2. What is GDPR?
The General Data Protection Regulation requires organisations that process the personal data of individuals in the EU
to protect that data and the privacy of those individuals, whether the processing takes place inside or outside the EU.
4. Who is affected?
Any organisation that:
• Is established in an EU country, whether or not the processing itself takes place in the EU; or
• Has no establishment in the EU, but offers goods or services to, or monitors the behaviour of, individuals in the EU.
Company size does not decide whether the GDPR applies. The 250-employee threshold only governs the duty to keep written
records of processing activities (Article 30(5)): organisations with fewer than 250 employees must still keep such records
if their processing is not occasional, is likely to result in a risk to the rights of data subjects, or includes special
categories of personal data or data on criminal convictions.
5. What do the numbers say?
• 92% of U.S. companies consider GDPR a number one data protection priority (PwC survey);
• 50% of the companies affected by GDPR will not be in full compliance by the end of 2018 (Gartner);
• Fines reach up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements,
and up to €10 million or 2% of worldwide annual turnover for the lower tier.
6. Individuals' rights and definition of roles
The most important feature of the GDPR is that it clearly defines what individuals' rights are. Individuals have the right to:
• Access their own personal data
• Rectify inaccurate personal data
• Challenge automated decision making
• Object to direct marketing
• Be forgotten (erasure of their data)
• Data portability
7. What changed? Where are the regulations tighter?
Increased territorial scope: The GDPR makes it very clear that it applies to the processing of personal data by controllers
and processors established in the EU, regardless of whether the processing takes place in the EU or not, and also to
controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
Consent: The conditions for consent are strengthened. Consent must be clear and distinguishable from other matters and
provided in an intelligible and easily accessible form, using clear language, for every data capture. It must be as easy
to withdraw consent as it was to give it.
Breach notification: The data controller must report personal data breaches to the supervisory authority without undue
delay and in any event within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk
to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must be
informed as well.
Right to access: The controller has to provide a copy of the personal data free of charge (a reasonable fee may be charged
for further copies) and, where the request was made electronically, in a commonly used electronic format.
Right to be forgotten: Entitles the data subject to have the data controller erase his or her personal data, cease further
dissemination of the data, and potentially have third parties halt processing of the data, for example where the data is
no longer necessary for the purpose it was collected for, or where the data subject withdraws the consent on which the
processing was based.
Data portability: The right of a data subject to receive the personal data concerning them that they have provided, in a
'commonly used and machine-readable format', and to transmit that data to another controller.
Privacy by design: Data protection is built in from the start of designing systems, rather than added afterwards.
8. Best practices from our industry
Adoption of pseudonymization: The identifying fields of personal data are transformed (for example by keyed hashing,
tokenization or encryption) so that the data can no longer be attributed to a specific data subject without the use of
additional information. That additional information, which can be thought of as an encryption key or a re-identification
table, is kept separately and under its own access controls. The GDPR names pseudonymization as an appropriate safeguard
(Articles 25 and 32), and it allows much freer use of the data for analytics and sharing; note, however, that pseudonymized
data is still personal data under the regulation (Recital 26), unlike fully anonymized data.
Revision of consent points: Under the GDPR, consent given by the customer is valid only if the customer gives it freely,
based on clear and specific information for each processing operation. Under the old rules such operations could be
bundled together; that is no longer the case.
Use compliance from tech partners: For example, AWS offers a Data Processing Addendum (DPA) that meets the requirements of
the GDPR and is available to all AWS customers; we need to contact our AWS account manager to put it in place.
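A minimal illustration of the pseudonymization practice described above, added here as an example and not code from Cleeng or from the original deck: a keyed HMAC token replaces the direct identifiers in the working dataset, the key and the re-identification table are held separately from that dataset, and deleting a table entry is the natural hook for a "forgotten" request. The sample records, the field names, the key handling and the helper names (`pseudonymize`, `reidentify`, `erase_subject`) are assumptions made for this example.

```python
import hmac
import hashlib
import secrets

# Constructed sample end-user records (fictional people, not real data).
# The third record is the same subject as the first, typed with different casing.
SAMPLE_RECORDS = [
    {"name": "Anna Kowalski", "email": "Anna.Kowalski@example.com", "plan": "premium", "country": "PL"},
    {"name": "Bram de Vries", "email": "bram@example.net", "plan": "basic", "country": "NL"},
    {"name": "Anna Kowalski", "email": "anna.kowalski@example.com", "plan": "premium", "country": "PL"},
]

# Fields that directly identify a person and must not reach the working dataset.
DIRECT_IDENTIFIERS = ("name", "email")


def normalize_email(email: str) -> str:
    """Canonical form so the same person gets the same token regardless of casing/whitespace."""
    return email.strip().lower()


def pseudonym(key: bytes, email: str) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized e-mail address.

    A plain SHA-256 of the address would NOT be adequate: anyone who can guess an
    e-mail can recompute the hash and re-identify the row. With a secret key held
    outside the dataset, the token can neither be reversed nor re-derived.
    """
    mac = hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize(records, key: bytes):
    """Split records into a working dataset and a separately stored lookup table.

    dataset: rows with the direct identifiers replaced by an opaque "subject" token;
             this is what analytics jobs and partners get to see.
    lookup:  token -> direct identifiers; this is the "additional information" the
             GDPR talks about and must live apart from the dataset and from the key,
             behind its own access controls.
    """
    dataset = []
    lookup = {}
    for rec in records:
        token = pseudonym(key, rec["email"])
        safe_fields = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"subject": token, **safe_fields})
        # Keep the first identifiers seen for a subject; later rows only add dataset entries.
        lookup.setdefault(token, {k: rec[k] for k in DIRECT_IDENTIFIERS})
    return dataset, lookup


def reidentify(lookup, token: str):
    """Privileged operation: resolve a token back to the person (e.g. for a subject access request)."""
    return lookup.get(token)


def erase_subject(lookup, token: str) -> bool:
    """Right-to-be-forgotten hook: drop the identifiers; the dataset keeps only the opaque token.

    Returns True if an entry was removed. Note that while the key still exists the token
    remains re-derivable from the e-mail, so a full erasure also needs the source systems
    holding that e-mail to be purged, as the deck's "User ID only" practice implies.
    """
    return lookup.pop(token, None) is not None


def main() -> None:
    # In production the key comes from a KMS/secret store, never from the dataset's own storage.
    key = secrets.token_bytes(32)
    dataset, lookup = pseudonymize(SAMPLE_RECORDS, key)
    for row in dataset:
        print(row)
    anna = dataset[0]["subject"]
    print("same subject linked:", dataset[0]["subject"] == dataset[2]["subject"])
    print("re-identified:", reidentify(lookup, anna))
    print("erased:", erase_subject(lookup, anna), "->", reidentify(lookup, anna))


if __name__ == "__main__":
    main()
```

The important property to check in your own implementation is the one the first assertion below exercises: the working dataset alone, even together with a guessed e-mail address, must not let anyone rebuild the token, which is why the key is an input to the hash rather than a salt stored next to the data.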
9. Who needs a dedicated Data Protection Officer (DPO)?
GDPR Chapter IV, Section 4 (Article 37) states that a Data Protection Officer must be appointed if:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope
and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant
to Article 9 of the GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
Importantly, the DPO:
• Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices;
• May be a staff member or an external service provider;
• Contact details must be provided to the relevant DPA;
• Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge;
• Must report directly to the highest level of management;
• Must not carry out any other tasks that could result in a conflict of interest.
The good news is that Cleeng can handle most of the sensitive user data management, and with our strong European base and
background many of these functions can be off-loaded to us. Want to know more? Contact us.
11. Current status at Cleeng
1. GDPR awareness: Every key position at Cleeng is well informed and has a specific role in meeting GDPR compliance.
2. Held information: Cleeng encrypts its end-user data to keep it safe from potential intrusion. It also runs on Amazon Web Services and meets SSAE 16 SOC 1 requirements.
3. Communicating privacy information: Cleeng publishes its Privacy Policy on its official website.
4. Right to access: End-users can access their private information via the "My Account" feature. The personal data is hidden/masked within our infrastructure.
Right to be forgotten: Cleeng users can explicitly ask to be forgotten. All personal information is then permanently erased, and only a User ID is kept for potential future activity.
Note: As an eCommerce company, Cleeng is bound by local fiscal laws and has to keep the personal data needed for bookkeeping (up to 10 years).
Right to export data: Within the "My Account" feature, end-users can request and receive a data export in an appropriate format for further processing.
5. Update procedures: Cleeng has been working on GDPR compliance over the past year, and our systems and processes are up to date.
6. Lawful basis for processing personal data: As an eCommerce company, we have to collect personal information in order to identify users and enable the service of our clients. However, the company keeps only the minimum required information (name, email, account entitlement, services purchased), related only to the purchased services. Information collected from our users will not be sold, shared, or rented to others in ways different from what is disclosed in this privacy statement.
7. Consent: On the Cleeng website there is a mandatory opt-in on all of our data capture and account creation points.
8. Children's information: The Cleeng service does not store age or children-related information. The service itself is targeted at users aged 18+, and we also recommend that our clients limit their parental-control functions to account restriction independent of age.
9. Data breach notification: In accordance with European law, Cleeng partners with best-in-class cybersecurity companies that monitor our platform 24/7 and run ad-hoc penetration tests.
10. Subject access request/data processing: Role-based administration is in place in our main data systems, the Broadcaster Dashboard and the Cleeng Admin.
11. Data Protection Officer: Cleeng has had an official DPO since September 2017, who is in charge of privacy and security compliance.
12. International: As an international organisation based in the Netherlands, Cleeng is supervised by the Dutch data protection authority (Autoriteit Persoonsgegevens); the Dutch Data Protection Act (Wet bescherming persoonsgegevens) applied until the GDPR took effect on 25 May 2018.