While enforcement began on May 25, 2018, all businesses must remain aware of their ongoing duties. Please note that non-compliance can result in significant fines.
Important Disclaimer: We provide this information to help you understand basic GDPR concepts. However, this is not legal advice. You should consult with legal counsel to determine how these laws affect your specific organization.
Does the GDPR apply to me?
The regulation applies to any business based in the EU or any entity processing the data of EU citizens. Under these rules, organizations fall into two categories: Controllers or Processors.
Controllers decide the purpose and method of storing or processing personal info.
In contrast, Processors store or handle that data on behalf of another company.
Notably, some organizations may serve both roles simultaneously.
When it comes to the personal information I enter into WellWink, is my organization a controller or a processor?
Because you control and manage the data you enter into the CRM, you are the controller for that data. You decide how that data is used, how long to keep it, how often to update it, etc.
Your role with WellWink?
Since you manage the data entered into our CRM, your organization acts as the Controller. You hold the power to decide how that data is used, updated, and how long it is kept.
What is WellWink’s role?
We act as your Data Processor. Specifically, WellWink manages the personal data within our systems according to the actions you take in our applications. We store this information securely on your behalf.
How does my organization ensure our compliance?
Every business has different needs based on its specific data role. Generally, you must have systems in place to respond to user requests regarding their personal information.
When using WellWink, please review our updated Terms of Use and Privacy Policy. By accepting our terms, you acknowledge that your use of the platform will comply with all applicable laws, including the GDPR.
WellWink Compliance?
WellWink has been fully compliant since May 25, 2018. We have taken extensive steps to meet data transparency goals and protect your organization’s critical business information. For example, we updated our Data Processing Addendum (based on Model Contractual Clauses) to meet strict GDPR requirements.
We have amended our Data Processing Addendum (based on Model Contractual Clauses) to be compliant with the data processing requirements of GDPR.
The information above is provided to help you understand WellWink’s role as processor of your data, the rights of your users, and the responsibilities you hold as a controller of their data. It is not comprehensive and is not legal advice.
Frequently Asked Questions
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has realized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the current Data Protection Directive to suit the changing times. This law creates a comprehensive list of regulations that govern the processing of EU residents’ personal data.
Who does it apply to?
GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.
Where does the GDPR apply?
This law doesn’t have territorial boundaries. It doesn’t matter where your organization is from — if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.
What is personal data or Personally Identifiable Information (PII)?
Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).
What are the key changes from the previous regulations?
New & enhanced rights for data subjects- This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:
Explicit consent– Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
Right to access– At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
Right to be forgotten– The data subject can request the controller to remove their personal information from the controller’s systems.
Obligations of the processors– GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller’s instructions.
Data Protection Officer– Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
Privacy Impact Assessments (PIA)– Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
Breach notification– Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
Data portability– The controller must be able to provide data subjects with a copy of their personal data in machine readable format. If possible, they must be able to transfer the data to another controller.
What are the lawful bases the data controller can use to process customer data?
The data controller can choose from six data processing bases. These are:
Contract- This applies when you need to process the customer’s personal data to fulfill your contractual obligations, or to take some action based on the customer’s request (e.g., sending a quote or invoice).
Legal Obligation– This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).
Vital Interests– This applies to urgent matters of life and death, especially regarding health data.
Public Task- This applies to activities of public authorities.
Legitimate Interests– Legitimate interests can include commercial interests, such as direct marketing, individual interests, or broader societal benefits. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.
Consent– Consent is also a lawful basis to process data. Consent of the data subject means “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
What is LIA?
LIA stands for Legitimate Interests Assessment. It specifies the reason an organization wants to process a customer’s personal data. The organization must also conduct an LIA to show that the processing is necessary.
The assessment of whether a legitimate interest exists.
The establishment of the necessity for processing.
The performance of the balancing test.
Does the GDPR require EU personal data to stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Our data processing addendum, which references the European Commission’s model clauses, will continue to help our customers facilitate transfers of EU personal data outside of the EU.
Where can I find additional resources on GDPR?
Here are some links you can refer to for additional reading on the GDPR:
Find your supervisory authority
Rules for businesses and organizations
Your organization’s guide to GDPR
Note: Zoho Corporation is not responsible for the content in these pages and does not endorse these links.