Statement on the General Data Protection Regulation
How is Frosmo preparing for the GDPR?
FROSMO takes data protection very seriously and is prepared to be fully compliant with the General Data Protection Regulation (GDPR) when the regulation becomes effective. To achieve compliance, we:
- Have a data protection steering group to review all system and process changes related to data protection and handle questions and requests from customers and other stakeholders.
- Assess our current customer implementations to know exactly what data is being collected through the Frosmo platform in each customer implementation.
- Develop and improve our technical and organizational processes to ensure the data subject’s right to access their own data.
- Document the scope and life-cycle of personal data collected by the Frosmo platform.
- Create internal guidelines and train our staff to be aware of the requirements of the GDPR.
- Cover data tracking and protection issues in our subscription agreements.
If you have any questions about FROSMO and the GDPR, don’t hesitate to contact us.
What is the GDPR?
The GDPR is a piece of legislation to strengthen and unify data protection for all individuals within the European Union (EU). The regulation becomes enforceable in the EU/EEA area on 25 May 2018. It is directly binding and applicable to all EU member countries, which means that it does not require national governments to pass any enabling legislation.
The GDPR applies to personal data when the data controller (the organization that collects data from EU residents), the data processor (the organization that processes data on behalf of the data controller), or the data subject (in our case, a website visitor) is based in the EU area. It also applies to organizations based outside the EU if they collect or process the personal data of EU residents.
The GDPR defines personal data as basically any data related to an identified or identifiable natural person (the data subject). For example, a postal address, date of birth, gender, profession, video, IP address, device ID, and car registration number are personal data if they can somehow be used to identify a person.
According to the GDPR, processing personal data must be:
- Lawful: There must be a legitimate basis for collecting, processing, and storing personal data. For example, you may need to collect certain data on your website in order to provide a service to your website visitors.
- Based on consent: The data subject must give their consent for gathering and processing data through a clear affirmative action.
- Transparent: The data subject has the right to access their personal data, to restrict its processing, and to require its removal. They can also object to any automated profiling or decision-making.
In addition, data protection must be integrated by design and by default into any data processing activities carried out by organizations processing personal data. These organizations must also be able to demonstrate their compliance with the above requirements.
For more information about the GDPR, see the official regulation document.