Please note this blog post does not constitute legal advice and is intended, and should be used, for general information purposes only.
Controller — “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” This is you, the business operating in the EU or dealing with EU customers.
Processor — “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This is your cloud storage provider and/or data protection vendor such as Acronis.
Personal data — “any information relating to an identified or identifiable natural person.” This is the focal point and the reason for the entire GDPR.
Data subject — the person identifiable by the personal data. These are the people who may ask you to reveal, correct or delete the personal information you store about them on your servers. You must answer every such request within the deadline the GDPR sets (generally within one month of receiving it) or risk substantial fines.
Right to be forgotten — data subjects have “the right to have his or her personal data erased and no longer processed.” People may request that you delete all of their personal data stored on your servers. At this stage, it is not clear whether the right to be forgotten also requires removing data from backups, because certain types of storage media, for example tapes, do not allow deleting individual pieces of data without destroying the entire backup. Your business may also be subject to backup retention requirements for archiving and legal purposes.
Personal data breach — “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” You will have to report a personal data breach to “the supervisory authority” without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. If the breach is likely to result in a high risk to those people, you must also inform the affected data subjects themselves.
Service contract — a written agreement between controller and processor. The GDPR requires such a contract and requires it to set out the processor’s obligations, including processing data only on the controller’s documented instructions and assisting the controller with data subject requests and breach notifications.
Data Protection Officer (DPO) — a position in your company responsible for all issues related to the protection of personal data. The GDPR requires you to appoint one if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organisations may appoint one voluntarily.