upRing GDPR FAQ
What is the GDPR?
The GDPR is the European Union’s new data protection law. It replaces the Data Protection Directive (“Directive”), which has been in effect since 1995. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data.
When will the GDPR come into effect?
The GDPR takes effect on May 25, 2018. Although the GDPR became law in April 2016, given the significant changes some organizations will need to make to align with the regulation, a two-year transition period was included.
Who does GDPR apply to?
The GDPR applies to companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU and that collect and analyze data tied to EU residents (personal data). The GDPR applies no matter where personal data is processed and imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:
- Requiring transparency on the handling and use of personal data.
- Limiting personal data processing to specified, legitimate purposes.
- Limiting personal data collection and storage to intended purposes.
- Enabling individuals to correct or request deletion of their personal data.
- Limiting the storage of personally identifiable data to only as long as necessary for its intended purpose.
- Ensuring personal data is protected using appropriate security practices.
Although the rules differ somewhat, the GDPR applies to organizations that collect and process data for their own purposes (“controllers”) as well as to organizations that process data on behalf of others (“processors”). In addition, unlike the current Data Protection Directive, both controllers and processors can be held accountable for failing to comply with GDPR.
Does GDPR apply to upRing?
To the extent beClocked processes EU personal data, yes, GDPR applies to upRing.
What is personal data under the GDPR?
The definition of personal data is broad under the GDPR. It includes any information relating to an identified or identifiable natural person (‘data subject’). Under the law, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. If an identifier can be tied to a natural person, it is personal data for purposes of GDPR compliance.
What are Processors and Controllers under GDPR?
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines purposes and means of the processing of personal data.
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of and under the direction of the controller.
Is beClocked SL (“beClocked”) a Processor or Controller under GDPR with respect to upRing?
beClocked makes numerous decisions about the purposes and means of processing personal data we collect directly from upRing users, including how we use the data we collect for our services. For example, beClocked determines how data is stored and processed using the service including available data fields (e.g. tasks with due dates, reminders, files and notes) and the purpose and functionality behind the data (e.g. offering push notifications for reminders, synchronizing data between different devices). Therefore, under GDPR upRing is a controller and not a processor of that data.
upRing is delivered pursuant to beClocked's data protection policies and procedures as a data controller. beClocked:
- Maintains a Privacy Statement at https://go.upring.com/fwlink/?LinkId=521839 that explains to consumers how beClocked collects and processes personal information as a data controller; and
- Maintains appropriate processes to select, contract with, and monitor the data processing activities of vendors that process personal information on behalf of beClocked.
If you have questions about what this means for your business, we encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance.
What are the responsibilities of a Controller?
A controller is directly responsible for complying with data protection laws. This includes requirements to:
- provide notice of processing to the data subject;
- confirm legitimacy and proportionality for the processing of personal information;
- assure that disclosures to third parties are made in accordance with appropriate contractual terms and otherwise in compliance with applicable law;
- establish adequate measures to protect the cross-border transfer of personal information outside the EU; and
- establish appropriate controls over processors who process personal information on the controller’s behalf, including:
  - assuring processors maintain appropriate security measures,
  - confirming the engagement of sub-processors in compliance with applicable rules, and
  - assuring adequate protections for cross-border transfers.
Is upRing GDPR Compliant?
YES, upRing is GDPR compliant.
What terms apply to use of upRing?
How does beClocked comply with Data Subject Rights?
beClocked honors data subject rights through different means:
- Data subjects can access, correct, or delete their content via the upRing apps or the upRing website.
- Data subjects can export their content via the upRing Exporter.