Answers to the most frequently asked questions on the GDPR and OBI4wan
Like many other organizations, OBI4wan is getting ready for the GDPR, the new laws and regulations surrounding privacy and personal data that will take effect on May 25th, 2018. In this blog we will gladly guide you through the new regulations and what they mean for us and our clients.
What is the GDPR (General Data Protection Regulation)?
The protection of personal data is a fundamental right proclaimed in the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union. The General Data Protection Regulation is a European law that regulates the protection of this fundamental right.
From May 25th onwards, the regulation is directly applicable throughout the European Union and replaces the Dutch Personal Data Protection Act. The Dutch Personal Data Protection Act was based on the precursor of the general regulation, the Data Protection Directive No. 95/46/EC of the European Union.
Is OBI4wan ready?
Since the summer of 2017, OBI4wan has been actively preparing for the commencement of the GDPR. OBI4wan has always invested time and money in system and data security. On its own account, OBI4wan collects data from public sources such as Twitter, Facebook, blogs and forums. These messages usually come from natural persons who can be traced through a Twitter handle, Facebook name or biography information on the social media platform.
In itself this is not an issue, as long as the collection and processing of this data serve a legitimate purpose. OBI4wan's legitimate purpose is set out in our Privacy Statement. For this data, OBI4wan acts as both data controller and data processor, so all responsibilities regarding data protection are carried by OBI4wan.
But aside from the public data that is collected, your organization (the client) also collects private data from natural persons through channels such as Facebook Messenger, Twitter DM chat, and WhatsApp. Think, for example, of an e-mail address, bank account number, birthdate, etc. This data is also recorded in the solutions of OBI4wan. For this information, your organization (the client) is the data controller and OBI4wan is the data processor. Your organization must therefore comply with the data controller's duties, and OBI4wan must comply with the data processor's duties.
A manual setting out the responsibilities of both the data processor and the data controller can be downloaded from the government.
Your task as an organization
We advise you to go through the government's manual thoroughly and to discuss internally whether your organization meets all criteria for complying with the GDPR and whether all provisions will be in place before May 25th, 2018.
Secondly, it is of the utmost importance to conclude a data processor agreement with all parties involved in data processing for your organization, including OBI4wan if you have not done so already. If your organization does not have a standard processor agreement, we can provide you with a template standard processor agreement.
The risks of doing nothing
The Dutch Personal Data Authority (DPA) is responsible for supervising the processing of personal data to ensure compliance with the GDPR. Whenever an organization has not taken demonstrable measures to protect the data of natural persons, or does not comply with the directives, administrative fines can be imposed.
Violations of the provisions on the principles, legal bases and rights of the parties concerned can be sanctioned with administrative fines of up to 20 million EUR or 4% of the worldwide annual revenue, if the latter is higher.
Given the above, it is clear that following through on compliance measures is highly recommended.
Forming a processor agreement with OBI4wan
We will gladly conclude a processor agreement with your organization. To arrange this, please contact us!