Community Hired & GDPR
What is the GDPR?
The General Data Protection Regulation (GDPR) took effect on May 25, 2018. This privacy law provides European individuals with certain rights over their personal data, including a right to access, correct, delete, and restrict processing of their data. The GDPR regulates the “processing” of data, which includes the collection, storage, transfer, or use of personal data about EU individuals. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU.
Community Hired GDPR Compliance
Are Community Hired partners GDPR compliant?
Yes. Community Hired only works with ad networks and communities who are GDPR compliant. Please see their individual websites for specific details on site-specific compliance.
General Information about GDPR
What is Personal Data?
The GDPR definition of personal data includes what we typically consider personally identifiable information (PII), such as name, passport number, birth date, etc., but it also includes data that we might consider to be non-PII, like IP addresses or device IDs.
For a comprehensive list of what the GDPR considers personal data, please read Article 4(1) of the GDPR. Additionally, included in the definition of personal data is a subset of data known as “special categories of personal data.” Special categories of personal data is a specific list of data, expressly set out in the GDPR, and includes things like race, religion, political opinions, health data, etc.
Key Principles of the GDPR
- Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
- Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
- Personal data held needs to be kept up-to-date and accurate. It should be held no longer than necessary to fulfill its purpose.
- EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.
- All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer (DPO).
How GDPR may relate to your site
What is a Data Controller?
If you are a Community Hired partner that collects data from EU subjects, under the GDPR, you are considered a data controller. The controller is a person or organization that determines the purpose of processing personal data. You, therefore, have the responsibility to ensure that you are fulfilling your obligations under the new GDPR regulations which include maintaining the lawful processing of personal data of your visitors.
A Controller’s General Obligations
As a controller, you are required to process data in accordance with GDPR, including (but not limited to):
- Establishing a process to identify and report data breaches within the timeframes of the GDPR.
- Ensuring that the processed personal data is adequately protected.
- Informing your customers how their data is processed.
- Determining what personal data is processed and for what purposes.
Each of your EU customers has the following rights:
- Right of Information and Access
An individual can require information be given regarding the personal data that is being processed, including the purpose of the processing and how long the data will be retained.
- Right to rectification
An individual can require that incorrect personal data be edited.
- Right of portability
An individual can require personal data be provided so that it can be transferred to another data controller.
- Right to object
An individual may object to the processing of their data for direct marketing purposes and/or scientific, historical, research or statistical purposes.
- Right to erasure
An individual may require a controller to have personal data deleted if the processing of their data fails to satisfy the requirements of GDPR.
- Right to restriction of process
An individual may require the processing of their data be restricted when the processing is challenged.