The General Data Protection Regulation (GDPR) is a new European privacy regulation that replaces the EU Data Protection Directive (Directive 95/46/EC). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. The effective date for GDPR is May 25, 2018. It provides data subjects with an array of privacy rights, which give individuals greater transparency into and control over uses of their personal information.
1. What is Outfield doing for the GDPR?
We are big fans of GDPR here at Outfield because we think it gives individuals important rights over their data. It helps us provide an even better level of trust with users regarding how their data is processed and stored over the internet. We also believe GDPR is the new global standard for data protection and we continuously work to maintain compliance with GDPR. Outfield is committed to always operating in the best interests of our customers and this includes compliance with GDPR.
We are constantly learning from external GDPR experts who specialize in compliance, gathering information, and making the needed investments as required by law. Furthermore, we are communicating with our customers around the world to answer their questions and to help them use Outfield's services in compliance with GDPR.
2. GDPR Key Principles
Several major principles underpin many of the requirements found in the GDPR with regard to controlling and processing personal data:
Fairness and Transparency
Organizations must always process personal data lawfully, fairly, and in a transparent manner.
Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that’s incompatible with those purposes.
Organizations can collect only personal data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.
Personal data must be accurate and, where necessary, kept up to date.
Personal data must be kept only for as long as it’s needed to fulfill the original purpose of collection.
Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration.
A data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR.
3. Data Controller vs. Data Processor
In order to fully understand who is responsible for which personal data, you need to understand the difference between the data processor and the data controller.
You are the data processor when you process personal data on behalf of a data controller.
You are the data controller when you decide the "purposes" and "means" of any processing of personal data.
Outfield as a Data Processor
The places and people you store in Outfield as accounts and/or contacts are your data subjects, and you are considered the data controller for this personal data. Using the Outfield app to manage your customers means that you have engaged Outfield as a data processor to carry out certain processing activities on your behalf. According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same Article).
Outfield as a Data Controller
Additionally, Outfield acts as the data controller for the personal data we collect about you, the user of Outfield services, including the website, web app, and mobile apps. We process your personal data necessary for us to perform our contract with you (GDPR Article 6(1)(b)). We process your personal data to meet our obligations under the law (GDPR Article 6(1)(c)). This primarily involves financial data and information that we need to meet our accountability obligations under the GDPR. We process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
4. Individual Rights
The GDPR grants you a number of rights regarding how Outfield handles your personal data.
You have the right to confirm with Outfield whether Outfield is processing your personal data.
Right to Object
You can, in certain cases, object at any time to the processing of your personal data, in particular if the processing is for direct marketing purposes.
You can send us a request to correct or complete personal data if the data is inaccurate or incomplete.
Restriction of Processing
You can request Outfield to stop access to and modification of your personal data.
Outfield provides functionality in the web app to export your data for your users, accounts, and activity in CSV format so that you can transmit your own personal data to another company. In certain cases, you have the right to ask Outfield to provide additional personal data, also in a structured, commonly used, and machine-readable format such as a CSV file.
Right to Erasure
This is also known as “the right to be forgotten.” This right empowers you to request that Outfield delete or remove your personal data in situations such as when the data is no longer needed for the original purpose, when the data subject withdraws consent, or when the data subject objects to the processing and the controller has no overriding legitimate interest in the processing. Outfield provides you this functionality in the settings section of the Outfield web app.
If you have any questions or feedback, or need to reach our Data Protection Officer, please reach out to our support team by email at firstname.lastname@example.org.