GDPR (General Data Protection Regulation)

Everything you need to know about the General Data Protection Regulation and how to be compliant with Erply

1 The regulation defines "personal data" as:
Any information that allows to identify a person is considered personal information. Personal information may be, for example:
- Car registration plate number. (The owner can be looked up in the vehicle registry.)
- Loyalty card number. (It allows to look up a customer in Erply.)
- Username. (Some users may have chosen a username that contains their true name.)

Only persons can be data subjects, not companies. However, a company may have representatives — and the information of those representatives is also personal information that needs protection.

A customer card in Erply does not classify as personal data if all personally identifiable information has been removed. In this case, the customer card cannot be associated with any actual person.

Any information that allows to identify a person.
Any information that an individual would like to protect.
Only data that directly or indirectly reveals someone's racial or ethnic background, religious views, or health.
2 According to the new regulation, what is processing of personal data?
Any operation done with personal data always counts as processing. It does not matter if the data is being changed or not.

In Erply point of sale, data processing activities may include:
- Creation of a new customer.
- Opening and viewing customer's profile.
- Editing customer's profile.
- Looking up a loyal customer.
- Processing a sale.
- Entering customer's information on the sales document manually (into the notes, for example).

Any operation performed with personal data.
Any operation performed with personal data, except deletion;
Only operations in which the data is being shared on social media or transferred over email or the Internet;
Only operations in which the personal data is used for the purposes for which it was collected.
3 When a customer submits their personal information, the data controller is required to ask for customer's consent. Which of the following statements are correct?
Customer must give the consent freely. They must have a choice whether to disclose the information or not, except if it is not possible to provide the product or service otherwise.

Collected information must have a purpose, and you must not ask more information than the particular purpose requires. Each purpose must be presented separately.

An example purpose might be "sales to a loyal customer" (who in turn gets respective benefits: loyal customer's discounts).

For marketing purposes, the customer must give consent separately for each marketing channel.

When the purpose (for which the data was collected) changes, consent must be acquired again.

Before asking for consent, the customer must be informed of what the information will be used for, and what are their rights (right to update or revoke their data, to get an electronic copy of their information, to object to processing, to withdraw their consent etc.). The consent must be documented so that it could be proven later that the customer has agreed to processing.

A consent must be informed, unambiguous, freely given, and associated with a specific purpose.
A consent is a data processing agreement which clearly specifies the processed data and in which the data in question has been provided by the customer. Any controller or processor can use the data.
When the processing purpose changes, the data controller can also use the personal data for the new purpose.
4 Consenting to data processing. Which of the following statements are correct?
When asking for a customer's personal information, you need a proof which indicates that the customer gave their permission to use that data. This can be a paper registration form, or a timestamped entry in a database. The consent is valid until the person withdraws it or the agreement ends. A consent can be withdrawn at any time.

If the product or service that you are selling does not directly require the information you want to collect (eg. if customer can consume the service or make the transaction anonymously, too), then the request for additional information (and the consent to process it) must be clearly separated.

To collect and process data of children, a parent's or guardian's consent is required. The minimum age at which a person can themselves give consent varies by country; check your local legislation.

The data collector has to be able to provide proof that the data subject gave a consent.
The consent must be distinguishable from other agreements.
The consent must be provided freely.
The consent has to be withdrawable at any time.
When providing service directly to a child, data processing is lawful only with a parent's consent.
5 Which of the following categories are regarded as sensitive data?
Sensitive information is data that can reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic and biometric data, health information, and data about a person's sex life or sexual orientation.

Processing these kinds of data can cause a lot of harm. Biometric information can be used for surveillance and tracking. Analyzing religious or political views or ethnicity can segregate the data subject into unfavourable target groups. Trade union membership can be used maliciously by employers. Storing sensitive information in Erply is prohibited.

Credit card details
Trade union membership
Passport number
National identification number
Sexual orientation
6 Which of the following can be classified as personal data?
Any data which can be used to identify specific customer is personal data. This holds true even if identification would require consulting some other registry or database (phone numbers, home addresses, car registration plate numbers).

Data which is created during processing (e.g. logs, invoices, payments) can also be personal data, if they contain a copy of personal data (names, phone numbers, addresses).

Any information that the customer has provided.
All data about a customer that has been acquired or created during processing.
Data that can be used to identify a specific person.
Data that can be used to identify a specific person, but which is stored encrypted.
Data that can be associated with a person by using lookups to other databases.
Non-digital data referring to a specific person (paper forms, receipts etc.).
7 Personal data. Which of the following can be considered as personal data?
If there is even a slight chance that a person can be identified via given data, it is considered personal information.

A car registration number can be linked to the owner of the car. Usernames can refer to a person (it might contain their full name, for example) and even in a password, a person might have used information about themselves. Addresses and IP addresses can be used to locate the person and a loyalty card is typically linked to specific person.

