GDPR Compliance
1. What is GDPR?
GDPR is a privacy and data protection law that regulates how companies protect the data of European Union residents and strengthens the control those residents have over data they share on any platform.
The GDPR is relevant to any globally operating company whose services are accessible, directly or indirectly, to European businesses or citizens of the European Union. The data our customers share on our platform is important irrespective of where the customer is based, which is why, as a responsible platform, we have implemented GDPR controls as our baseline standard for all our operations across the globe. GDPR has taken effect from __ January 2024.
2. Does the GDPR apply to me?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who:
- Market their products to people in the EU.
- Monitor the behaviour of people in the EU.
In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
In keeping with our ongoing commitment to privacy and security, M/s Agastiyar Research Educational Trust is committed to making it easier for you to comply with the GDPR.
3. What are the main responsibilities under GDPR?
GDPR requires that personal data be:
- Processed lawfully, fairly, and transparently.
- Collected for specified, explicit, and legitimate purposes.
- Limited to what is necessary for the purposes for which it is processed.
- Accurate and kept up to date.
- Stored only as long as necessary.
- Processed securely to protect against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Further, GDPR places additional obligations on companies to document their processing activities and be able to demonstrate their compliance with the above principles.
4. What is the definition of “personal data” under the GDPR?
Personal data refers to data that relates to an identified or identifiable natural person (aka “data subject”). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, email id, phone number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Importantly, this is a very broad definition and can encompass data like IP addresses of a user’s personal device, their device ID, or their phone number. It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID). What matters is that the information can be used to “pick that user out of the crowd” even if you don’t know who that user is.
5. Who is the Controller and who is the Processor in Agastiyar Research Educational Trust’s relationship with the Customer?
Unless explicitly clarified in any agreement, Agastiyar Research Educational Trust will be the Processor and Customer/User will be the Controller.
6. What are the key changes from the previous regulations?
New and enhanced rights for data subjects:
- Explicit consent: Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
- Right to access: At any point in time, the data subject can ask the Processor what personal data is being stored or retained about him/her.
- Right to be forgotten: The data subject can request the Processor to remove their personal information from the Processor’s systems.
- Obligations of the processors: GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller’s instructions.
- Data Protection Officer: Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance, and data protection practices.
- Privacy Impact Assessments (PIA): Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
- Breach notification: Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
- Data portability: The Processor must be able to provide data subjects with a copy of their personal data in machine-readable format. If possible, they must be able to transfer the data to another controller.
7. What steps does the Company take to become GDPR-ready?
We have covered a lot of ground toward understanding and analyzing how GDPR will impact our customers and making appropriate changes to our product and processes. Below is a glimpse of our analysis and the steps we took to ensure we are compliant well in time:
- We have revised our Privacy Policy to incorporate the requirements of the applicable privacy laws based on our data inventory, data flows, and data handling practices.
- Customers will be notified of a breach within 72 hours after the Company becomes aware of it.
- We have cleaned up our databases to ensure that we have only the latest and most accurate information.
- Based on the PIAs and internal audits, we have improved our data security methods and processes.
- We conducted internal audits of our products, processes, operations, and management.
- Our application teams have embraced the concept of privacy by design and have provided you more control over the data you store in our systems.
- We have appointed a designated Data Protection Officer to oversee data protection and privacy breaches.
- We have assessed all our products, individually, against the requirements of the GDPR and have implemented new features that will give you more control over your data.
- We have raised awareness across the organization through frequent discussions in our internal channels and trained employees to handle data appropriately.
8. GDPR Rights
- EU-US Privacy Shield related: If you have any questions related to the topics of transfer of data between EU-Swiss and US or EU-US privacy shield regulation, please post it via email, and we will get back to you in a timely manner.
- Transfer data: Under GDPR, if you need to transfer data to another processor or controller, we can provide you with a copy of the personal data we have.
- Delete or object to processing of personal data: We will honour requests to delete personal data or to object to its processing; both are handled by deleting your personal data from our service within 90 days.
- Restrict processing: You can request the restriction of the processing of your personal data by emailing us at agastiyarzones@gmail.com.
- Correct data: If you feel your personal data is incorrect, you can post a request with information regarding the data to be corrected. We will process the needed changes or will notify data controllers on the subject (in case you are not our customer yet).
- Access to personal data about the data subject: Under the GDPR, data subjects have the right to access their personal data. You can post a request, and we will provide the data we store.
Contact Us
Please feel free to ask questions and share concerns with us at info.agastiyar-researchinstitute@gmail.com.