The General Data Protection Regulation (GDPR) puts on us, as the Personal Data Administrator, specific responsibilities. All of them have the goal of securing the rights and freedoms of landing page users and our customers – in some way also the Personal Data Administrator and owner of the landing pages.
The GDPR is specifying and securing the rights of people that fall into the category of the protection of personal data. Here they are:
- Information obligation
The Personal Data Administrator has new obligations, according to the new law. Article 13, paragraph 1 and 2 of the GDPR lists necessary elements that you have to make people aware of (here: landing page user):
– identity and contact information
– information about personal data recipients or category of recipients
– the period through which personal data will be stored
– the right to demand from an administrator access to personal data regarding people they impact, the editing of it, removal and limits to a processing of it or the right to post an objection regarding processing and the right to move the data
– the right to withdraw legal consent at any moment without impacting alignment with the right to process having been made based on the agreement before its withdrawal
– the right to post a complaint to the supervisory authority information or handing the personal data is the legal obligation and the organization has the obligation to hand them over. There is also a case of consequences for not providing it.
- The right to access by the data subject
According to this law, the personal data user can obtain, from the data administrator, an answer to the question of how his or her data is actually processed. If that’s the case, this person has the right to obtain the following information:
– the goal of the data processing (marketing campaigns, agreement processing, etc.)
– personal data categories that fall into the category of processing (name, surname, physical address)
– information about recipients or categories of recipients (for example companies in a group, the main company and its subsidiaries) that will receive this data, especially about receivers outside of the European Union (EU) (so-called third countries)
– the minimum estimated time or planned time period for storing personal data, and if it’s not possible, the criteria for establishing that period
– information about a user’s privileges: the right to demand rectification, remove or limit processing of the data and to post an objection in relation to that processing
– information about the right to post a complaint to the supervising authority
– if the personal data were not acquired from the person that they concern – all available information about the source from which the administrator acquired them
– information about an automated decision-making process (if one is currently underway by the administrator and it concerns this person), including profiling that is mentioned in Article 22, paragraph 1 and 4 of the GDPR and important information about the rules on making them and the importance and predicted consequences of this processing for a person this data concerns
– the right to have direct access to personal data.
- The right to rectification
According to Article 16 of the GDPR:
The person which the data concerns have the right to demand from an administrator immediate rectification concerning his or her personal data that are not correct. With processing in mind, the person which the data concerns have the right to fill in incomplete personal data, including presentation of additional statements.
Therefore our application’s customers will have the right to:
– edit personal data from a gathered lead
– change the data on an invoice.
- The right to erasure (the right to be forgotten)
According to Article 17 of the GDPR, every physical person can demand “to be forgotten” if keeping his or her data would violate the GDPR, the law of the European Union or the law of a member country which the administrator abides by.
Therefore our customers have the right to:
– erase a lead
– erasing the account from our platform, including all the data, without the possibility to get back the leads (naturally, there is the possibility of creating a new account, but it will be lacking previously acquired leads and created landing pages).
- The right to the restriction of processing
According to Article 18 of the GDPR, the person which the data concerns have the right to demand from an administrator restriction of the processing of the data under the following circumstances:
– the person which the data concerns questions the correctness of personal data – for a period of time that lets the administrator check the correctness of the data
– the processing is illegal and the person which the data concerns are opposing the eradication of data, demanding the limitation of its use
the administrator doesn’t need the personal data anymore but it is needed by the person which the data concerns to establish, pursue or defend a legal claim
– the person which the data concerns have submitted an objection based on Article 21, paragraph 1 against processing – until confirmation that claims on the administrator’s side override the claims of the person which the data concerns
Therefore a landing page owner using our platform has the right to erase the agreement on processing data based on a demand of the person that the data concerns, through the editing process in our application.
- Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16 and Article 18 to each recipient to whom the personal data have been disclosed unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
By taking steps connected to the last three points, a landing page owner is obligated to notify the user of having made a rectification, erasure or limiting the processing of his or her personal data.
- Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit said data to another controller without hindrance from the controller to which the personal data has been provided, where:
– the processing is based on consent pursuant to point (a) of Article 6 or point (a) of Article 9 or on a contract pursuant to point (b) of Article 6; and
– the processing is carried out by automated means.
Therefore Landingi’s customers have the right to move or copy the information on leads outside the platform. We allow data export in the form of a CSV file.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
Therefore a landing page user has the right to objection involving data processing.
The GDPR puts on us, as a company offering the Landingi platform, and on our customers, a number of legal obligations involved with adjusting the platform or processing data. Ultimately this new law protects all sides from making mistakes that come with insufficient security.
This is our last material concerning GDPR. The previous entries involved:
– the launch of GDPR and the consequences for entrepreneurs (interview with a lawyer),