Introduction to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) to regulate the processing of personal data. Effective from May 25, 2018, GDPR replaced the 1995 Data Protection Directive, establishing a stringent regulatory framework designed to protect personal data and enhance privacy. The regulation emphasizes accountability and transparency from organizations that process personal data.
CMSI’s Commitment to GDPR Compliance
Content Management System International (CMSI) demonstrates a strong commitment to GDPR compliance through various strategies and practices. As the most significant privacy law in Europe in the past 20 years, GDPR requires organizations to reexamine and update their policies and services to ensure compliance. CMSI respects its members’ privacy and has updated its policies accordingly.
Data Privacy Officer (DPO)
A Data Privacy Officer (DPO) is a key role within CMSI, responsible for overseeing the data protection strategy and ensuring compliance with data privacy regulations. CMSI has appointed an internal DPO to manage GDPR compliance, keep track of documents and records, and oversee all GDPR-related activities.
Personal Data Processing Agreement (PDPA)
A Personal Data Processing Agreement (PDPA) outlines the terms and conditions under which personal data is processed by a data processor on behalf of a data controller. This agreement is crucial for GDPR compliance. In this DPA, the “Data Controller” refers to the Advertiser, and the “Data Processor” refers to CMSI.
Key Points of the PDPA:
- CMSI’s DPO manages all GDPR-related activities to ensure legal compliance.
- Conduct effective privacy impact assessments (PIAs) for data processing.
- Maintain a register of all data handled, including storage locations and authorized users.
- Establish agreements with data processors on data processing.
- Handle contracts for data processing.
- The DPO monitors privacy conditions and handles data breaches.
- The DPO remains informed on the organization’s data handling.
Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) evaluates and manages the privacy implications of new projects, systems, or processes involving personal data. CMSI conducted a PIA to identify the information Affiliates process and ensure GDPR compliance.
Objectives and Extent of Personal Data Processing:
- Data Controllers use Data Processors for advertising.
- Data Controllers use tracking technology provided by Data Processors to manage publisher networks and maintain records.
- Users can sign up through various channels, including the website, newsletter, invitations, and social media campaigns.
Enrolling in the Online Panel Program:
- Participants must provide a double opt-in before becoming members.
- Upon consent, panel providers receive participant data, and participants begin receiving online surveys.
Handling Personal Data:
- Members can manage their personal data through their account areas.
- Types of personal information processed include Cookie ID, IP address, and contact information.
Publishers’ and Affiliates’ Obligations
Responsibilities:
- Implement organizational and technological safeguards for data processing compliance.
- Ensure individuals with access to personal data comply with the DPA terms.
- Remove personal data as instructed by the Data Processor.
- Ensure employees access personal data only as necessary.
- Handle personal data confidentially and protect it from security threats.
Right to Unsubscribe
The “right to unsubscribe” allows individuals to opt out of receiving further communications. This mechanism is essential for maintaining user privacy and preventing unwanted communications. Members can terminate their accounts or unsubscribe from newsletters and emails easily.
Data Access and Breach Response
Access:
- Only legal CMSI staff and certain data processors have access to member data, strictly for necessary functions like sending newsletters or customer care.
Breach Response:
- CMSI has a data breach response plan stored on an internal Google Drive. The DPO handles data breaches, and CMSI keeps internal sequence logging information for retrieval checks.
Communication of GDPR to Staff
CMSI has distributed an internal privacy policy and provided education on GDPR compliance to all employees, ensuring that all staff members understand and follow the necessary steps to protect data.
Standards and Legalities
- CMSI is not responsible for the legality of services in countries where it offers affiliate services.
- For EU Campaigns, this Agreement is governed by the laws of the United Kingdom.
- Disputes arising from this contract should be resolved through mediation, initiated within 28 days of notice.
For any queries concerning GDPR compliance, please contact us at: info@cognetrixglobal.com