The General Data Protection Regulation (GDPR), which is enforced starting May 25th 2018, creates consistent data protection rules across Europe. It applies to organizations who are based in the EU and global organizations who processes personal data about individuals in the EU.
While many of the principles are similar to prior EU data protection rules, the GDPR has a wider scope, more prescriptive standards, and substantial fines.
Organizations who use labfolder’s software to manage their research data can continue to use labfolder’s platform in the same way they do today. Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with other laws that apply to them.
Under GDPR, there are a number of grounds to legitimize the processing of personal data. Below, we’ve outlined the most relevant legal bases under the GDPR.
It depends on the circumstance. Here are the most common use cases that apply to labfolder:
You are the data controller when you decide the ‘purposes’ and ‘means’ of any processing of personal data.
You are the data processor when you process personal data on behalf of a data controller. Certain obligations now apply directly to data processors, and controllers must bind them to certain contractual commitments to ensure data is processed safely and legally.
When labfolder is processing data as a data processor acting on your behalf, your organization needs to have its own legal basis to process and share the data with us.
Where labfolder provides services to our EU partners as a data processor on their behalf, we’ll ensure that we comply with the specific requirements for data processors. This means that, as relevant, we’ll refresh any necessary contractual obligations to align with the GDPR.
Where we appoint parties to act as data processor on our behalf, we’ll also ensure that we have appropriate terms in place to comply with our requirements under GDPR and safeguard our data.
Where we act as a data processor on an organization’s behalf, we will be relying on our customer’s legal basis as data controller for our processing of such data.