What is GDPR ?
The GDPR applies when ‘personal data’ are ‘processed’. The GDPR defines ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (…)’. This includes activities such as collecting, storing, disclosing, and erasing data. Consequently, practically everything that can be done with personal data will be considered to be ‘processing’.
Taken together, these key definitions mean that, in principle, an organization processes ‘personal data’ within the meaning of the GDPR, whenever that organization touches data that relate to an individual, whether the data are public or private, sensitive or non-sensitive, directly or indirectly identify a person, and whether identification is possible now or in the future.
Who is accountable for upholding the GDPR requirements?
The four most important actors in the GDPR are ‘data subjects’, ‘controllers’, ‘processors’, and ‘Data Protection Authorities’. ‘Data subjects’ are people – the natural persons whose personal data are processed. ‘Controllers’ are those who determine the purposes and the means of processing of personal data – companies for example. ‘Processors’ are entities that do something with personal data on behalf of controllers; in such case, there is a clear hierarchy. For example, if company Y gathers and analyses survey data on the customers of company X, as instructed by company X, company X is the controller and company Y the data processor. If two organizations work together in determining why and how personal data will be processed, they will be seen as joint controllers and will share the regulatory burden and liability for errors and mistakes.
The GDPR attempts to head off predictable principal-agent problems with processors. It requires that controllers ensure that processors are competent and responsible. To establish a chain of accountability, processors cannot subcontract without consent of the controller. The GDPR also specifies that if the subcontracted processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations
Adherence to European FIPs
The Fair Information Practices (FIPs) – the centrepiece of the 1995 Directive – remain at the core of the GDPR. This is the basis of our claim that those in compliance with the Directive are well positioned to meet the GDPR’s enhancements. Taken together, the imposition of the FIPs serves several of the GDPR’s strategic aims. The FIPs attempt to minimize data collection and use. In the abstract, the FIPs are an appealing set of substantive and procedural protections against the power of data intensive companies. But taken together, the FIPs, create barriers to big data driven business models.
The FIPs apply cumulatively – each must be fulfilled in order for the data processing to be legitimate.
First, the lawfulness, fairness, and transparency principle articulate data protection law’s overarching norm: personal data must be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject.’ The lawfulness requirement is reasonably clear: personal data processing must be compliant with the GDPR and other laws. The fairness requirement could be compared with the general good faith requirement in some legal systems.
Second, the purpose limitation principle entails that personal data should only be collected for a purpose that is specified in advance, and that those data should not be used for incompatible purposes. The purpose should be specific and concrete; vague and abstract purposes such as ‘promoting consumer satisfaction’, ‘product development’ or ‘optimizing services’ are prohibit
Third, the data minimization principle holds that personal data should be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’ The preamble adds that ‘[p]ersonal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.’ Only those data that are needed for the specific purpose may be obtained. Thus, the pizza delivery service should not collect data about people’s religious or political views – after all, such data are not necessary for delivering the pizza. The data minimization principle thus prohibits collecting as much personal data as possible because the data could be useful in the future, in a way rejecting many big data business models.
Fourth, the accuracy principle requires that personal data are ‘accurate and, where necessary, kept up to date.’ Data controllers must take ‘every reasonable step (…) to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.’ Thus, the accuracy principle does not always require full accuracy; it requires accuracy ‘having regard to the purposes’ for which personal data are processed. Data controllers must proactively ensure appropriate accuracy, and must offer data subjects the possibility to correct data.
Fifth, in addition to minimizing data, the GDPR tightly limits data storage. The principle imposes a ‘no longer than necessary’ standard. The preamble adds that controllers should set, ex ante, time limits for planned erasure. Thus, the pizza delivery service should not store customer addresses for unreasonably long periods. Deleting the address once the pizza has been delivered would be perfect. But the pizza place could also keep the address for a few months to save returning customers the time of dictating their address again.
Sixth, the integrity and confidentiality principle imposes data security responsibilities. Security must be ‘appropriate’ and protect against loss, destruction, damage and unlawful processing.
