On 25 May 2018 the European General Data Protection Regulation (GDPR) becomes effective.
GDPR changes the way organisations handle the personal data of people in the European Union, and non-compliance can cost an organisation hefty fines (under Article 83, up to the higher of EUR 20 million or 4% of annual worldwide turnover).
This is to inform ADDA users that the ADDA suite (ADDA ERP and ADDA GateKeeper) is GDPR ready.
If you are part of the Managing Committee / Board of your Association, please review this blog post to understand your responsibilities in ensuring the Association is GDPR ready.
Our Community is not in Europe, why do we need GDPR readiness?
All organisations that store or process the personal data of data subjects in the EU must comply with the GDPR. Note that the regulation's territorial scope (Article 3) depends on where the data subject is and on whether the organisation is established in the EU or offers services to, or monitors, people in the EU; it is not strictly tied to citizenship. In the rest of this post, "EU citizen" is used as shorthand for the owners, tenants and visitors most likely to be in scope.
Many residential communities in highly cosmopolitan pockets around the world have owners or tenants who are EU citizens.
You may be storing their personal data on ADDA ERP, in any other online database, or even in an offline database such as an Excel sheet.
Most communities have visitors with EU citizenship.
You may be storing their personally identifiable data on ADDA GateKeeper, in any other online database, or, more frequently, in paper registers.
It is important that your Association is not caught unaware regarding the handling of personal data of EU citizens.
What does an Association need to do for GDPR readiness?
1. Understand your Role – Data Controller
For the data below, if you collect and store it, you are the "Data Controller" as defined by the GDPR.
a) Owners/Tenants Data
b) Association Staff Data/ Vendor Data
c) Domestic Staff Data
d) Visitor Data
The Controller decides the purposes and means of processing personal data.
2. Understand your chosen Portal’s Role – Data Processor
You may choose a portal like ADDA to store and process all of the above data.
Such a portal is called a “Data Processor” in GDPR terminology. A Processor processes personal data on behalf of, and on the documented instructions of, the Controller. Article 28 requires this relationship to be governed by a contract (a data processing agreement) that sets out the Processor’s obligations; check that your provider’s terms include one.
3. Get complete assurance that the Data Processor is not sharing any personal data from your portal with ANY third party without your consent or explicit awareness. This includes sub-processors (hosting, email or SMS providers, for example), which the Processor must disclose and may only change with your prior notice (Article 28(2)).
From ADDA you have this awareness in our ToS (Data Privacy section).
If you find the ToS of any other provider ambiguous with respect to data privacy and security, ask for clarity.
4. Know your Lawful Basis for Processing the Personal Data of each Segment
a) Owner/Tenant Data
Lawful basis when the data is stored in ADDA ERP: Legal Obligation
Lawful basis when the data is stored in ADDA GateKeeper: Vital Interests
b) Association Staff Data / Vendor Data
Lawful basis: Contract
c) Domestic Staff Data (may include Tutors)
Lawful basis: Public Task
d) Visitor Data
Lawful basis: Public Task
Caveat: treat the bases above as starting points and review them for your own Association. Under Article 6 of the GDPR, “vital interests” is confined to protecting someone’s life or physical safety, and “public task” to tasks carried out in the public interest or under official authority conferred by law; neither usually fits routine record-keeping by a private Association. For security-related processing such as gate and visitor records, the basis most Associations can actually document is “legitimate interests” (Article 6(1)(f)), which requires a short written balancing of your interest against the individual’s. Record the basis you rely on for each segment; you must be able to state it when informing individuals and when responding to requests.
5. Know each Individual Right of EU Citizens under GDPR and how you can be ready for them
All GDPR-related requests are to be raised with the data controller, i.e. the Association. Please validate each request first based on the guidelines below. There are also a few key areas for which you might require the ADDA team’s help; they are mentioned in line with the “Rights” below:
a) Right to be Informed
Under this right, the individual must be told the purpose of processing their personal data, the lawful basis, the retention period and who it will be shared with.
For Owners/Tenants, the ADDA ToS covers this. They are informed of the purpose of processing, the retention period and who their data will be shared with.
For Staff/Domestic Staff, their enrollment process in “Staff Management” of ADDA covers it.
For Vendors, their enrollment process in “Vendor Management” of ADDA ERP covers it.
For Visitors, the ADDA ToS covers this; in addition, the ADDA GateKeeper Red Board placed outside each gate and visible to visitors has been updated with this information.
b) Right of Access
Individuals can make a request (verbal or written) to see the data you hold about them. You must respond without undue delay and at the latest within one calendar month; for complex or numerous requests this can be extended by a further two months, provided you tell the individual why within the first month (Article 12(3)).
