The GDPR is applicable to every organisation which deals with personally identifiable data of EU citizens, regardless of where the organisations themselves are located. On this page, we explain how we handle personal data to achieve GDPR compliance, both for ourselves and for our customers.
GDPR basics — definitions
A quick summary
Here is a quick summary of other important GDPR rules:
Our policy statement
Our scope
This GDPR Compliance Data Protection Policy shall:
- Apply to all SMSwarriors activities related to the processing of Personal Data, either as Data Controller or as Data Processor acting under the lawful instructions of a third party.
- Apply to all ways in which Personal Data is acquired, received, processed, stored, amended, disclosed and erased by SMSwarriors. This includes Company data, as well as personal data owned by an external organisation and entrusted to the Company under a contract which specifically communicates data-protection requirements.
- Ensure that the rights of Data Subjects under GDPR are upheld by SMSwarriors.
- Be communicated to all employees, contractors, third-party users, external Data Processors, and any other organisation or individual with a bona-fide need to access Personal Data held by or entrusted to SMSwarriors.
Our data
To fully comply with EU GDPR, SMSwarriors has:
- Thoroughly researched and prepared a list of all types of personal information it holds, the source of that information, who it shares it with, what it does with it and how long the data is kept.
- Prepared a list of places where it keeps personal information and the ways data flows between them.
- Published a publicly accessible privacy policy that outlines all processes related to personal data.
- Included a lawful basis in the privacy policy to explain why it needs to process personal information.
Accountability & management
To fully comply with EU GDPR, SMSwarriors has:
- Appointed a Data Protection Officer (DPO).
- Created awareness among decision makers about GDPR guidelines.
- Made sure that the technical security is up to date.
- Trained staff to be aware of data protection.
- Prepared a list of sub-processors — the privacy policy mentions the use of these sub-processors.
- Established procedures to report data breaches involving personal data to the local authority and to the people (data subjects) involved.
- Put a contract in place with the data processors with which it shares data.
- Prepared and made available a Data Processing Agreement (DPA) to existing customers.
Customer rights
As part of our GDPR compliance journey and data-subject rights, our customers can easily:
- Request access to their personal information.
- Update their own personal information to keep it accurate.
- Request deletion of their personal data.
- Request that we stop processing their data.
- Request that their data be delivered to themselves or to a third party.
- Object to profiling or automated decision-making that could impact them.
Consent
As part of our GDPR compliance journey and consent rules, SMSwarriors warrants that:
- The Data Subject's consent is obtained when it starts processing a person's information.
- Its privacy policy is written in clear and understandable terms.
- It is as easy for customers to withdraw consent as it was to give it in the first place.
- When it processes children's personal data, it verifies their age and obtains consent from their legal guardian.
- It informs existing customers when it updates the privacy policy or cookie policy.