GDPR is a hot topic, and with communication and data at the heart of our business, Artesian has committed to transparency in our handling of it. Our official statement is available here and the following FAQs should provide additional clarity:
What is GDPR?
The General Data Protection Regulation (GDPR) is designed to provide privacy and protect the personal data of all EU residents. Individuals now have a greater say over how their personal data is collected, used, stored and disposed of – and all businesses have a legal responsibility to ensure they comply. This applies to all organisations, irrespective of location, even beyond the borders of the EU, when working with EU residents' personal data in any manner. It replaces the Data Protection Directive (DPD) and the UK Data Protection Act 1998.
Ok, so what do they mean by personal data?
Personal data is any information related to a person (or in GDPR terms, related to a ‘data subject’), that could be used to directly or indirectly identify that person. For example, names, photos, email addresses, computer IP addresses etc.
And who has the right to work with personal data?
Entities that are working with personal data will do so in one of two capacities. A controller is the entity that determines the purposes, conditions and means of the processing of personal data – this is regardless of whether they directly collect the data from data subjects. A processor refers to any entity that processes personal data under the instruction of a controller.
Is Artesian a processor or controller?
Artesian is both a processor and a controller. For example, our customers provide personal data, such as email addresses, to enable us to set up Artesian user accounts. Any action Artesian takes on a customer’s personal data is taken as a data processor only, and our Terms of Service have been updated to reflect that relationship. Artesian is also the data controller for some of the data in our service, as we determine its use.
I’ve heard consent is crucial to GDPR - how did Artesian get consent from every person you’re supplying personal data for?!
Consent is a cornerstone of GDPR, but it is a common misunderstanding of GDPR that consent is required for the processing of personal data. GDPR legislates that there must be a lawful basis to process personal data – and consent is only one of six grounds for processing. These are:
- Consent - the data subject has consented to such processing
- Contractual necessity - processing is necessary in order to enter into or perform a contract with the data subject
- Legal obligation - the controller has a legal obligation to perform the processing
- Vital interests - it is necessary to protect the "vital interests" of the data subject (usually in "life-or-death" scenarios)
- Public interest - processing is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest
- Legitimate interests - personal data may be processed on the basis that the controller has a legitimate interest in processing those data, provided that such legitimate interest is not overridden by the rights or freedoms of the affected data subjects
As both a processor and controller, Artesian has ensured a) that our processors (including our data suppliers) are GDPR compliant and b) that we have a legal basis for the processing of each type of data. That legal basis varies, depending on the data concerned. We have also put particular value on the rights of the data subjects; we have documented processes in place for reporting errors in data, data subject access requests and the right to erasure. More details on Artesian’s compliance are available in our statement.
But I can’t use the contact information I get from Artesian anymore anyway, can I?
This is another common misunderstanding, possibly due to a higher focus on B2C communication in GDPR articles. You absolutely can email corporate email addresses in the UK. While GDPR standardises the storing and processing of data, it does not impact whether you can email a corporate email address – this is regulated by the ePrivacy Directive, which has not changed. In the UK, the ePrivacy Directive’s requirement for consent does not apply to electronic marketing communications sent to corporate recipients (e.g. corporate email accounts such as email@example.com). However, you must include the sender’s identity and contact details. We have more detail on this here.
Does Artesian have a statement about your GDPR compliance?
We certainly do - you can find it here.
Have there been any changes post-Brexit?
The short answer is no – even though the UK is no longer part of the EU, the GDPR and all of the above continue to apply.
All the regulations (GDPR, PECR and the ePrivacy Directive) are based on EU law; however, they are written into UK law. The UK versions of these can be updated in the future, moving the UK out of line with the EU, but the fundamentals are likely to continue to be the same.
My details are on Artesian and they are wrong – what do I do?
No problem – just drop a note to firstname.lastname@example.org, giving us your details and the company they relate to, and we’ll investigate and get these updated for you.
My details are on Artesian and I want them removed!
We will look into it for you as a matter of urgency. Please email the details, including the person and company they relate to, to email@example.com. As long as it is not a matter of public record (for example, a Companies House director name and location), we will process the removal for you, and keep you updated as we do so.
I still want more information about Artesian and GDPR.
If you have any further questions, please get in touch with your Account Manager, or contact us here: firstname.lastname@example.org