What is GDPR?
The General Data Protection Regulation (“GDPR”) is a new, EU-wide privacy and data protection law. It calls for more granular privacy guardrails in an organization’s systems, more nuanced data protection agreements, and more consumer-friendly and detailed disclosures about an organization’s privacy and data protection practices.
The GDPR replaces the EU’s current data protection legal framework from 1995 (commonly known as the “Data Protection Directive”). The Data Protection Directive required transposition into EU Member national law, which led to a fragmented EU data protection law landscape. The GDPR is an EU regulation that has direct legal effect in all EU Member States, i.e., it does not need to be transposed into an EU Member States’ national law in order to become binding. This will enhance consistency and harmonious application of the law in the EU.
When new requirements come into force?
The GDPR already came into force from 25 May 2018. As international team we need to follow and comply with GDPR and local laws too:
- In the UK, the government has created a new Data Protection Act (2018) which replaces the 1998 Data Protection Act. The new UK Data Protection Act was passed just before GDPR came into force, after spending several months in draft formats and passing its way through the House of Commons and House of Lords
- In Latvia, The Personal Data Protection Law (or copy/paste the link into your browser https://likumi.lv/ta/en/en/id/4042 ) shall apply to the extent that this is not contrary to GDRP.
Who is under compliance?
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Generally, The GDPR requirements apply to all companies, institutions, and organizations that process personal data.
Processing personal data is a broad concept under the GDPR
The GDPR governs how personal data of EU individuals may be processed by organizations. “Personal data” and “processing” are frequently used terms in the legislation, and understanding their particular meanings under the GDPR illuminates the true reach of this law:
Personal data is any information relating to an identified or identifiable individual. This is a very broad concept because it includes any information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data is not just a person’s name or email address. It can also encompass information such as financial information or even, in some cases, an IP address. Moreover, certain categories of personal data are given a higher level of data protection because of their sensitive nature. These categories of data are information about an individual’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about person’s sex life or sexual orientation, and criminal record information.
Processing of personal data is the key activity that triggers obligations under the GDPR. Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.
How personal data are processed by Bilderlings?
Bilderlings processes data only for specific purposes and the data are not stored for longer than necessary. Bilderlings maintains the data, which is necessary for providing the services selected by the customer and Bilderlings is able to deliver it to the customer.
Bilderlings processes personal data in one or more of the cases mentioned below:
- for signing and executing the agreement;
- requested by the law;
- for pursuing legitimate (lawful) interests;
- the consent has been obtained from the customer.
The GDPR can apply to organizations located outside the EU
Unlike the Data Protection Directive, the GDPR is relevant to any globally operating company, not just those located in the EU. Under the GDPR, organizations may be in scope if (i) the organization is established in the EU, or (ii) the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.
Our Data processing Policy
The Personal data processing Policy provide information on the processing and protection of personal data of Bilderlings customers, employees and other individuals. In addition to the description of the Policy, more detailed information on the processing of personal data can be included in your service agreements, other documents related to services and on the website.
Who can access these data?
Bilderlings may share customer data only in the cases:
- If the data are required by a public/supervisory authority;
- If that is necessary for providing the relevant service by authorized data receivers -
The data receivers authorized by Bilderlings, i.e., the companies that process the data on behalf of Bilderlings. Bilderlings shall take the necessary measures to ensure that the authorized data receivers carry out the customer data processing according to the guidance received from Bilderlings, comply with the required security and confidentiality requirements, as well as act in accordance with the legal requirements.
The list of authorized data receivers:
- For ensuring card payments – SIA Worldline Latvia (Reg.Nr. 40003072814, Dzirnavu street 37, LV-1010, Rīga)
- For ensuring card payments - SIA Decta (Reg.Nr. 50103962441, Duntes Street 6, Riga, LV-1013, Latvia);
- For ensuring card payments (as acquirer) – BlueOrangeBank JSC (Reg.Nr. 40003551060, Smilšu street 37, LV-1050, Rīga)
- For ensuring card services - Call Centre (transaction logs, balance, blocking) – BPO Services LTD (Reg.Nr. 50103796361, Kr. Valdemāra iela 8, Rīga, LV-1010, Latvia)
- For ensuring card services (card embossing and delivery) - EVRY Card Services Baltijas Filiāle (Reg.Nr. 40103476464 , Biekensalas iela 21, Rīga, LV-1004, Latvia)
- For customer data processing MSO365 – Squalio LLC JSC (Reg.Nr. 40003351675, Krišjāņa Valdemāra 21-19, LV-1010, Rīga)
- For data storage and email services G Suite – Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, VAT number: IE 6388047V
- For customer notification and marketing activities using SMS services – Sales.lv (Reg. Nr. 40103240056, Dzirnavu street 37-62, LV-1010, Rīga)
- For customer resource management – SalesForce.com INC. (Reg.Nr. The Landmark @ One Market street, San Francisco, CA 94105, USA)
- For preparation of insurance proposals – AAS "ERGO" (Reģ.Nr. 40003131253, Skanstes iela 50, LV-1013, Rīga)
- For ensuring payment services – SIA DEAC (Reg.Nr. 40103255973, Maskavas street 459, LV-1063, Rīga)
The most referenced consequence of non-compliance with the GDPR is the maximum fine that can be levied against a non-compliant organization. The maximum fine that may be levied is 4% of global revenue or 20 million EUR, whichever is higher. Certain other types of infringements carry a maximum fine of 2% of global revenue, or 10 million EUR, whichever is higher.
Less frequently referenced are the data protection authorities’ (“DPAs”) powers under Art. 58 of the GDPR. These powers include the ability for the DPAs to impose corrective actions, such as a temporary or definitive limitation on data processing activities, including a complete ban on data processing, or to order the suspension of data flows to a recipient in a third country.
If you have any queries about data processing at Bilderlings,
send us an email to: firstname.lastname@example.org