What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR), which is enforced starting May 25th 2018, creates consistent data protection rules across Europe. It applies to organizations who are based in the EU and global organizations who processes personal data about individuals in the EU.
While many of the principles are similar to prior EU data protection rules, the GDPR has a wider scope, more prescriptive standards, and substantial fines.
What is Labforward’s position on the GDPR?
Information for Organizations
Organizations who use Labforward’s software to manage their research data can continue to use Labforward’s platform in the same way they do today. Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with other laws that apply to them.
Key Legal Bases
Under GDPR, there are a number of grounds to legitimize the processing of personal data. Below, we’ve outlined the most relevant legal bases under the GDPR.
- Data processed must be necessary for the Service and defined in the contract with the individual
- Requires a freely given, specific, informed and unambiguous consent by clear affirmative action
- People have a right to withdraw consent, which must be brought to their attention
- Must be from a person over the age of consent specified in that Member State, otherwise given by or authorised by a parent / guardian
- Explicit consent is required for some processing (e.g., special categories of personal data)
- If a business or a third party has legitimate interests which are not overridden by individuals’ rights or interests.
- Processing must be paused if objection is raised by an individual
Is Labforward a Data Controller or a Data Processor?
It depends on the circumstance. Here are the most common use cases that apply to Labforward:
- When you visit our website, get in touch with Labforward or create a labfolder account, Labforward acts as the data controller.
- When your organization uses labfolder’s Cloud version of our electronic lab notebook, Labforward is the data processor and the organization is the data controller. For some data points (usage information) Labforward may also be considered the data controller.
- When your organization uses labfolder’s Server version of our electronic lab notebook, Labforward is neither the controller nor the processor.
You are the data controller when you decide the ‘purposes’ and ‘means’ of any processing of personal data.
- Similar to what’s already in place for data protection law today, data controllers will have to adopt compliance measures to cover how data is collected, what it is being used for, how long it is being retained for and ensure people have a right to access the data held about them.
You are the data processor when you process personal data on behalf of a data controller. Certain obligations now apply directly to data processors, and controllers must bind them to certain contractual commitments to ensure data is processed safely and legally.
When Labforward is processing data as a data processor acting on your behalf, your organization needs to have its own legal basis to process and share the data with us.
Services as data processor
Where Labforward provides services to our EU partners as a data processor on their behalf, we’ll ensure that we comply with the specific requirements for data processors. This means that, as relevant, we’ll refresh any necessary contractual obligations to align with the GDPR.
Where we appoint parties to act as data processor on our behalf, we’ll also ensure that we have appropriate terms in place to comply with our requirements under GDPR and safeguard our data.
Where we act as a data processor on an organization’s behalf, we will be relying on our customer’s legal basis as data controller for our processing of such data.