What is GDPR?

General Data Protection Regulation (GDPR) is the most comprehensive data protection law of the European Union. It has been in effect since 2018 and imposes a wide range of data protection duties on EU companies and global companies working in the EU market.

GDPR covers whenever someone handles data that could identify a person. It is an EU regulation that is directly applicable to every single EU member state, in addition to any other national data protection laws. It applies everywhere throughout the EU as if it were a national law. It also applies to the European Economic Area (EEA), encompassing the EU, Norway, Iceland, and Liechtenstein.

Not only have EU and EEA countries aligned their national laws with the GDPR, but EU candidate countries have also conformed to this regulation. Furthermore, the influence of this pivotal EU law extends globally, with many nations worldwide adopting its standards for data protection.

The GDPR requires businesses to:

  • Have a legal basis for the processing of personal data, which in most cases means consent
  • Inform data subjects about the processing activities
  • Process only the minimum amount of data and only for the purposes it has been collected for
  • Implement adequate data security measures to prevent data breaches
  • Have written contracts with data processors
  • Conduct data protection impact assessments, if necessary
  • Appoint a Data Protection Officer and legal representative in the EU, if required, and others.

It also grants data subjects with rights, such as:

  • Right to be informed
  • Right to access
  • Right to delete
  • Right to correction
  • Right to object
  • Right to restrict
  • Right to data portability
  • Right not to be part of automated decision-making.

MergeBase and the GDPR

MergeBase, as a Canadian entity, is primarily governed by Canadian data protection laws. However, the General Data Protection Regulation (GDPR) scope extends to MergeBase in specific circumstances. This European regulation becomes relevant for our company when we are involved in handling the personal data of individuals residing in the European Union (EU). This typically occurs when we engage with EU-based customers or customers that process EU residents’ data or when our website attracts visitors from the EU.

In terms of processing personal data, our approach is twofold. Firstly, we process personal information as part of fulfilling contractual obligations with our customers. This means that when we enter into a business relationship, the handling of personal data is a necessary component of delivering our services as agreed upon in the contract. Secondly, we also process data based on the explicit consent obtained from our website users. This consent-based approach is particularly relevant for casual website visitors who are not engaged in a contractual relationship with MergeBase but whose data we might still process.

Our services do not involve processing personal data on behalf of our customers, which means that we are usually not a data processor. If, in the future, we do process personal data categories on behalf of a customer, we will adhere strictly to GDPR guidelines. This includes entering into a data processing agreement with the customer and ensuring that both parties understand and comply with their respective obligations under the GDPR.

On top of that, we implement adequate data security measures to keep the data safe and to prevent data breaches. These measures are designed to safeguard personal data against unauthorized access, disclosure, alteration, and destruction. Our commitment to data security is a cornerstone of our operations, aimed at preventing data breaches and maintaining the trust of our customers and website users.

Our privacy practices are described in detail in our privacy policy.

How Does MergeBase Help You Comply with the GDPR?

The GDPR mandates that companies implement comprehensive data security measures to protect personal data. The EDPB guidelines elaborate on this requirement, detailing the necessary steps for data protection and legal compliance.

MergeBase’s services do not involve processing data on behalf of our clients. They are specifically designed to reduce the risks associated with cyberattacks and data breaches, which is in line with the GDPR’s emphasis on proactive data security measures.

Recognizing these obligations, MergeBase positions itself as a key player in your data security strategy. Our services are not just about compliance; they aim to surpass the stringent data security standards set by the GDPR and outlined in the EDPB guidelines.

Additionally, MergeBase is equipped to address any security-related queries you might have, whether it’s during Data Protection Impact Assessments or in responding to data subject requests.