Car registration number
Full name
Email address
Postal address
Loyalty card number
IP address
Account username
Account password
Bank account number
Job title
8 Data processing is lawful when:
Customer's permission is required for collecting and processing data. A person can also give consent by signing an agreement that lists required information and describes how it will be processed (notifies the customer about collection of data).
The person has given a consent to this particular processing purpose.
The person has not given a direct consent, but they have signed an agreement which gives a legal basis for data processing.
9 When should customer's consent be acquired when they sign up?
The consent must be collected before the person hands over any personal data.

Before collecting the consent, the customer must also be informed of their rights, purposes of processing and other details, so that the customer would be fully aware of what they are agreeing to.

After the customer has been informed about the data processing purpose and their rights, and before personal data is collected.
Before the customer has been informed about the data processing purpose and their rights.
Before processing personal data.
Before publishing the personal information (on the internet, in a web shop or for marketing purposes). As long as the personal data is not being published (data remains for internal use), the customer does not have to be informed about their rights and no consent is required.
10 What are the customer's rights when their data is processed?
The customer has the right to ask which other companies are processing their information. This information must be provided when collecting the data, as well as when the customer makes an inquiry.

The customer has the right to ask for a copy of their personal data, including data that has been created about them (their customer group, for example).

Customer can withdraw their consent fully or partially — for selected processing purposes or for all purposes at once. If customer takes back their consent, you also need to remove information that is no longer needed (as stored information must be minimal and purposeful).

If customer's requests are not fulfilled, they have the right to report to the local supervisory authority or to go to court.

Right to know the names of all other companies that will handle the data.
Right to have access to their personal data (to see what is being stored)
Right to have the personal data updated or corrected.
Right to have the personal data deleted.
Right to temporarily restrict the processing (in situations where the data needs to be verified, the person does not want their data deleted or when they have objected to processing).
Right to lodge complaints about processing purposes and to take back their consent fully or partially.
Right to lodge a complaint to the supervisory authority or to court.
Right to lodge a complaint to the police.
Right to get an extract of their data.
11 Which rights does the customer have when requesting an extract of personal data?
The regulation does not specifically define the output format; each processor can decide it on their own.

Under normal circumstances, customer must be able to get the data extract free of charge. If the customer issues repeated requests or abuses their rights, a reasonable fee may be collected to cover the costs.

All invalid information must be updated. This is not necessary if the information is historical or statistical by nature (eg. customer's payment history). If the customer has unpaid invoices, you do not need to comply with their request to change or erase their data; the customer will have to settle their balance first.

The copy of personal data must be provided in the format requested by the customer.
Providing the copy must be free of charge.
Personal data must be changed or updated if customer requests that.
Personal data must be erased if customer requests that.
12 Requirements for data processing. Which of the following statements are correct?
The amount of data collected must match the purpose it will be used for.

If customer has agreed to weekly offers by email, this does not give the right to ask for their phone number. On the other hand, requiring the phone number is justified if customer has asked to be notified when their ordered item will be in stock.

Data must be collected minimally — only as much as needed for the processing.
Data must be processed lawfully, in accordance with laws and data protection principles.
Data must be processed fairly.
Data must be processed transparently. The customer must be fully informed about the process.
Data must only be processed for purposes the customer has agreed with.
13 When a customer provides personal data, which of the following actions are correct?
Even if customer has told their name, ask for a proof of identity, too. Disclosing or modifying the information of the wrong person is a serious offense.

Data must not be kept forever. There must be a deadline or a condition that specifies how long the information will be stored. A loyal customer's information, for example, should be deleted if they have not made any purchases in a certain time period.

Customer must show their ID to prevent identity fraud.
Requiring a proof of identity is not necessary.
Before collecting personal data, explain the purposes for which the data is collected.
Before collecting personal data, explain the customer's rights.
Inform customer about their right to lodge complaints to the supervisory authority or to go to court.
Informing customer about the right to lodge complaints is optional.
Inform customer about how long the data will be kept (or what condition determines it).
Provide the contacts of your company (and the company's representative, if possible) so that the customer could get in touch if they have questions or complaints about data protection.
14 In which cases it is allowed to view customer's personal information?
The customer data must be accessed with a clear purpose. All operations done with the data (creating, updating, viewing, deleting) are logged.

Data processing in POS should be done with the customer present and only if the customer has been identified.

To get an overview of unpaid invoices, we recommend to use the Unpaid Invoices report, Overdue Invoices report or Balance report instead. Open customer form only if the report indicates that the customer indeed has a due balance.

When the customer has submitted a request (eg. to see their data).
Customer profile can be viewed at any time.
To do the data processing activities the customer has agreed to.
To update customer information if they have requested that and they have been properly identified.
Data can be updated at any time without identifying the customer.
If you are curious whether the customer might have unpaid invoices or a problematic credit history.
15 What should be done if it appears that there has been a data leak or somebody from outside the company has been able to get access to the data?
When data has been accessed unlawfully, immediately notify the employer. The employer will inform the supervisory authority and will take steps to prevent further incidents.
Immediately notify the employer.
The logs will contain all necessary information, so no further actions are necessary.
The data in POS is freely usable and the customer has been informed that there are no restrictions to looking up that information.
Score: 0/15