General Data Protection Regulation
The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.
May 25, 2018
GDPR covers all of the European Union Member States, which includes: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
The United Kingdom is still part of the EU and thus governed by GDPR. This includes the Channel Isles, England, Northern Ireland, Scotland, and Wales. GDPR also covers European Economic Area countries, such as Iceland, Liechtenstein, and Norway.
There are dependent territories/countries that are technically in the EU though not in Europe that are governed by GDPR; these include Azores, Canary Islands, Guadeloupe, French Guiana, Madeira, Martinique, Mayotte, Reunion, and Saint Martin.
No. GDPR only applies to people living and working in the EU or related countries.
Yes, ComplianceLine has data processing agreements in place, which include the standard contractual clauses (EU 2010/87).
ComplianceLine has a dual verification system for reports that may contain GDPR information. During the setup process, any client who has locations in the EU or related states will automatically be assigned a category named “GDPR”. Any report that comes in from an EU or related state will be assigned the “GDPR” category. Also, as part of the review process by our QA Team, the reviewer will mark the “GDPR” checkbox, identifying these calls as GDPR.
These two data points allow ComplianceLine to identify GDPR-related reports at any time, which lets us provide clients with their report information in a timely fashion.
If a reporter contacts ComplianceLine directly, we will notify the client of any data requested within one business day. ComplianceLine will wait for up to one business day for the client to respond to any data requests. If the client has not responded at that time, ComplianceLine will act according to GDPR guidance.
ComplianceLine has determined that all call records pertaining to GDPR will be retained for 6 months. After 6 months, all report data will be purged from the system. A shell of the report will remain with a note that this report has been removed according to GDPR guidelines.
In order to identify records in SC that are GDPR related, we provide clients with a field that they fill out when uploading their files to the system. All searches done against these names will be flagged as GDPR.
This flag is how we identify any information that is provided in accordance with GDPR. If a data access request, request for change, or request for deletion comes to ComplianceLine, we will respond to the client who performed the search within one business day.
ComplianceLine will wait up to one business day for a response from the client with instructions on how to proceed with the request. If the client does not respond in this period, ComplianceLine will fulfill the request based on GDPR guidance.
Since SC is a system of audit for checking employees, vendors, physicians, board members, and volunteers against sanction databases, we will save any records and search results for 2 years for any entity flagged as GDPR. After the 2-year time period, all search information will be completely purged from our system, leaving only a shell of the search with a note that this person “has been removed” in accordance with GDPR guidelines.
A data controller is the originator of the data. Example 1: The Client/Caller provides the data to ComplianceLine. The Client/Caller is the data controller. Example 2: ComplianceLine provides access to Clients’ data to a vendor. ComplianceLine is the data controller.
A data processor is the entity receiving the data. Example 1: ComplianceLine receives the data from the Client/Caller. ComplianceLine is the data processor. Example 2: The vendor receives access to our Clients’ data. The vendor is the data processor.
ComplianceLine, our Clients, or vendors could be subject to the following penalties: Under the GDPR, the EU Information Commissioner’s Office (ICO) can impose fines of up to 20 million Euros or 4% of the company’s worldwide turnover (whichever is greater) against both data controllers and data processors.