GDPR

Understanding the GDPR: Your Guide to EU Data Privacy

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). Implemented in 2018, it aims to give citizens control over their personal data and to simplify the regulatory environment for international business by unifying data protection laws within the EU.

What Does the GDPR Apply To?

The GDPR applies to any organization that processes the personal data of EU residents, regardless of the organization’s location. Personal data is any information that relates to an identified or identifiable natural person. This can include a wide range of details, such as names, addresses, email addresses, phone numbers, IP addresses, and even online identifiers like cookies.

Key Principles of the GDPR

  • Transparency and Consent: Individuals have the right to be informed about how their data is being collected, used, and stored. They must also provide explicit consent for this processing.
  • Right of Access: Individuals have the right to access their personal data and obtain a copy of it from the organization holding it.
  • Right to Rectification: Individuals have the right to request that inaccurate or incomplete personal data be corrected.
  • Right to Erasure (Right to be Forgotten): Individuals have the right to request that their personal data be deleted, under certain circumstances.
  • Data Security: Organizations are required to implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.
  • Data Breach Notification: In the event of a data breach, organizations must notify the relevant authorities and affected individuals within specific timeframes.

What Does the GDPR Mean for Businesses?

Organizations that handle the personal data of EU residents need to comply with the GDPR’s requirements. This may involve:

  • Conducting a data audit to identify and assess how personal data is being processed.
  • Appointing a Data Protection Officer (DPO) in some cases.
  • Implementing appropriate technical and organizational safeguards for data protection.
  • Obtaining clear and unambiguous consent from individuals before processing their data.
  • Responding to individual requests regarding their data rights (access, rectification, erasure, etc.).
  • Reporting data breaches to the authorities and affected individuals.

The GDPR and You

The GDPR empowers EU residents with greater control over their personal data. Understanding your rights under the GDPR can help you make informed decisions about how your data is shared and used.

For businesses, GDPR compliance is not just a legal requirement, but also a way to build trust and transparency with customers. By prioritizing data protection, businesses can demonstrate their commitment to responsible data practices in today’s digital world.

Adherence to European FIPs

The Fair Information Practices (FIPs) – the centrepiece of the 1995 Directive – remain at the core of the GDPR. This is the basis of our claim that those in compliance with the Directive are well positioned to meet the GDPR’s enhancements. Taken together, the imposition of the FIPs serves several of the GDPR’s strategic aims. The FIPs attempt to minimize data collection and use. In the abstract, the FIPs are an appealing set of substantive and procedural protections against the power of data-intensive companies. But taken together, the FIPs create barriers to big-data-driven business models.

The FIPs apply cumulatively – each must be fulfilled in order for the data processing to be legitimate.

First, the lawfulness, fairness, and transparency principle articulates data protection law’s overarching norm: personal data must be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject.’ The lawfulness requirement is reasonably clear: personal data processing must be compliant with the GDPR and other laws. The fairness requirement could be compared with the general good faith requirement in some legal systems.

Second, the purpose limitation principle entails that personal data should only be collected for a purpose that is specified in advance, and that those data should not be used for incompatible purposes. The purpose should be specific and concrete; vague and abstract purposes such as ‘promoting consumer satisfaction’, ‘product development’ or ‘optimizing services’ are prohibited.

Third, the data minimization principle holds that personal data should be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’ The preamble adds that ‘[p]ersonal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.’ Only those data that are needed for the specific purpose may be obtained. Thus, the pizza delivery service should not collect data about people’s religious or political views – after all, such data are not necessary for delivering the pizza. The data minimization principle thus prohibits collecting as much personal data as possible because the data could be useful in the future, in a way rejecting many big data business models.

Fourth, the accuracy principle requires that personal data are ‘accurate and, where necessary, kept up to date.’ Data controllers must take ‘every reasonable step (…) to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.’ Thus, the accuracy principle does not always require full accuracy; it requires accuracy ‘having regard to the purposes’ for which personal data are processed. Data controllers must proactively ensure appropriate accuracy, and must offer data subjects the possibility to correct data.

Fifth, in addition to minimizing data, the GDPR tightly limits data storage. The principle imposes a ‘no longer than necessary’ standard. The preamble adds that controllers should set, ex ante, time limits for planned erasure. Thus, the pizza delivery service should not store customer addresses for unreasonably long periods. Deleting the address once the pizza has been delivered would be perfect. But the pizza place could also keep the address for a few months to save returning customers the time of dictating their address again.

