The GDPR Policy page explains a few key concepts of the data protection regulation and outlines our company’s role as Data Processor and our approach to your privacy and data protection.Last updated in November 2019
What is the GDPR?The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations. The full text of the GDPR can be found here.
Does the GDPR apply to me?While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you. How does it work? The GDPR sets out obligations on Data Controllers, or those that determine the purpose and means of the processing of personal data of EU residents, and Data Processors, or those that process personal data of EU residents on behalf of Data Controllers.
How does it work?The GDPR sets out obligations on Data Controllers, or those that determine the purpose and means of the processing of personal data of EU residents, and Data Processors, or those that process personal data of EU residents on behalf of Data Controllers.
Data ControllerThe Data Controller determines the purposes for which and the means by which personal data is processed. So, if your company/organization decides ‘why’ and ‘how’ the personal data should be processed it is the Data Controller. Employees processing personal data within your organization do so to fulfill your tasks as Data Controller.
Your company/organization is a joint controller when together with one or more organizations it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.
Data ProcessorThe Data Processor processes personal data only on behalf of the Controller. The Data Processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The Data Processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorization from the Data Controller.
Opening and GDPRAt Opening we are committed to privacy of both our customers (and your customers, job seekers and employees). We are continuously reviewing our systems, processes, policies and documentation and updating them where necessary. Under the General Data Protection Regulation (GDPR), Opening is a Data Processor.
Opening processes the personal data on behalf of its customers, the Data Controllers of said data. As a Data Processor, Opening does not process said data except on instructions from the Data Controller. Processing resumes and other relevant information is a “legitimate interest” of a company (“controller”) who is trying to evaluate candidates for employment per Article 6; Opening does not need to obtain consent from job applicants to screen and rank their resume data. Opening has features to allow for the correction or deletion of personal data at predetermined time intervals as well as on-demand from our own systems per Article 17.