What is GDPR?
The EU General Data Protection Regulation, better known as GDPR, is one of the most comprehensive privacy and security laws in the world, effective as of May 25, 2018. This regulation was implemented by the EU to harmonize data privacy laws across Europe, protect and empower all EU citizens’ data privacy, give people more control over their personal data, and reshape the way organizations approach data privacy. GDPR applies to all organizations operating within the EU as well as to non-EU organizations offering goods or services to, or monitoring the behavior of, data subjects in the EU.
At TPConnects Technologies LLC (“TPC”), we have worked hard to become GDPR compliant, as this new regulation affects us too. Given the importance of GDPR for our customers, partners, and other relevant stakeholders, this page aims to promote transparency and understanding, and to provide ongoing updates on how TPC is approaching GDPR compliance, now and in the future.
Who does GDPR apply to?
GDPR applies to any entity or company that processes personal data as part of business activities within the EU. The regulation also applies when an organization is not established in the EU but still offers products or services to, or monitors the behavior of, individuals within the EU.
In other words, GDPR applies to both Data Controllers and Data Processors. A Data Controller is an individual or organisation that determines alone or jointly the purpose and the way personal data is processed. A Data Processor is an individual or organisation that processes personal data on behalf of the Data Controller. This means that TPC acts as both a Data Controller and a Data Processor.
TPC is a Data Processor when providing the Airline Solutions, viz. Offer and Order Management, NDC Booking Portal creation, Content Aggregation and B2B solutions, as we store and process personal data of our customers in line with their documented instructions.
How does GDPR affect data transferred outside of the EU?
GDPR allows personal data to be processed outside of the EU when specific arrangements are made to ensure an adequate level of data protection. TPC has data processing agreements in place with its relevant processors and controllers (including Standard Contractual Clauses for data transfers between EU and non-EU countries) to help safeguard situations in which personal data is transferred to third countries that do not provide a level of protection similar to GDPR.
Rules that companies/entities must adhere to
Personal data must be processed in a lawful and transparent manner; there must be specific purposes for processing the data and those purposes must be indicated to individuals when collecting their personal data; only the personal data that is necessary to fulfil a purpose can be collected; personal data cannot be stored longer than necessary for the purposes for which it was collected; and organizations must install appropriate technical and organizational safeguards that ensure the security of the personal data.
How does TPC comply with the GDPR and Local Privacy Laws?
Whether we are offering our products and solutions to customers, partnering with other businesses, contracting with suppliers, or hiring new people: TPC collects, uses, processes, transfers, and stores personal data.
TPC identifies all the personal data that is being processed and defines the purpose of this processing in order to determine how the collected data is used and provide appropriate visibility and transparency.
TPC has been enhancing and improving its systems and procedures to ensure compliance with GDPR principles, which serve as the baseline framework for our privacy compliance activities across our system, data, and business practices. However, we also take into account local data protection law requirements, which may be more stringent than GDPR, and ensure our framework contains the necessary flexibility to comply with those requirements. For example, personal data protection laws in certain jurisdictions may have requirements that diverge from GDPR and are stricter in nature, such as the inclusion of deceased individuals’ personal data in KSA’s Personal Data Protection Law (PDPL).
Additionally, because data privacy also requires strict data security, TPC has implemented processes and procedures to ensure the necessary security levels, i.e. encryption and anonymization of personal data, the creation of processes for data breach notification activities, and the advancement of employee awareness.
Disclaimer: Please note that this page simply provides background information to help you understand how TPC addresses some legal points regarding GDPR and is not legal advice.