The General Data Protection Regulation (GDPR) impacts both citizens of the European Union (EU) and companies like Eastman that do business there. The law is designed to provide protections for the data collected by companies and gives people living in the EU the right to understand what is being done with their information.
Following is a list of questions that should provide you with a general understanding of GDPR and its impact on you and Eastman:
What is GDPR?
GDPR stands for General Data Protection Regulation. This is a new European regulation focused on unifying privacy across the European Union and protecting personal data of data subjects. It became enforceable May 25, 2018, superseding laws that date back to 1996.
To whom does the regulation apply?
The regulation focuses on the protection of a data subject in relation to the processing and movement of personal data. The data subject must be a natural person living in the European Union. It is not based on European citizenship, and it does not apply to corporate entities.
What is included as personal data?
Personal data is any information relating to an identifiable natural person. Examples include name, phone number (business or personal), email address (business or personal), an identification number, location data, credit card numbers, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject. This list is expanded beyond what is typically considered personally identifiable information (PII).
What rights are given to the data subject under GDPR?
The regulation gives data subjects:
- The right of access to their data
- The right to rectify their data
- The right to erase their data
- The right to restrict processing of their data
- The right to data portability
- The right to object
What are the legal grounds on which Eastman can gather and process personal data?
- The data subject can give consent
- Processing is necessary for the performance of a contract with the data subject
- For Eastman to comply with legal obligations under Union or Member State law
- To protect the vital interests of a natural person
- To perform a task in the public interest set out by a Union or Member State law
- For purposes of legitimate interests pursued by Eastman or a third party
Who is affected by GDPR?
Anyone who interacts with employees, contractors, vendors, and customers living in Europe.
What are Eastman’s responsibilities with GDPR?
Eastman must ensure that personal data is processed lawfully, fairly, and in a transparent manner. Any personal data must be collected for specific, explicit, and legitimate reasons. The collection of personal data should be limited to what is necessary. To do this, Eastman needs to know:
- What personal data is being collected
- Where personal data is being stored
- How long personal data is being stored (or the criteria to determine this period)
- What the purpose is for processing (using) the personal data
- The legal basis for processing personal data
- Who has access to the personal data (including third parties)
- How personal data is protected