GDPR
GDPR is an EU law with mandatory rules for how organisations and companies must use personal data in an integrity-friendly way. Personal data means any information which, directly or indirectly, could identify a living person. Name, phone number, and address are schoolbook examples of personal data. Interests, information about past purchases, health, and online behaviour are also considered personal data, as they could identify a person.
Processing data means collecting, structuring, organising, using, storing, sharing, disclosing, erasing and destroying data. Each organisation that processes personal data (which is every organisation with employees and customers) must ensure that the personal data it uses fulfils the requirements of the GDPR. In a nutshell, the main requirements of the GDPR are as follows:
- The GDPR applies in all EU Member States.
- Our use of personal data is in line with integrity-friendly principles. For example, processing must have a defined purpose. Thus, we do not collect personal information “just in case” we might need it later. We are honest, open and transparent about how we use data. You have a right to know how your data is being used, and you have a say in this matter. We only store personal data as long as it is necessary, and it is held in a safe and secure manner.
- Our use of personal data must be legal. The GDPR sets out six alternative legal bases for processing (for example consent).
- Our use of personal data is respectful of individuals’ rights. The GDPR provides each person with certain rights over their personal data. You have the right to gain access to your personal data. You have a right to know how we are using your data, and to object to the processing of your data.
- Personal data breaches will be reported within 72 hours. If personal data is disclosed, accessed, changed or stolen we will act, even if the breach happened at one of our suppliers (e.g. Homestay coordinator). In the event of loss of sensitive data, such as health or financial data, the incident will be reported to the relevant authority and each affected individual within 72 hours.
For further information on GDPR, please see:
- Complete guide to GDPR compliance
- What is GDPR
- Everything you need to know about the “Right to be forgotten”