GDPR guidelines
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation introduced to give individuals stronger control over the processing of their personal data. With GDPR in force, individuals can find out what information organizations hold about them, how it is being used, where it is stored, and for how long it is retained.
Who needs to comply with the GDPR?
Any organization that is based in the EU, or that offers goods or services to people in the EU or processes their personal data, must comply with GDPR, regardless of where the organization itself is located.
What data does GDPR apply to?
GDPR applies to any personal data processed by a person or organization. Data such as name, address, email address, phone number, postal code, location, physical or behavioural traits, health data, academic records, income records, and any other information that can be used to identify a natural person directly or indirectly is considered personal data. It is worth noting that online identifiers such as cookies, mobile device identifiers, and IP addresses also come under the purview of this regulation.
Who are the stakeholders involved?
Stakeholders in GDPR can be divided into four groups:
- Data controllers: Organizations that decide why and how personal data is processed. Data can only be processed if there is a lawful basis for doing so. Consent, performance of a contract, and legitimate interest are three of the six lawful bases that organizations can rely on for processing personal data:
  - Consent: Consent must be freely given, specific, informed, and unambiguous. It must also be as easy to withdraw consent as it was to give it. The method of obtaining consent may vary depending on the service the user is using and the situation in which consent is obtained.
  - Performance of contract: Processing data that is necessary to perform a contract with the data subject, or to take steps at their request before entering into one.
  - Legitimate interest: Processing data for a specific purpose in the organization's (or a third party's) legitimate interest, provided that an assessment balancing that interest against the rights and freedoms of the data subject comes out in favour of the processing.
- Data processors: Organizations that process personal data on behalf of data controllers. A written contract between controller and processor is key to passing the controller's data protection obligations on to the processor. Personal data must be processed securely and lawfully by the data processor.
- Data subjects: The customers or end users whose data is processed. They have the right to know how their data is being processed and for what purpose. They also have the rights provided by the law, such as the right to access, rectify, object to, or restrict processing of their data, and the right to erasure.
- Supervisory authorities: Regulators appointed by national governments to monitor the consistent application of the regulation and to issue fines and penalties to organizations that fail to comply.
Where is my data located?
The data of zoho.com customers resides in our US data centers and the data of zoho.eu customers resides in our EU data centers.
Learn more about how Zoho has ensured we are GDPR compliant.
Disclaimer: The content presented here is not to be construed as legal advice. Please contact your legal advisor to learn how GDPR impacts your organization and what you need to do to comply with GDPR.
GDPR compliance and Zoho Marketplace: What partners and developers should know
Partners and developers should keep the following key points in mind.
When submitting an application, the developer or partner must clearly specify the personal information the application requires from the user. The privacy policy and terms of use must also clearly state how personal data will be used and stored. If you are developing an app, you should apply data minimization: collect and use only the data needed at that point for that particular operation.
After the application is submitted, it will go through a routine review process. In the privacy and security testing phase of the review, the developer will need to provide information about where the data will be stored. If you are managing customer data, storing it in databases, or monitoring or analyzing it, you will need to specify the locations where the data will be stored.
It is also mandatory to obtain the customer's consent before collecting their personal information.