Personal data and their protection in the EU/EEA
GDPR aims to protect the fundamental rights of EU citizens (data subjects) by focusing on their personal data. Personal data covers any information related to a natural person that can be used to directly or indirectly identify the person. The EU Charter of Fundamental Rights (2000) stipulates that EU citizens have the right to protection of their personal data:
(1) Everyone has the right to the protection of personal data concerning him or her;
(2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
These rights, which have so far been secured by EU and national laws, will be further strengthened by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter GDPR).
GDPR came into force on 24 May 2016 and will apply from Summer 2018 in Norway too. It applies to any company operating in the EU/EEA region as well as to companies offering products or services to European citizens.
GDPR applies equally to data controllers (which are liable for obtaining consent from EU citizens to handle their personal data) and processors, like ReCheckit (which do not necessarily have direct contact with data subjects but have access to their personal data). Both sets of actors are obliged to ensure that EU citizens’ personal data are processed in accordance with the principles defined in the GDPR.
GDPR compliance at ReCheckit
As prompted by its core business activities, ReCheckit is a data processor that does not collect personal data directly from EU citizens in a business context. Customers/users buy products or services online on ReCheckit clients’ websites and they give their consent to these companies. Depending on the nature of its product/service offered to its clients, however, ReCheckit may or may not access personal data collected by its clients, that is, by data controllers.
- OnSite services do not require identification of the data subject (client’s customers), thus data subjects cannot claim their rights as they are not identified, and no personal data is collected.
- In other services (such as OnSite services using personal data and abandonment emails) the applied data processing makes it possible to identify the data subjects if required by ReCheckit clients (data controllers) or by the data subjects.
The legally and technically transparent relations between the data controller and the data processor are secured by a binding contract between ReCheckit (as data processor) and its clients (as data controllers).
This contract serves as the legal basis of data processing. It also sets out the division of labour between ReCheckit (as data processor) and the data controller (to whom the private individuals as customers gave their consent), the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the Controller and those of ReCheckit, in line with Article 28(3) of GDPR. This agreement and the general GDPR policies, organizational and technical measures applied at ReCheckit jointly serve ReCheckit clients and their customers/users with the best possible data protection.
ReCheckit will retain any personal data for as long as necessary for its business purposes and according to mandatory legislation. Personal data is retained/deleted according to the following guideline:
| Type of personal data | Storage time |
|---|---|
| Email address and first name collected in relation to abandonment services (email) | As long as the DPA with Client is in force and in line with the details specified in the DPA (maximum 1 year) |
| Name, phone number, e-mail address collected in relation to abandonment services (onsite) | As long as the DPA with Client is in force and in line with the details specified in the DPA (maximum 2 months) |
| Cookies | Generally, cookies are not used. When in use, retention period is 30 minutes. |
| IP address | Dropped immediately upon receipt by the first web server without further processing. |
ReCheckit does not share personal data with third parties unless required in order to perform a contract with the customer, or for legal reasons. We may use third party data processors to collect, store or in other ways process personal data. ReCheckit has entered into data processing agreements with all data processors we work with in order to ensure information security. As of today, ReCheckit works with the following categories of data processors: Cloud services provider (Amazon Web Services), Office service and software provider (Microsoft), IT service providers supporting internal collaboration and internal procedures. ReCheckit does not transfer personal data to countries outside the EU/EEA.
Data subject rights are detailed in Chapter 3 of GDPR. These include, among others, individual customers’ rights to access, rectification, erasure, objection to processing and data portability. ReCheckit does not transfer personal data to any third parties, either inside or outside the EU.
Private persons are advised to contact ReCheckit clients, to whom they gave their consent, if they want to claim their rights (to have their personal data deleted or rectified, for example). In any other case, questions should be addressed to the following parties:
- ReCheckit AS: Sørkedalsveien 10D, 0369 Oslo (firstname.lastname@example.org)
- Foresight AS (ReCheckit’s external DPO): Høffsveien 1a, 0275 Oslo (email@example.com)
- Datatilsynet (supervisory authority): https://www.datatilsynet.no/om-datatilsynet/kontakt-oss/
In order to contribute to the protection of fundamental rights in line with GDPR, ReCheckit does its best to adhere to the legal and technical developments by raising awareness among its staff and by applying the necessary organizational and technical measures within its systems.
ReCheckit may change this policy from time to time in the future. Any such changes will be posted on this website. Please check back frequently to see any updates or changes.