The legal basis for processing personal data
Europe’s privacy approach enshrines data protection as a fundamental right. To implement this commitment, the GDPR specifies six legal justifications for data processing, which were copied almost verbatim from the Directive. Data processing should, in addition to adhering to the FIPs, be based on one of six grounds. Roughly summarized, these grounds are: (1) the data subject has consented to the data processing, (2) the data processing is necessary for a contract with the data subject, (3) there is a law mandating the data processing (e.g. tax law requires companies to keep certain records), (4) data processing is necessary to protect the life of a data subject (e.g. the data subject is unconscious after a car accident, and the hospital needs to know from the data subject’s family doctor whether the data subject uses certain medication) (5) data processing happens for a public task (e.g. the tax office gathers certain data, such as people’s tax returns, to fulfil its tasks), and (6) when the interests of the data controller prevail over the interests of the data subject.
The General Data Protection Regulation (“GDPR”) is an EU-wide comprehensive data protection law that replaces the Data Protection Directive to strengthen personal data governance in light of rapid technological advancements, increased globalization, and more complex international flows of personal data.
Unlike the Data Protection Directive, the GDPR is relevant to any globally operating company that processes personal data about people present in the EU (+ Switzerland and Norway), not just those residing in the EU. Courier.ie is fully aware of the complexities of GDPR (or German: EU Datenschutz Grundverordnung) and is committed to creating exceptional delivery experiences for your organization and your customers without compromising data protection.
What GDPR means for Courier.ie
As per terms defined under the GDPR, between Courier.ie and our customers, Courier.ie is the “data processor” and your company is the “data controller”. Your company as a data controller collects data from end-users, who are considered the “data subjects”. If Courier.ie processes the personal data of the end-users, your organization remains in charge of the way it is treated through instructions. For example, if someone wants to make use of their “right to be forgotten”, Courier.ie will delete their data as well as part of our standard services.
As one of the leading parcel delivery service in Ireland, Courier.ie receives a large number of data points every day from all over the globe, including personal data of data subjects, usually email addresses, phone numbers, or residential addresses. While you are taking measures to safeguard your customer’s rights, Courier.ie is also committed to adhering to the requirements of the GDPR to protect your data.
Your data on Courier.ie is protected as per EU-GDPR
- User Controls:
Our system allows you to assign different kinds of user permissions to your organization’s users, restricting data access to only authorized persons.
- Encryption & Data Storage:
Unauthorized change or access of personal data is prevented through encryption “at rest” (when stored), “in motion” (when transferred), and in backups.
- Logging of Data:
Any upload, transmission, access, and/or alteration of personal data and other data is logged by our systems.
- Data Security:
All of our services are hosted and processed on servers of ISO 27001-certified cloud servers with RSA, 4,096-bit encryption
All your data entirely belongs to you. Courier.ie will only use any personal data to provide our services and will delete it at your request.
- Data Recoverability & Reliability:
We have a data recovery system in place to monitor system statuses and can restore data in the event of an unlikely technical fault. Your data is regularly updated and backed up in our system.
- Processing on behalf:
When further sub-processors are involved in handling your data, we carry out the appropriate checks to ensure they are also operating in line with GDPR regulation. A list of our sub-processors is part of any commercial agreement and we will inform you in advance about any changes.
We make sure that GDPR is always at the forefront
- Servicing of data erasure requests:
Your customers have a “right to be forgotten” (as mandated in Art. 17 GDPR) and Courier.ie is equipped to service such requests.
- Compliance documentation
: Courier.ie can provide legal documentation to ensure compliance with GDPR including, Data Processing Agreements (DPA), Technical and Organizational Measures (TOMs) and Standard Contractual Clauses (SCCs).
- Data Incident Response
: In the unlikely event that a system breaks down and the personal data of clients could be compromised, we will notify all customers immediately in accordance with legal and contractual obligations.
At Courier.ie, our team is dedicated to helping you confidently maintain compliance when sending post-purchase communication to your customers and using our product. If you have any questions about GDPR, please contact your Account Manager or sales.