What is GDPR?
The European General Data Protection Regulation (GDPR) is a regulation by which the EU governing bodies intend to strengthen and unify data protection for all individuals within the European Union (EU).
What is changing and why?
The current EU privacy rules are considered “directive,” which means that each EU member state takes guidance and operates independently. GDPR is a “regulation,” which means it doesn’t require any legislation to be passed by individual member states and it directly replaces existing national law.
Effective May 25, 2018, the new regulation is designed to give control back to citizens and residents over their personal data while simplifying the regulatory environment for international businesses through unification within the EU.
How is Samba TV handling GDPR regulations?
Beginning in mid-2015, in preparation for launching in the EU, we began reassessing our privacy practices in order to align with current and future EU privacy directives.
At that time, there was still a significant amount of unknowns around the interpretation and requirements of GDPR. However, a few of the items we focused on and addressed included:
- Complied with the EU regulations which existed at the time and made efforts to “future-proof” against impending GDPR changes
- Redesigned our opt-in and introduced additional user choices and controls via both in-app settings and internal processes
- Introduced additional user rights such as the right to erasure, subject access rights and data portability
In June 2017, we began re-assessing our privacy practices, processes, and policy; we hired Phil Lee of Fieldfisher as our EU privacy counsel and retained privacy experts from Canada, Australia, Brazil, and Argentina to review our policies and practices in the context of the privacy laws of those countries.
Most recently, we hired a Data Privacy Officer (DPO) and will continue with, among other things, data protection impact assessments, data mapping, Privacy Shield certification and internal data protection policies.
Key Concepts & Terms
- Controller – an entity that determines the purposes and means of the processing of personal data. In other words, the controller determines “why” and “how” data is processed. Samba is primarily a controller.
- Processor – an entity which processes personal data on behalf of the data controller. It has no autonomy to process personal data for its own purposes. In some cases, Samba is a processor.
- Personal data – any information relating to an identified or identifiable natural person. This includes obviously personal identifiers such as names, email addresses and contact details, as well as less obvious personal identifiers such as IP addresses, online and unique device identifiers, adIDs, GUIDs and hashed/encrypted data.
- Lawful basis for processing – controllers must meet one of six specified lawful grounds in order to collect and use personal data. No single basis is better or more important than the others, and which basis is most appropriate to use will depend on a company’s purpose and relationship with the individual.
Most lawful bases require that processing is necessary; if you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
At Samba TV, consent, legitimate interests and contract are most applicable to our offering:
- Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which s/he, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.
- Legitimate interests: The GDPR enables data controllers to process personal data which “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
- Contract: “If you are an individual from the EEA, our legal basis for collecting and using your personal information will depend on the personal information concerned and the specific context in which we collect it. However, we will normally collect personal information from you only where: 1) we have your consent to do so, 2) where we need the personal information to perform a contract with you (such as delivering the Services to you), or 3) where the processing is in our or a third party’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you, or may otherwise need the personal information to protect your vital interests or those of another person.”
- Privacy notice – controllers must provide a privacy notice to data subjects explaining how personal data is collected, used and disclosed. GDPR mandates specific disclosures.
- International data transfers – requires an appropriate data export solution (EU Model Clauses and/or Privacy Shield) for transferring personal data outside of the EU (or accessing it from outside the EU).
- Choice – provide users with an adequate amount of choice through opt-in and in-app settings. At Samba, because of our direct relationship with the consumer through our branded opt-in, interactive TV features and consumer applications, we’ve always believed that privacy and consumer trust are an essential focus, and we have been transparent and provided customers opt-in choice from day one.
- Data subject rights – controllers must enable data subjects to exercise certain rights in respect of their personal data, including rights of access, rectification, erasure, restriction of processing, objection to processing, and data portability.
- Processor contracts – contracts between controllers and processors must contain certain terms relating to the processor’s handling of personal data, which are much more substantial under GDPR.
- Security and breach notification – requires formal policies to protect personal data from security incidents and to handle breaches. Notifications to supervisory authorities and/or data subjects within 72 hours.
- Data Protection Officer (DPO) – required where the core activities consist of the regular and systematic monitoring of personal data on a large scale.
3 Key Concepts
- The current EU privacy rules are considered “directive” whereas GDPR is a “regulation.”
- Companies must provide clear notice to their customers of the purpose for which their data is being collected and consent must be “freely given, specific, informed and unambiguous.”
- Choice (opt-in) is the core tenet of GDPR and is the idea that information sharing will not occur unless consumers affirmatively allow it or request it.