What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR), whose implementation started on 25 May 2018, applies to companies based in the European Union and to international companies that process personal data belonging to individuals residing in the European Union.
While many of the principles of the GDPR Regulation are in fact an extension of existing EU data protection rules, the GDPR Regulation has a broader scope and more stringent standards and provides for significant financial penalties. For example, it sets more stringent requirements in terms of obtaining consent for the use of certain types of data and expands the rights of individuals to access their data and to transfer that data. It also provides for significant sanctions, giving supervisory authorities the possibility to impose financial penalties of up to 4% of a company's total annual revenues for certain infringements.
The commitment and preparation of Alfanet S.A.
Data protection is a key issue for Alfanet S.A., which complies with current European Union data protection legislation and the General Data Protection Regulation (GDPR).
Having already initiated the necessary procedures to comply with the GDPR regulation, we make the following commitments:
- Transparency: Our Data Policy will remain the sole means of describing our methods for processing users' personal data. In addition, however, we will provide consent options for new and existing customers and recipients of our updates, notifications within the products and solutions we advertise, and education campaigns for our end customers.
- Control: In this context, we will always provide the possibility to exercise the "right to be forgotten" through the newsletters we send out.
- Accountability: Our legal department has regular meetings with regulatory and legislative authorities, as well as privacy experts, to ensure we remain highly informed and make adjustments where necessary.
Relevant legal bases
Under the GPDR regulation, there are a number of grounds that justify the processing of personal data. Below we outline the most relevant legal bases under the GDPR regulation.
The data being processed must be necessary for the performance of the task and must be set out in the contract entered into with the individual concerned.
- Specific and clear consent is required, which should be given freely, having been made aware of all relevant information and with a clear, positive action.
- Recipients have the right to withdraw their consent and should be informed of this right.
- A business or other third party must have legitimate interests that are not undermined by the rights or interests of the individual who consents to the processing of their personal data.
- The processing of the data must be stopped if there is an objection.
Alfanet S.A. as data controller and as data processor
Data Controller: Data controllers should adopt compliance measures covering how the data are collected, the purposes for which they are used and the period for which they are retained and ensure that individuals have a right of access to the data held.
Data processor: Also, in cases directly involving data processors, data controllers must engage data processors to ensure that the data are processed securely and lawfully.
Although Alfanet S.A. manages most of its services as a data controller, there are certain cases in which it also acts as a data processor in the context of its cooperation with businesses.
Where Alfanet S.A. processes data as a data processor on your behalf, your business must have its own legal basis on which it processes and discloses data to us.