No. The GDPR does not mandate specific security measures. Instead, the GDPR requires organizations to take technical and organizational security measures which are appropriate to the risks presented. Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance. The following are kinds of security actions considered “appropriate to the risk” (1) the pseudonymization and encryption of personal data (as mentioned); (2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (3) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Does the GDPR require encryption of all personal data?
As an owner of the data (e.g. data subject) located in the EEA, do I have the absolute right to be forgotten? Putting another way, is Sencha obligated to delete all my personal data upon my request?
No. The right to erasure (or right to be forgotten) is not absolute. Sencha may refuse to honor the request if continued processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which Sencha is subject. In addition, Sencha can refuse to honor the request for the establishment, exercise or defense of legal claims. Therefore, several relevant factors have to be taken into account when considering a request for deletion of personal data by the data subject. Note, however, that data subjects have an absolute right to prevent their personal data from being processed for direct marketing purposes.
What is the difference of ‘data controller’ and ‘data processor’?
Data Controller is the owner of their information and decides how that information should be used. Data Processor is an entity who processes the personal data of the Data Controller and carries out instructions of the Data Controller with regard to this data. Generally speaking, when Sencha collects data from a customer in order to create an account, Sencha will be the Data Controller. Formal definitions from the GDPR full text may be found at https://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
Is it required to have consent from individuals to process their personal data?
Consent is only one of the legal bases a company can use for the processing of personal data. For example, Sencha can process personal data (A) when necessary for the performance of a contract to which the data subject (the individual whose data is processed) is a party; (B) when there is a legal obligation to do so (such as the submission of employee data to a tax authority); and (C) sometimes even on the basis of legitimate interests, such as commercial and marketing goals. The legitimate interest must, however, outweigh any detriment to the privacy of the data subject.
Does the GDPR apply to company that is established outside the European Union?
Yes. The GDPR applies to all companies regardless of where it is located to the extent Sencha process personal data in the context of (A) offering goods and services (whether paid or not) to people in the EEA; or (B) monitoring the behavior of people in the EEA, for example by placing cookies on the devices of EEA individuals.
Does my data need to be stored in Europe?
No. The GDPR does not contain any obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA. The GDPR does not invalidate or override the EU Model Clauses or the EU-U.S. and Swiss-U.S. Privacy Shield Framework, which are both legally valid mechanisms to ensure the legal transfer of personal data into and out of the EEA.