| Article(s) | What the article covers | kooble's position / action |
| --- | --- | --- |
| Articles 1, 2, 3, 4 | Subject matter, scope (material and territorial) and definitions | kooble have read and understood these articles. |
| Article 5 | Principles relating to the processing of personal data (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability) | kooble have made sure that key decision makers are aware that the law is changing and have identified areas that could cause compliance problems under the GDPR. kooble employees who handle the personal data of other employees or of customers will receive training to ensure that they handle that data in accordance with the GDPR. |
| Article 6 | Lawfulness of processing. At least one of the following legal bases must apply for processing of personal data to be lawful:<br>- Consent of the individual<br>- Performance of a contract with the individual<br>- Compliance with a legal obligation<br>- Protection of vital interests<br>- Performance of a public task<br>- Legitimate interests of the controller or a third party (not overridden by the individual's rights) | kooble has:<br>- Audited its use of personal data to assess which lawful processing grounds it currently relies on and whether they remain valid under the GDPR<br>- Trained staff so that they are aware of the legal processing grounds<br>- Begun the process of obtaining renewed consent where consent is the basis relied on |
| Article 7 | Conditions for consent where the organisation relies on the individual's consent to process his/her personal data. Consent must be:<br>- Unbundled from other terms and conditions<br>- An active opt-in (no pre-ticked boxes or inactivity)<br>- Granular (separate consent for separate purposes)<br>- Named (the controller and any third parties relying on the consent are identified)<br>- As easy to withdraw as it was to give<br>- Documented, so that consent can be demonstrated | kooble has reviewed its methods for seeking, obtaining and recording consent to ensure compliance, and has implemented explicit, affirmative consent through check boxes and clear privacy policies. kooble have audited all the actions that users can take, from signup to account deletion, and ensured that each step complies with the conditions for consent. |
| Article 8 | Conditions applicable to a child's consent in relation to information society services | kooble are awaiting clarification from the DPO. |
| Article 9 | Special categories of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health (physical or mental), and data concerning a person's sex life or sexual orientation | kooble do not collect or process this information and will not do so. |
| Article 10 | Personal data relating to criminal convictions and offences or related security measures | kooble do not collect or process this information and will not do so. |
| Article 11 | Processing which does not require identification | kooble will examine every data subject's request with respect. However, where kooble can demonstrate that it is not in a position to identify the data subject, the rights under Articles 15 to 20 do not apply unless the data subject provides additional information that enables identification; in those cases the data subject's rights and kooble's obligations are limited accordingly. |
| Articles 12-14 | Transparency and privacy notices. Where data is obtained from the data subject, the notice must be given at the time of collection (Article 13); where it is obtained from elsewhere, within a reasonable period and at the latest within one month (Article 14). | kooble are currently modifying their booking process to include clearer links to their privacy policies at the point where personal data is collected. |
| Articles 15-23 | Rights of the individual to:<br>- access their information;<br>- have inaccuracies corrected;<br>- have information erased;<br>- restrict processing;<br>- object to processing, including to direct marketing;<br>- not be subject to solely automated decision making, including profiling;<br>- data portability. | kooble will enable employees and customers to request the personal data the company processes about them. Trained personnel will respond to requests without undue delay and within the one-month timeframe (extendable by a further two months for complex or numerous requests, provided the requester is informed within the first month). Users will be able to request exclusion from any personalisation. |
| Article 24 | Responsibility of the controller (the definition of a controller is in Article 4) | kooble acts as a data controller and will implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the GDPR. |
| Article 25 | Data protection by design and by default | The following guidelines will be applied during the software development process:<br>- Training<br>- Design: all design decisions will take the GDPR into account<br>- Coding: approved tools and frameworks will be used<br>- Testing: verify that data protection and security requirements have been implemented<br>- Maintenance: kooble should be prepared to respond to incidents, personal data breaches, faults and attacks, and be capable of issuing updates, guidelines and information to users and to those affected by the software |
| Article 28 | Obligations of processors and of controllers that engage them | kooble will comply with the legislation when processing data, will use only processors that provide sufficient guarantees of GDPR compliance, and will bind any such third parties by a written contract setting out the terms required by Article 28(3). |
| Article 30 | Records of processing activities: all personal data processing activities shall be recorded. | The exemption for organisations with fewer than 250 employees is claimed by kooble. Note that under Article 30(5) the exemption is lost where processing is likely to result in a risk to individuals' rights, is not occasional, or involves special-category or criminal-offence data, so kooble should check that the exemption actually applies to its routine processing of customer data. In any case, implementation of the rest of this roadmap should see kooble comply with this article. |
| Articles 33-34 | Personal data breaches | kooble will ensure that there are procedures in place to detect, investigate and report on any personal data breach: notification to the supervisory authority within 72 hours of becoming aware of it (Article 33), and communication to affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34). |
| Articles 35-36 | Data protection impact assessment and prior consultation | Not applicable, as the data processing done by kooble is not considered high risk. |
| Articles 37-39 | Designation, position and tasks of the data protection officer (DPO) | Mandatory designation does not apply to kooble, but kooble will train relevant staff in data protection matters. |
| Articles 40-43 | Codes of conduct and certification mechanisms | kooble will adhere to appropriate codes of conduct and certifications. kooble also maintains PCI DSS compliance for payment-card data; note that PCI DSS is a separate industry standard and not a GDPR-approved code of conduct or certification under these articles. |
| Articles 44-50 | Transfers of personal data to third countries or international organisations. As a general rule, transfers of personal data to countries outside the EEA may take place where the European Commission has decided that the country ensures an "adequate" level of data protection (the current list of adequacy decisions is published by the Commission). | kooble will:<br>- Identify and map all cross-border data flows.<br>- Examine and assess for each of these flows whether (i) the receiving country is an EEA Member State or deemed "adequate", (ii) if not, whether "appropriate safeguards" (such as standard contractual clauses or binding corporate rules) have been put in place, and/or (iii) if not, whether any specific derogations apply.<br>- Adhere to approved codes of conduct or certification mechanisms. |
| Articles 51-99 | The remaining articles cover:<br>- Independent supervisory authorities<br>- Cooperation and consistency<br>- Remedies, liability and penalties<br>- Provisions relating to specific processing situations<br>- Delegated acts and implementing acts<br>- Final provisions | kooble have read and understood these articles. |