GDPR
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.
| GDPR Principle/Right | Requirement | Company Policy Provision |
|---|---|---|
| Lawfulness, Fairness, and Transparency (Art. 5, 6) | Processing shall be lawful only if a legal basis applies (e.g., consent, contract). Processing must be fair and transparent to the data subject. | See Terms Of Use, School Addendum, Sections 2 & 3 (establishes the service contract as the basis for processing); Privacy Policy (provides transparency on data practices) |
| Purpose Limitation (Art. 5) | Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. | See Privacy Policy, How We Collect and Use Information; Security Statement, Section 2 |
| Data Minimisation (Art. 5) | Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. | See Security Statement, Section 4 |
| Accuracy & Right to Rectification (Art. 5, 16) | Personal data shall be accurate and, where necessary, kept up to date. Data subjects have the right to have inaccurate personal data rectified. | See Security Statement, Section 6, "Correction of RECORDS" |
| Storage Limitation (Art. 5) | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. | See Security Statement, Section 6, "Removal of RECORDS"; Data Management Policy |
| Integrity and Confidentiality (Security) (Art. 5, 32) | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. | See Security Statement, Section 5; Cryptography Policy, Access Control Policy, and Operations Security Policy |
| Accountability & Data Protection Officer (Art. 5, 24, 37) | The controller shall be responsible for, and be able to demonstrate compliance with, the principles. A Data Protection Officer (DPO) must be appointed in certain circumstances. | See Information Security Roles and Responsibilities; Privacy Policy, How to Contact Us |
| Right of Access (Art. 15) | The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data. | See Security Statement, Section 6, "Viewing of RECORDS"; Privacy Policy, Access to Individual Data |
| Right to Erasure ('Right to be Forgotten') (Art. 17) | The data subject shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay. | See Security Statement, Section 6, "Removal of RECORDS"; Terms Of Use, School Addendum, Section 4 |
| Right to Data Portability (Art. 20) | The data subject shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller. | See Security Statement, Section 6, "Viewing of RECORDS" |
| Right to Object (Art. 21) | The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them. | See Privacy Policy, Your Choices About Your Information (regarding communications); Security Statement, Section 3.2 (regarding removal from the yearbook) |
| Data Transfers (Chapter 5) | Transfers of personal data to a third country may only take place if appropriate safeguards are in place. | See Privacy Policy, Storage and Processing; Third-Party Management Policy |
| Data Breach Notification (Art. 33, 34) | In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. When the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay. | See Terms Of Use, School Addendum, Section 5; Privacy Policy, In the Event of a Data Breach; Incident Response Plan |
