EU General Data Protection Regulation

Introduction

GDPR stands for General Data Protection Regulation and is an EU privacy law that came into force on 25 May 2018 [1]. The GDPR applies to all companies with a nexus in the EU or that target an EU audience in their marketing materials [2].

GDPR is designed to protect end users' sensitive personal information, such as passwords, addresses, financial information, medical records, and criminal history. It also extends to other personally identifiable information, such as name, photo, government identification numbers, and IP address. [3]

Companies have a financial incentive to comply with the law. If a GDPR violation is reported to a company and the company does not take timely action to correct it, it may be subject to fines of up to 20 million euros or 4% of total revenue, whichever is greater. Fines depend on the severity of the violation and on whether the company is considered to have taken compliance and security standards seriously enough. [4]

Data Controllers and Data Processors

GDPR has a shared-responsibility model split between a "Data Controller" (a company that provides a service to end users) and a "Data Processor" (a company that provides a service to data controllers that includes storing and processing end user data). [5]

A data controller relies on its data processors to take good care of the end user data. If a data controller learns from a data processor that there has been a breach and the breach is serious enough, the data controller must inform its end users within 72 hours. [6]

A data controller must also provide end users with a clear description of how it will use their data and obtain explicit consent for this usage. A data controller must also provide a way for end users to download their data in a portable format, withdraw their consent, and remove themselves (and their data) from the service. [7]

A data processor stores end user data on behalf of the data controller and must ensure that this data never falls into the wrong hands. Data processors must follow industry best practices including encryption of passwords, PCI compliance, and ensuring the security of data transferred to/from the EU. [8] In the case of a breach, a data processor must inform the data controllers in a timely fashion. A data processor may themselves use third party services to store and process end user data, and in this case the data processor must ensure that these third party services are also GDPR compliant.

How CYPHER LEARNING is GDPR Compliant

CYPHER LEARNING is primarily a data processor, since we offer our cloud-hosted LMS to organizations. Those organizations are data controllers, since they sign up end users and those users enter data into our system. To be compliant as a data processor, we do the following:

  1. Follow industry best practices to ensure the security of our system and prevent breaches. For more details about our security features, visit our public FAQ.
  2. Provide clear privacy policies.
  3. Provide our customers with a framework that allows policy consents to be required for particular account types and/or visitors.
  4. Allow policies to be versioned (which then requires re-acceptance) and reported on.
  5. Allow end users to withdraw their consent from policies if desired.
  6. Allow customers to provide end users with self-service data export for data portability.
  7. Allow customers to provide end users with the ability to self-delete their accounts or request that their accounts are deleted.
  8. Provide end users with a set of privacy settings.
  9. Commit to alert our customers with a timely notification of any serious breach.
  10. Use the EU-US and Swiss-US Privacy Shield for EU-US data transfer.
  11. Confirm that the third party services and systems we utilize for the operations of our product are also GDPR compliant.

CYPHER LEARNING is also secondarily a data controller, since we require the person who initially signs up for our service to enter some data such as their name and email address. To be compliant as a data controller, we do the following:

  1. Provide clear Terms of service and Privacy Policy.
  2. Provide customers with a method to self-delete their site and all related data.
  3. Use industry best security practices to protect against data breaches.
  4. Commit to alert our customers within 72 hours of any serious breach.
  5. Provide clear privacy policies, which are documented here.

Third party optional integrations in our App Center

CYPHER LEARNING products include a wide variety of optional integrations with third party products via our App Center, and most of these third party systems can be considered data processors. We do not warrant that these third party products are GDPR compliant, and expressly disclaim any liability for damages which may occur if those third party products are breached.

We also expressly disclaim legal responsibility for having to notify our data controllers or end users if third party systems that we provide optional integrations with via our App Center are breached. Our customers are expected to have a separate contract with each third party system that they integrate with CYPHER LEARNING products, and we recommend that our customers contact each of these third party providers to confirm that they are GDPR compliant.

Disclaimer

The information on this page is not legal advice for you or your company to use in complying with EU data privacy laws like the GDPR. The content on this page is meant only for educational purposes and to provide you with background information to help you better understand CYPHER LEARNING’s efforts to comply with the regulation.

References

  1. https://gdpr-info.eu/
  2. https://www.workplaceprivacyreport.com/2018/01/articles/international-2/does-the-gdpr-apply-to-your-us-based-company/
  3. https://gdpr-info.eu/art-4-gdpr/
  4. https://www.gdpreu.org/cumplimiento/multas-y-sanciones/
  5. https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  6. https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/
  7. https://www.i-scoop.eu/gdpr/right-to-data-portability/
  8. https://www.itgovernance.co.uk/blog/transferring-personal-data-under-the-gdpr/

For more details about GDPR, visit https://www.eugdpr.org/.