GDPR and RedJade

Overview
The European Union General Data Protection Regulation (GDPR) has now been enacted. RedJade has made improvements to our application to comply with GDPR regulations. In addition, we have provided an overview of how GDRP relates to RedJade below. GDPR applies to every business or organization that collects personal data from EU-based individuals regardless of nationality. See GDPR for full GDPR text.

Processors & Controllers
Companies may act as a data controller, a data processor or both. The data controller is the party determining what data is to be collected, how this data is to be collected, from whom and its usage. The data controller (RedJade Clients) provides instructions either manually or programmatically to be executed by the data processor. For clarity, RedJade is the data controller for RedJade Clients and the data processor for RedJade Client subjects. For further information, see RedJade’s Privacy Policy

Data protection principles
Article 5 of the GDPR states that the processing of personal data should be:

• Lawfulness, Fairness and Transparency: Processed lawfully, fairly and in a transparent manner in relation to the data subject
• Purpose Limitation: Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
• Data Minimization: Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Accuracy: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that the personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
• Storage Limitation: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject;
• Integrity and Confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Consent
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

GDPR and RedJade
See below for how RedJade handles many GDPR Regulations. For further clarification, see individual GDPR articles (links in red). Please contact us at privacy@redjade.net if you have any questions related to RedJade and GDPR.

Article 1: GDPR General Provisions
The method and types of data collected are fully controlled by the data controller (RedJade Client). RedJade provides options for totally anonymized data collection. Personal data is required if survey invitations need to be sent by e-mail or contacted via telephone or as requested by a RedJade Client. All individual data is anonymized if the subject is removed from RedJade.

Article 5: Accountability
It is the responsibility of the data controller to keep data “no longer than necessary”. As the data processor, RedJade processes data solely in accordance with instructions provided by the data controller. The deletion of records and datasets can be requested by data controllers at any time. Data controllers can delete subjects (anonymizing their data across the application immediately). RedJade is currently working on additional features to anonymize data on study archive.

Consent (consent is mentioned across several articles)
Consent is the responsibility for the data controller (RedJade Client). New consent is NOT required if consent previously obtained meets GDPR requirements. RedJade instituted consent monitoring directly within the application (see Obtaining and Monitoring Subject Consent). The data controller (RedJade Client) should provide an email address or phone number for subjects to contact them to remove consent – this process must be easy for the subject.

Article 11: Processing which does not require identification
Personal data is required for several actions within RedJade – most notably email-based surveys and demographic information stored in the database. RedJade has the ability to collect anonymous data. In addition, when a subject is removed from RedJade, all data is automatically anonymized. Anonymized data is not subject to GDPR. The data controller (RedJade Client) should provide an email address or phone number for subjects to contact them to remove consent – this process must be easy for the subject.

Article 15: Right of access by the data subject
All data stored regarding a subject in RedJade Recruiting is accessible by Recruiting Managers. If all data completed by a subject needs to exported, RedJade Client should contact RedJade directly at privacy@redjade.net.

Article 16: Right to Rectification
Recruiting Managers for RedJade Clients can rectify data in recruiting directly. The data controller (RedJade Client) should provide an email address or phone number for subjects to contact them to rectify data – this process must be easy for the subject. For specific data editing or removal on a subject, RedJade Client should send an email to privacy@redjade.net.

Article 17: Right to erasure (right to be forgotten)
RedJade Client Recruiting Managers (data controllers) can delete any subject (See Deleting a Subject) and their data is immediately removed and anonymized. The data controller (RedJade Client) should provide an email address or phone number for subjects to contact them to remove them from the database – this process must be easy for the subject.

Article 18: Right to restriction of processing
RedJade Client Analyses Managers (data controllers) can exclude any subject from any analyses eliminating the data from being processed. The data controller (RedJade Client) should provide an email address or phone number for subjects to contact them to allow them to be restricted from processing – this process must be easy for the subject.

Article 20: Right to data portability
All data regarding a subject is available within RedJade recruiting is available on export by a RedJade Client recruiting manager. The data controller (RedJade Client) should provide an email address or phone number for subjects to contact them to obtain data – this process must be easy for the subject. Additional subject data is available by contacting RedJade directly at privacy@redjade.net.

Article 21: Right to object
See above points regarding deleting, updating and anonymizing data.

Article 25: Data protection by design and default
Data protection by design and default is the responsibility of the data controller, specifically by implementing appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. RedJade provides overall security for its infrastucture and the SaaS services provided.

Article 28: Use of other processors or sub-processors by RedJade on behalf of the data controller
RedJade informs its clients about the use of sub-processors (see Privacy Policy) in relation to the collection and storage of personal data. Sub processors used will meet the requirements of the GDPR. RedJade clients must accept sub-processors as part of the provided SaaS service (AWS and Mailchimp).

Article 32: Security information
Contact us at privacy@redjade.net for any security information and see our Data Security Policy.
Data Subject Rights

Breach Notification
Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. Notification must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

Right to Access
Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose from the data controller. Additionally, the controller is bound to provide a copy of the personal data in an electronic format free of charge.

Right to be Forgotten
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data when he/she requests this. The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subject withdrawing their consent.

Data Portability
Data portability consists of the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.

Privacy by Design
Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. Privacy by design calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing.

Disclaimer
The materials available on this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your counsel to obtain advice with respect to any particular issue or problem.