East Eureka LLC
General Data Protection Regulation (GDPR) Policy
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that was enacted by the European Union (EU) to regulate the processing of personal data. It came into effect on May 25, 2018, replacing the 1995 Data Protection Directive.
The GDPR represents a stringent regulatory framework designed to protect personal data and enhance privacy, emphasizing accountability and transparency from organizations that process personal data.
CMSI commitment to GDPR
CMSI (Content Management System International) demonstrates a strong commitment to GDPR (General Data Protection Regulation) compliance through various strategies and practices. The most important piece of privacy law in Europe in the past 20 years is the EU General Data Protection Regulation (GDPR), which supersedes the EU Data Protection Directive from 1995. CMSI has always respected its members' privacy, but with the new GDPR laws going into effect, it was a good idea to examine and update the organization's policies and services.
A Data Privacy Officer (DPO)
A Data Privacy Officer (DPO) is a key role within an organization responsible for overseeing the data protection strategy and ensuring compliance with data privacy regulations. An internal DPO has been appointed by CMSI to oversee GDPR compliance and to keep track of documents and records.
PERSONAL DATA PROCESSING AGREEMENT
A Personal Data Processing Agreement (PDPA) is a legal document that outlines the terms and conditions under which personal data is processed by a data processor on behalf of a data controller. It is crucial for ensuring compliance with data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union. Below is a template for a PDPA. Consider this personal data processing agreement (hereafter referred to as the "DPA") as an essential component of the service order. "Data Controller" refers to Advertiser for the purposes of this DPA, and "Data Processor" refers to CMSI.
A. Since CMSI's Data Privacy Officer (DPO) can handle all GDPR-related activities, CMSI complies with legal requirements.
B. Carrying out effective privacy impact assessments (PIAs) for data processing and consumption
C. Maintain a register that lists all of the data handled by the organization, together with its storage location and authorized users.
D. Make agreements with data processors on data processing.
E. Handle contracts for data processing with data processors.
F. DPO can keep an eye on privacy conditions. DPO can notify and handle any data breaches that occur during a campaign.
G. In this manner, the DPO is consistently well-informed on the organization's data handling.
Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) is a process used to evaluate and manage the privacy implications of new projects, systems, or processes that involve the collection, storage, or handling of personal data. It helps organizations identify potential privacy risks and ensure compliance with privacy laws and regulations. To find out what information Affiliates are processing and how it relates to the new GDPR, CMSI conducted a PIA.
The objective and extent of the processing of personal data:
The processing of personal data is done so that Data Controller can use Data Processors for advertising.
Network of publishers:
The processing of personal data is done so that the Data Controller may use the tracking technology provided by the Processor to administer its own publisher network and maintain records.
How do users become members?
Members can join up via our website, newsletter, invitation, and social media campaign sites, among other places.
Enrolling in the online panel program:
Prior to becoming a member of the Base, participants must provide a second double opt-in. After customers have given their consent, CMSI's panel providers will receive their data and they will begin receiving online surveys.
How can participants handle their data?
By entering their login name and password on the relevant website, members may access their personal data management and self-promotion areas inside their own account areas.
Types of personal information
Under this DPA, the following types of personal data may be processed:
Cookie ID, IP address, and advertiser's contact information, including name, phone number, email address, and social networking pages.
Publishers' and Affiliates' Obligations
a. Publishers are required to put precise organizational and technological safeguards in place to guarantee that personal data is processed in compliance with the guidelines set forth in the relevant data protection legislation.
b. Unless otherwise specified by mandatory law, Publishers shall ensure that any individual having access to the personal data covered by this DPA complies with its terms and conditions, including the requirement to process the personal data only in accordance with the Advertiser's instructions.
c. Removal of personal data within the DPA's term: If Publisher receives notification from Data Processor that particular Personal Data should be erased, Publisher will ensure that Publisher quickly destroys, overwrites, or deletes the relevant Personal Data.
d. Publishers are responsible for making sure that all employees under their control have access to such personal information only when necessary to carry out Publishers' duties as service providers.
e. The publisher is in charge of making sure that the personal information is handled discreetly at all times. The publisher will take special care to protect personal information from any real, suspected, or anticipated threats to its security and integrity, including accidental or illegal data destruction, loss, or alteration, unauthorized disclosure of or access to personal information, and other data breaches.
f. From the Service Order's effective date until the Service Order's expiration, this DPA will be in full force and effect.
Right To Unsubscribe
The "right to unsubscribe" is a consumer protection mechanism that allows individuals to opt out of receiving further communications from an organization, typically in the context of email marketing, newsletters, or other subscription-based services. This right is important for maintaining user privacy and preventing unwanted or spam communications.
A member can terminate their account on their own in the member account if they choose to quit, decide they are no longer interested in remaining in the database, or decide they no longer want to receive any emails or material relating to the newsletter program. Their data will be kept on file for an additional two weeks after they have deactivated their account, following which it will be permanently deleted from the servers. Additionally, users may always opt out of our newsletters and emails by clicking the Unsubscribe link that appears underneath each one.
Allowing users to easily unsubscribe empowers them to control the communications they receive. This not only helps in reducing spam and unwanted emails but also enhances user trust and satisfaction with the organization.
By adhering to these principles, organizations can effectively respect and implement the right to unsubscribe, ensuring compliance with legal standards and fostering positive relationships with their audience.
Who is in possession of the member's data?
The member's data is only directly accessible to legal staff members of CMSI. They are unable to export or download any data; they can only read member data. To send newsletters or provide customer care, they require access. In addition, certain data processors have partial access to the data. To ensure that they are all GDPR compliant, CMSI has data agreements in place with each of its partners. CMSI has all of these agreements stored.
How does CMSI respond to breaches of data?
A data breach response plan created by CMSI is accessible on internal Google Drive and has been distributed to all staff members. The personnel will find out what to do in the event of a data breach from this paper. Any data breaches can be reported to the DPO, who will then take the appropriate action. CMSI always keeps internal sequence logging information for sporadic retrieval checks.
How is the new GDPR communicated to the staff?
An internal privacy policy created by CMSI has been distributed to all employees, and our DPO has also provided education on it. This paper explains privacy to the workforce and outlines the steps they should take to protect data.
A few standards:
1. CMSI will not be held responsible for the legality of services rendered in nations where CMSI offers affiliate services. If the Publisher registered with CMSI from a country other than the one in which CMSI offers the service, or if the Publisher's website is hosted on a server in a country other than the one in which CMSI offers the service, the Publisher is solely liable for the legality of the use of the service.
2. For EU Campaign, this Agreement shall be interpreted and controlled by the laws of the United Kingdom.
3. Should a disagreement emerge from this contract, the parties shall try to resolve it through mediation using the Model Mediation Procedure or any other mediation process they may decide upon. One Party may seek mediation in writing from the other Party in order to start the mediation process in line with this provision. The mediation must happen no later than 28 days following the Notice's distribution.
If you have any particular queries concerning GDPR compliance, please write to us at: support@easteureka.com