regulation (GDPR) was passed at EU level. The Regulation came into effect on 25 May 2018. From this date, GDPR applies directly and immediately to all EU member states and harmonizes data protection legislation across all EU member states. However, despite being a Regulation there are some domestic derogations where member states have discretion to legislate in particular areas so there is no complete harmonization.
Following Brexit, EU-GDPR has been retained in UK domestic law as the UK-GDPR, with independence to keep the framework under review. The UK-GDPR sits alongside an amended version of the Data Protection Act (DPA) 2018, which controls how personal information is used by organisations, businesses or the government.
These data protection regulations, EU-GDPR/UK-GDPR, impose higher requirements on organizations responsible for ownership (Data Controllers) and processing of personal data (Data Processors), whereas Data Subjects, whose personal data is handled, will benefit from extended rights.
Adequacy
“Adequacy” is a formal decision made by the EU, highlighting that another country, territory, sector or international organization is recognized to provide an equivalent level of protection for personal data as the EU does.
On 28 June 2021, the EU Commission published adequacy decisions in respect of the UK following a detailed assessment of the UK’s laws and systems for protecting personal data.
Data is the cornerstone of one-to-one marketing, an indispensable but fragile resource so it is in the interests of all to treat access to personal data as a privilege, not a right. Maintaining the highest possible standards of data practice is about much more than mere compliance, it is about delivering one-to-one marketing that is a true exchange of value between Rocketseed, looking to prosper, and the Customer, looking to benefit.
Data Controller and Data Processor
Rocketseed as a distributor of its email branding, signature and disclaimer software to its customers, as provider of bulk mail software to its customers and a user of personal data for its own internal marketing purposes, has separate roles as both Data Processor and Data Controller. In order to handle personal data, the 7 principles of these data processing regulations needs to be met, which are:
- Lawfulness, Fairness and Transparency – having a legal basis, being transparent and acting in a data subject’s best interest
- Purpose Limitation – Only process personal data for the purpose it was intended for
- Data Minimisation – Only gather and keep the amount of data that is needed
- Accuracy – Make sure the data obtained is the most accurate
- Storage Limitations – Discard personal data that is no longer needed
- Integrity and Confidentiality – Access to personal data should be limited to only those who process it
- Accountability – Controllers and Processors must be responsible for due diligence and compliance to Data Protection Laws
Access to Personal Data
Under GDPR, data subjects have enhanced rights. They have the right to access their personal data that is held by a Data Controller. Also, data subjects have the right to information about the processing of their personal data. They have the right to know for what purpose the information is processed, for how long the information is stored and the identity of the recipient of the registered person’s data etc.
The right of access of data subjects is limited partly by the right of the Data Controller to require the data subject to specify the information or processing activities to which data access is required. Whilst Data Controllers can no longer charge a fee for the right of access they can charge for any manifestly onerous or excessive requests or for requests for further copies.
Where consent is the lawful basis for processing, the data subject has the right to retract consent to processing of personal data (opt -out) at any given time. If consent is retracted, the Data Controller must cease processing of the relevant personal data for the purpose for which consent was obtained. The Data Controller can however, continue to process the personal data for other purposes which rely on another lawful basis.
On our privacy page, Rocketseed enables and welcomes Data Subject Access Requests via a simple form directed straight to our privacy team and DPO to address any queries or concerns regarding personal data. Rocketseed enables this feature regardless of geography, meaning concerns can be addressed even for individuals who are outside the territorial scope of the EU/UK-GDPR.
As Data Privacy laws continually evolve in the changing landscape of threats and advancement of technology, Rocketseed continues to work proactively to secure the continuing best protection of our customer personal data to ensure that data is safe with us.
More detailed general information on GDPR can be found on our Privacy page, and for Customers, additionally in our Data Processing Terms.