European Union’s General Data Protection Regulation (or GDPR)
The Regulation will take effect on 25th of May 2018
The MOST serious infringements will be subject to fines capped at a maximum of €20million or 4% of total worldwide turnover, whichever is the highest. Can be lesser in some cases.
Who is protected by GDPR?
The GDPR applies to processing of personal data of EU citizens.
Is GDPR retrospective?
Do I need to appoint a DPO?
Data Protection Officer is not complusory. Only companies with large scale collection or processing of personal data.
The regulation does not define. But a useful reference and analysis is at PDF
What is a breach under GDPR?
Applicable terms for Hong Kong and Singapore Companies
GDPR defines it as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.” Under GDPR, entities have only 72 hours to notify a supervisory authority, which is also known as a data protection authority (DPA). Data controllers are required to report breaches to the authority, while processors must report them to their controllers.
Hong Kong and Singapore companies also have a clear idea of who to report breaches to, since GDPR requires companies with an obvious European footprint to designate an EU representative who would then report to the DPA in their member state.In addition to self-reporting the breach, GDPR says that companies must notify the impacted data subjects through a notification letter.
According to GDPR, the notification must:
Describe the nature of the personal data breach including where possible,the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Cloud computing has become an essential element of the IT sourcing strategy for many companies.
IT, legal and procurement staff in these companies are therefore faced with the fact that comprehensive know-how in many areas — not only in technology — is now necessary if cloud services are to be used responsibly, economically and in a way that is legally compliant with the locally applicable regulation frameworks.
Cloud services provide a high potential for increasing efficiency in the business world. However, from a data protection perspective, the following aspects are identified as critical:
Risk due to involvement of a third party: With the Cloud Service Provider (CSP), a third party becomes involved in the processing of personal data by the Cloud Service Customer (CSC). From the point of view of the affected person whose rights are to be protected, this represents an increase in the risk that unauthorized persons might be able to access the data being processed.
Loss of control: An increase in the number of people authorized to access the processed data means an increase in the challenge of committing all involved persons to act according to data protection laws, as well as the challenge of verifying the observance of all data protection obligations. The term “loss of control” refers to the fact that the affected person often does not know who the authorized third parties are, or has no way of monitoring them.
The European General Data Protection Regulation (GDPR) that will become binding in all EU countries on 25 May 2018 establishes fundamental and modern technical, economic and legal framework conditions. With it, the EU is sending a clear and globally recognisable signal showing how a society can react to quickly developing technical possibilities and their consequences for the people within it. The resulting challenges for providers and users of modern IT services alike should not be underestimated, and to prepare for these challenges ahead of time is a must.
Reference: https://cloudprivacycheck.eu/ and https://martechtoday.com/now-that-gdpr-is-here-what-do-us-companies-do-if-they-have-a-breach-217121
Effective on: 2020-09-02
Introduction and Scope
Hoplite Technology Limited ("Hoplite," "we," "us," "our") takes the protection of personal data very seriously. Hoplite Technology is the developer of Anti-Phishing Bot. This Privacy Notice (the "Notice") addresses data subjects whose personal data we may receive in our Anti-Phishing Bot software application (the "Service"). This Notice does not apply to personal data we collect by other means, such as personal data that we receive directly through Hoplite's own publicly accessible website.
What Information does Hoplite Collect?
We receive and store any information you knowingly provide to us. When you create a new Hoplite or Anti-Phishing Bot account, we will solicit your consent to connect your Gmail, Google Suite, Microsoft 365 or Outlook account to your Hoplite APIs, thereby providing us with access to your email headers and meta data. We access and store a subset of data from your Gmail, Google Suite, O365 or Outlook account to provide you with our Services.
The App will only use access to read, write, modify, or control Gmail, Google Suite, Microsoft 365 or Outlook message bodies (including attachments), metadata, headers, and settings to provide a web email client that allows users to compose, send, read, and process emails and will not transfer this Gmail, Google Suite, Microsoft 365 or Outlook data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
Hoplite acts as an agent, also known as a data processor, for the PII we process for our customers through the Service. This means that Hoplite’s customers determine the type of PII they provide to the Service for Hoplite to process on their behalf. Hoplite generally has no direct relationship with the individuals whose PII it receives from its customers and Hoplite’s customers are responsible for providing notice to the individuals whose PII will be collected and provided to Hoplite.
Purpose of Processing PII
We process PII submitted by our customers for the purposes of providing the Service to our customers, which typically involves our anti-phishing program.
Basis of Processing
Within the scope of this Notice, we process PII based on the documented instructions of our customers.
We delete the PII submitted to us by customers and business partners within 90 days of receiving a request to delete from our customers or the data subject unless applicable law requires a different retention period.
Sharing PII with Third Parties
We share PII with our corporate affiliates and our service providers, who process PII on behalf of Hoplite, and who agree to use the PII only to perform the Services for us or as required by law. Our service providers include businesses that provide:
internet hosting and infrastructure services;
office management services; cloud storage services; and customer service software.
Our service providers may be located within or outside of the United States; however, we will require that those third parties maintain at least the same level of confidentiality that we maintain for such PII.
Other Disclosure of PII
We may also disclose PII: to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders, provided that in such instances we may not be able to ensure that such recipients of your PII will maintain the privacy or security of your PII;
if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change; or to our subsidiaries or affiliates only if necessary for business and operational purposes.
We use and may transfer, sell, and share aggregated, anonymous data, which does not include any PII, about our Service for any legal business purpose, such as analyzing usage trends and seeking compatible business opportunities.
We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our Services are first-party cookies, since they are placed directly by us. Other parties, such as Microsoft, may also set their own (third-party) cookies through our Services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.
Data Integrity & Security
Hoplite has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect PII from unauthorized processing such as unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure.
Access, Review & Deletion
If we store PII about you, you may have a right to request access to, and the opportunity to update, correct, or delete, such PII. You may also have the right to opt out of having your PII shared with third parties and to revoke your consent that you have previously provided for your PII to be shared with third parties, except as required by law. You also have the right to opt out if your PII is used for any purpose that is materially different from, but nevertheless compatible with the purpose(s) for which it was originally collected or subsequently authorized by you. Requests should be sent to the Hoplite customer who provided your PII to Hoplite, or to Hoplite directly at firstname.lastname@example.org. Hoplite has limited rights to access PII our customers submit to our Service. Therefore, if you contact us with such a request, please provide the name of the Hoplite customer who submitted your PII to our Service. We will forward your request to that customer and provide assistance to our customers, as needed, as they respond to your request.
Inquiries or Complaints
In compliance with the Privacy Shield Principles, Hoplite commits to resolve complaints about our collection or use of personal data. For inquiries or complaints regarding our Privacy Shield policy, you may contact us by emailing email@example.com. Hoplite representatives will respond within 24 days.
Hoplite Technology Limited is subject to the investigatory and enforcement powers of the Hong Kong SAR Law.
Changes to this Notice
If we make any material change to this Notice, we will post the revised Notice to this web page and update the "Effective" date above to reflect the date on which the new Notice became effective.
If you have any questions about this Notice or our processing of your PII, please write to our privacy contact at firstname.lastname@example.org or by postal mail at:
Hoplite Technology Limited.
Unit 538 , 19W , Hong Kong Science and Technology Park
Please allow up to four weeks for us to reply.