General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in two decades. GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016 and took effect on May 25, 2018. Unlike a Directive, it does not require any enabling legislation to be passed by government.

Who does the GDPR affect?

The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover or €20 million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g., a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.

What constitutes personal data?

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

What are Stellar’s responsibilities as a data processor?

When any Stellar customer uses Flight Operator System (FOS) to process personal data, the controller is usually Stellar’s customer (and sometimes it is the customer’s customer). However, in all these cases, Stellar is always the data processor in relation to this activity. This is because the customer is directing the processing of data through its interaction with the FOS service controls, and Stellar is only executing customer directions. As a data processor, Stellar is responsible for protecting the global infrastructure that runs all our services. Controllers using Stellar maintain control over data hosted on this infrastructure, including the security configuration controls for handling end-user content and personal data.

Helpful Links

European Commission - https://ec.europa.eu/info/law/law-topic/data-protection_en

Amazon’s EU Data Protection information - https://aws.amazon.com/compliance/eu-data-protection/

Microsoft GDPR information - https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

For additional inquiries, please contact us at support@stellar.aero