This article outlines frequently asked questions about MRI OnLocation and GDPR. It does not provide legal advice. Please consult with your legal counsel to familiarize yourself with the requirements.
Read the GDPR statement on the MRI website.
What is the GDPR?
On May 25, 2018, a landmark privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data.
The GDPR is the comprehensive data protection law in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It updated and replaced the patchwork of national data protection laws in place with a single set of rules directly enforceable in each EU member state.
What does the GDPR regulate?
The GDPR regulates the “processing” of data for EU individuals, which includes collection, storage, transfer, or use. Any organization that processes the personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
How does the GDPR change privacy law?
The key changes are the following:
- Expanded data privacy rights for EU individuals; data breach notification requirements; added security requirements for organizations; and requirements governing customer profiling and monitoring.
- GDPR also includes Binding Corporate Rules that organizations can use to legalize transfers of personal data outside the EU, and fines of up to 4% of global revenue for organizations that fail to meet their GDPR compliance obligations.
- Overall, the GDPR provides a central enforcement point by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
Does the GDPR require EU personal data to stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. However, OnLocation must comply with the privacy rights of EU individuals, and we must ensure compliance with our obligations on how we market, track, and handle EU personal data. These include ensuring the rights of EU citizens are maintained and ensuring data handling is carried out in a way that meets the recommendations defined in the GDPR.
Is there a GDPR certification?
No, there is not currently a GDPR certification issued by the European Commission. OnLocation will be monitoring any certifications that come out after the GDPR goes into effect and will seek those it deems appropriate.
Does the GDPR require EU personal data to be encrypted at rest?
The GDPR does not mandate specific security measures. Instead, the GDPR requires organizations to take technical and organizational security measures which are appropriate to the risks presented (Article 32(1)). Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance.
Does OnLocation encrypt personal data at rest?
Yes. We apply encryption of data at rest for all customer accounts.
Does OnLocation have GDPR features or functionality?
Yes. The following features are available to you:
- A disclaimer for visitor information capture.
- A disclaimer for photo capture specifically.
- The ability for a visitor to disable the system from remembering their details on sign in.
- A way for visitors to see all information you have about them.
- The ability to erase a visitor’s information on their request.
Some of these require activation, and some are features you can use on request. Find out how to enable these features.
Data Protection Officer (DPO)
The GDPR requires that you appoint a representative in the EU.
MRI New Zealand Holdings Limited (MRI) has appointed a DPO responsible for setting up policies, reviewing Data Protection Impact Assessment reports, monitoring compliance with the GDPR, and all tasks listed in Article 39.
The Data Protection Officer
MRI Software, LLC
Data Protection Representative (DPR) in the EU
The GDPR specifies under Article 27 that an organization with no establishment in the European Union (EU) but which processes the personal data of data subjects inside the EU must appoint a Data Protection Representative in the EU to allow data subjects and local data protection authorities to have a relevant contact.
MRI, which processes the personal data of individuals in the European Union, in either the role of ‘data controller’ or ‘data processor’, has appointed MRI Software Ireland Limited as its EU Data Protection Representative for the purposes of GDPR.
The contact details are:
MRI Software Ireland Limited
If you want to raise a data protection query or otherwise exercise your rights in respect of your personal data to our Data Protection Representative, you may do so by:
- Sending an email to firstname.lastname@example.org quoting MRI OnLocation in the subject line; or
- Mailing your inquiry to the above address for the attention of the MRI Data Privacy Practitioner.
When mailing inquiries, it is essential that you mark your letters for MRI Software Ireland Limited. Please refer clearly to MRI OnLocation in your correspondence.
On receiving your correspondence, OnLocation is likely to request evidence of your identity to ensure your personal data and information connected with it are not provided to anyone other than you.
If you have any concerns over how MRI Software Ireland Limited will handle the personal data that we will require to undertake our services, please contact email@example.com.