Sixth, the integrity and confidentiality principle imposes data security responsibilities. Security must be ‘appropriate’ and protect against loss, destruction, damage and unlawful processing.

The legal basis for processing personal data

Europe’s privacy approach enshrines data protection as a fundamental right. To implement this commitment, the GDPR specifies six legal justifications for data processing, which were copied almost verbatim from the Directive. Data processing should, in addition to adhering to the FIPs, be based on one of six grounds. Roughly summarized, these grounds are: (1) the data subject has consented to the data processing, (2) the data processing is necessary for a contract with the data subject, (3) there is a law mandating the data processing (e.g. tax law requires companies to keep certain records), (4) data processing is necessary to protect the life of a data subject (e.g. the data subject is unconscious after a car accident, and the hospital needs to know from the data subject’s family doctor whether the data subject uses certain medication), (5) data processing happens for a public task (e.g. the tax office gathers certain data, such as people’s tax returns, to fulfil its tasks), and (6) the interests of the data controller prevail over the interests of the data subject.

The General Data Protection Regulation (“GDPR”) is an EU-wide comprehensive data protection law that replaces the Data Protection Directive to strengthen personal data governance in light of rapid technological advancements, increased globalization, and more complex international flows of personal data. 

Unlike the Data Protection Directive, the GDPR is relevant to any globally operating company that processes personal data about people present in the EU (+ Switzerland and Norway), not just those residing in the EU. Courier.ie is fully aware of the complexities of the GDPR (in German: EU-Datenschutz-Grundverordnung) and is committed to creating exceptional delivery experiences for your organization and your customers without compromising data protection.

What GDPR means for Courier.ie

As per the terms defined under the GDPR, between Courier.ie and our customers, Courier.ie is the “data processor” and your company is the “data controller”. Your company, as data controller, collects data from end-users, who are considered the “data subjects”. If Courier.ie processes the personal data of the end-users, your organization remains in charge of how that data is treated, through its instructions to us. For example, if someone wants to make use of their “right to be forgotten”, Courier.ie will delete their data too, as part of our standard services.

As one of the leading parcel delivery services in Ireland, Courier.ie receives a large number of data points every day from all over the globe, including personal data of data subjects, usually email addresses, phone numbers, or residential addresses. While you are taking measures to safeguard your customers’ rights, Courier.ie is also committed to adhering to the requirements of the GDPR to protect your data.

Your data on Courier.ie is protected as per EU-GDPR

Courier.ie is EU-GDPR (EU-DSGVO) compliant and we protect your data like our own. Our company has established a comprehensive Privacy Policy, as we take the privacy of our customers very seriously and aim to provide a safe, reliable, and GDPR-compliant online experience:

  • User Controls:

Our system allows you to assign different kinds of user permissions to your organization’s users, restricting data access to only authorized persons.

  • Encryption & Data Storage:

Unauthorized alteration of or access to personal data is prevented through encryption “at rest” (when stored), “in motion” (when transferred), and in backups.

  • Logging of Data:

Any upload, transmission, access, and/or alteration of personal data and other data is logged by our systems.

  • Data Security:

All of our services are hosted and processed on ISO 27001-certified cloud servers with 4,096-bit RSA encryption.

  • Data Ownership:

All your data entirely belongs to you. Courier.ie will only use any personal data to provide our services and will delete it at your request.

  • Data Recoverability & Reliability:

We have a data recovery system in place to monitor system statuses and can restore data in the event of an unlikely technical fault. Your data is regularly updated and backed up in our system.

  • Processing on behalf:

When further sub-processors are involved in handling your data, we carry out the appropriate checks to ensure they are also operating in line with GDPR regulation. A list of our sub-processors is part of any commercial agreement and we will inform you in advance about any changes.

We make sure that GDPR is always at the forefront

  • Servicing of data erasure requests:

Your customers have a “right to be forgotten” (as mandated in Art. 17 GDPR), and Courier.ie is equipped to service such requests.

  • Compliance documentation:

Courier.ie can provide legal documentation to ensure compliance with the GDPR, including Data Processing Agreements (DPA), Technical and Organizational Measures (TOMs) and Standard Contractual Clauses (SCCs).

  • Data Incident Response:

In the unlikely event that a system breaks down and the personal data of clients could be compromised, we will notify all customers immediately in accordance with legal and contractual obligations.

At Courier.ie, our team is dedicated to helping you confidently maintain compliance when sending post-purchase communication to your customers and using our product. If you have any questions about GDPR, please contact your Account Manager or sales.