CLARIFICATIONS ABOUT THE GDPR
WHAT IS THE GDPR?
GDPR stands for General Data Protection Regulation and it was approved and adopted by the European Union (EU) Parliament through the Regulation (EU) nº 2016/679, which will come into effect on May 25, 2018.
WHO IS SUBJECTED TO THE GDPR?
GDPR rules apply to any organization and/or company, even if established outside the EU, which offers goods and/or services (physical or digital ones) to, monitors the behavior of, and/or processes and holds personal data of users (data subjects) residing in the EU.
WHAT CONSTITUTES PERSONAL DATA UNDER THE GDPR?
Any information related to a natural or legal person, known as “Data Subject”, which can be used, directly or indirectly, to identify this person. For example: name, photos, email address, bank details, medical information, geolocation, phone numbers, posts on social media, computer IP address, etc.
WHAT IS THE DIFFERENCE BETWEEN DATA CONTROLLER AND DATA PROCESSOR?
The Data Controller is the entity which determines the purposes, conditions and means of the processing of personal data, whereas the Data Processor is the one processing the data on behalf of the Controller.
This distinction is of the utmost importance because the rules imposed by the GDPR on each of these entities (Controller and Processor) are different, and the main obligations fall on the Data Controller.
MAIN OBLIGATIONS OF COMPANIES UNDER THE GDPR
1) Obtain explicit and/or unambiguous consent, depending on the data, by means of a free, specific, informed, and intelligible declaration in which the data subject positively accepts that their personal data is processed;
2) Inform users about, and obtain their consent for, the usage of cookies and other data collection tools;
3) Implement appropriate and sufficient technical measures to ensure the protection and confidentiality of the personal data under its responsibility and to enforce the GDPR rules;
4) Provide the information and personal data of data subjects whenever duly requested by them;
5) Hold agreements with data processors to ensure that data will be processed according to the confidentiality criteria and that only data for which the data subjects have given formal consent will be processed;
6) Appropriately record all data processing activities under its responsibility;
7) Notify the competent supervisory authority of any personal data breach, within the deadline and under the conditions established by the GDPR, unless the personal data breach is not likely to cause harm to the rights and freedoms of the data subject;
8) Communicate to the data subject that their personal data has been breached, except in the cases foreseen under the GDPR;
9) Carry out a data protection impact assessment whenever a given kind of data processing uses new technology and, taking into account its nature, origin, particularity, and purpose, is likely to result in a high risk to the rights and freedoms of data subjects;
10) Hire or assign an employee to be responsible for the protection of data subject to processing, if the company falls under one of the scenarios foreseen in the GDPR.
MAIN RIGHTS OF DATA SUBJECTS
1) Transparency of the information, communication, and rules for exercising all the rights of a data subject. In the case of Hotmart, all this information can be found in the Terms of Use, Privacy Policy and Platform Cookies Policy.
2) Receive from the entity responsible for your personal data, whenever requested through the appropriate channels, information regarding:
a) The identity and the contact information of the entity responsible for the data collection;
b) The contact information of the party responsible for data protection at the processing entity, if applicable;
c) The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
d) The reasons for which the processing is needed;
e) All recipients with whom your personal data will be shared;
f) The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
g) The right to withdraw consent at any time;
h) Whether providing personal data is a legal or contractual requirement, or a requirement necessary to enter into an agreement, as well as whether the data subject is obliged to provide personal data and the possible consequences of not providing such data.
It is important to note that, in the case of the Hotmart Platform, the information described in items “c”, “d”, “e”, and “f” is already set out in the Privacy Policy and Cookies Policy. The remaining information may be requested at any time by the data subject at gdpr@hotmart.com.
3) The right to have their personal data rectified if it is erroneous, upon request to that end;
4) The right to request the erasure of their personal data, upon request to that end;
5) The right to obtain from the processing entity a restriction of the processing, upon request to that end;
6) The right to demand that the entity processing the personal data communicate to each recipient to whom the personal data were sent any rectification or erasure of personal data or restriction of processing, upon request to that end;
7) The right to data portability, upon request to that end;
8) The right of the data subject to object, at any time, for personal reasons, to the processing of their personal data (Article 21).
WHAT HOTMART IS DOING TO COMPLY TO THE GDPR
Hotmart has done its best to adjust to the changes brought by the GDPR. As we see them, they are incredibly positive for our users, and they will favor a more transparent, responsible, conscious, safe, and democratic environment concerning the usage of users' personal data by the many services and online platforms.
Accordingly, we have created a transparent Cookies Policy, which allows the user to identify which cookies and other tools are used to gather personal data, which data are being stored, and the period for which they are stored.
In addition, our Privacy Policy establishes the terms under which personal data will be used, processed and shared with third parties, so that it is clear to users why we need their data.
Internally, Hotmart has compliance regulations to adequately process personal data gathered from users so only employees who actually need to access the data gain access to them, in a controlled and identified manner.
Additionally, one employee (the Data Protection Officer, or DPO) will be appointed to enforce all compliance regulations and to act as the interface between users and the fiscal and supervisory authorities.
We have created an exclusive communication channel with our users to clear their questions about the GDPR, their rights and how to enforce them.
It is important to point out that gathering, storing, and processing personal data collected from users is essential for Hotmart to provide the services offered through its Platform.
Nonetheless, we assure our users that we put our best efforts into keeping all personal data collected secure, protected and confidential; however, it is technically impossible to guarantee the inviolability of data in the unlikely event of external attacks and system breaches.
In such cases, we commit to informing the users of the situation and of the data that were compromised, in accordance with the principles of transparency and trust that govern the relationship between Hotmart and its users.
Obviously, the GDPR represents a major break from the previous standard, with an impact on the culture and on the manner in which companies behave online.
Therefore, all agents involved in this change, including users, need to understand that this transformation will not take place overnight but bit by bit, since many aspects of the GDPR are still unclear as to how they will be enforced, technically and practically.
Regardless of the challenges inherent to the enforcement of the GDPR, Hotmart is committed to being aligned with the best practices of the market and the rules set forth by the competent authorities, in order to keep its many applications in line with the rules of the GDPR.
MORE INFORMATION
For more information about the GDPR, we suggest you visit the websites listed below. We do not take any responsibility for the correctness, adequacy, and/or timeliness of the information on such sites, since they are under the responsibility of third parties.
https://www.eugdpr.org/
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
(Version updated May 18, 2018)