On May 25, 2018, a landmark privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data.
This article outlines frequently asked questions about MRI OnLocation and GDPR. It does not provide legal advice. We urge you to consult with your own legal counsel to familiarize yourself with the requirements that govern your specific situation.
Read the GDPR statement on the MRI website.
What is the GDPR?
The GDPR is the comprehensive data protection law in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It updates and replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
What does the GDPR regulate?
The GDPR regulates the “processing” of data for EU individuals, which includes collection, storage, transfer, or use. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
How does the GDPR change privacy law?
The key changes are the following:
- Expanded data privacy rights for EU individuals, data breach notification and added security requirements for organizations, as well as customer profiling and monitoring requirements.
- GDPR also includes Binding Corporate Rules for organizations to legalize transfers of personal data outside the EU, and fines of up to 4% of global revenue for organizations that fail to adhere to their GDPR compliance obligations.
- Overall, the GDPR provides a central point of enforcement by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
Does the GDPR require EU personal data to stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. However, OnLocation must comply with the privacy rights of EU individuals, and we must ensure compliance with our obligations on how we market, track, and handle EU personal data. These include ensuring that the rights of EU individuals are maintained and that the handling of data is carried out in a way that meets the recommendations defined in the GDPR.
Is there a GDPR certification?
No, there is not currently a GDPR certification issued by the European Commission. OnLocation will be monitoring any certifications that come out after the GDPR goes into effect and will certify to them, if it deems them to be appropriate.
Does the GDPR require EU personal data to be encrypted at rest?
The GDPR does not mandate specific security measures. Instead, the GDPR requires organizations to take technical and organizational security measures which are appropriate to the risks presented (Article 32(1)). Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance.
Does OnLocation encrypt personal data at rest?
Yes. We apply encryption of data at rest for all customer accounts.
Does OnLocation have GDPR features or functionality?
Yes. The following features are available to you:
- A disclaimer for visitor information capture.
- A disclaimer for photo capture specifically.
- The ability for a visitor to disable the system from remembering their details on sign in.
- A way for visitors to see all information you have about them.
- The ability to erase a visitor’s information on their request.
Some of these require activation and some are features that you can use on request when required. To learn how to enable these features see our article here.
OnLocation's Data Protection Officer (DPO)
The GDPR requires that you appoint a representative in the EU.
OnLocation has appointed a DPO who will be responsible for setting up policies, reviewing Data Protection Impact Assessment reports, monitoring compliance with the GDPR, and all tasks listed in Article 39.
Data Protection Representative (DPR) in the EU
The GDPR specifies under Article 27 that an organization with no establishment in the European Union (EU), but which processes the personal data of data subjects inside the EU, must appoint a Data Protection Representative in the EU to allow data subjects and local data protection authorities to have a relevant contact.
WhosOnLocation Limited, which processes the personal data of individuals in the EU, in either the role of ‘data controller’ or ‘data processor’, has appointed MRI Software Ireland Limited as its EU Data Protection Representative for the purposes of GDPR.
The contact details are:
MRI Software Ireland Limited
If you want to raise a data protection query, or otherwise exercise your rights in respect of your personal data, to our Data Protection Representative, you may do so by:
- Sending an email to email@example.com quoting <WhosOnLocation Limited> in the subject line; or
- Mailing your inquiry to the above address for the attention of <MRI Data Privacy Practitioner>.
On receiving your correspondence, WhosOnLocation Limited is likely to request evidence of your identity to ensure that we are permitted to discuss and disclose information to you.
When mailing inquiries, it is essential that you mark your letters for ‘MRI Software Ireland Limited’ and not ‘WhosOnLocation Limited’, or your inquiry may not reach us. Please refer clearly to WhosOnLocation Limited in your correspondence.
On receiving your correspondence, WhosOnLocation Limited is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.
If you have any concerns over how MRI Software Ireland Limited will handle the personal data that we will require to undertake our services, please contact firstname.lastname@example.org.