This request will come to the Association.
If the request is verbal, please ensure you lodge a Helpdesk Ticket on ADDA to document the request and the date it was received.
Once you have confirmed the requester’s identity (Article 12(6) lets you ask for additional information where you have reasonable doubts), that they are an EU citizen and hence within scope, and that you are indeed storing their personal data, raise a query with ADDA. All personal data of the requester stored in ADDA will be sent to the requester.
c) Right to Rectification
An individual can make a request (verbal or written) to rectify their stored data. You have one calendar month to respond to their request.
This request will come to the Association.
The feature to rectify data is already available in ADDA for Owners/Tenants, Staff, Domestic Staff and Vendors.
In the case of Visitors, the Association may evaluate the legitimacy of the request against the Controller’s obligations under the accuracy principle of the GDPR. This means that if a Visitor wishes to rectify their data, you can refuse where the change would defeat the lawful purpose of storing or processing the data, namely incident investigation. If you refuse, tell the individual why and that they may complain to a supervisory authority.
d) Right to Erasure
An individual can make a request for erasure of their personal data (verbally or in writing). You have one calendar month to respond to their request.
This request will come to the Association.
This needs to be handled on a case-by-case basis.
Owner/Tenant Data
The Association can refuse this request as it conflicts with its Legal Obligation while the Owner/Tenant is associated with the Association, i.e. they own a property in the Association, reside there, or owe unpaid dues to the Association.
However, once there are no legal obligations (e.g. the Owner has sold or the Tenant has vacated, and there are no unpaid dues or objections from the Association), the Association must uphold the Right to Erasure.
After ascertaining the legitimacy of the request and the identity of the individual as an EU citizen, head to the relevant page on ADDA Admin to delete the data of the deactivated user.
Staff/Vendor/Domestic Staff Data
The Association can refuse this request while the Staff member is employed by the Association or the Domestic Staff member works within the premises.
However, if the Staff/Domestic Staff member is no longer employed by the Association or any Member respectively, the Right to Erasure must be upheld.
Erasure can also be refused where the data is lawfully held as “Criminal Offence Data”, that is, where retention is required to comply with a legal obligation or to establish, exercise or defend legal claims (Article 17(3)).
Visitor Data
The Association can refuse this request if the stipulated storage duration for its lawful purpose (incident investigation) has not expired.
Upon expiry of the stipulated storage duration, the Right to Erasure must be upheld.
Erasure can also be refused where the Visitor data is lawfully held as “Criminal Offence Data” on the same Article 17(3) grounds as above.
For valid requests, the Association can raise a request with us and the ADDA team will make sure the individual’s data is anonymised in the system. Note that anonymisation satisfies erasure only if it is irreversible; data that can still be linked back to the individual (pseudonymised data) remains personal data.
e) Right to Restrict Processing
If an individual restricts the processing of their personal data, you are permitted to store the data but not otherwise use it (Article 18).
While we cannot think of many use cases for this request in the context of Owners Associations, for individuals who have requested data erasure the Association may discuss with them and convert the request into one to restrict processing.
On receiving a valid request, you can consider deactivating the individual in ADDA, which restricts processing of their personal data. Confirm what deactivation actually stops (for example inclusion in communications, reports and exports), since restriction means the data may be retained but not processed further.
f) Right to Data Portability
This right allows the individual to move, copy or transfer their personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. The GDPR requires the data to be provided in a structured, commonly used and machine-readable format (Article 20).
The Association can raise a request with ADDA (after ascertaining the user’s identity and status as an EU citizen). We will send the user all their personal data in CSV format for the purpose of data porting; make sure it is delivered only to the verified requester.
g) Right to Object
This is the right of an individual to object to the processing of their data under certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing (Article 21(3)).
If you refuse this right because you have a lawful basis to continue processing, you must tell the individual your justification; for processing based on legitimate interests or public task, you may only continue if you can demonstrate compelling legitimate grounds that override the individual’s interests (Article 21(1)).
In the case of a valid concern, the Association can raise a request with ADDA on behalf of the EU citizen. We will provide the user the option to opt out of any marketing-related communications.
h) Rights related to automated decision making including profiling
We have not identified any use case for this Right in the Association context.
The ADDA Advisory team for GDPR will be available to answer any questions you, as the Board/Managing Committee/OA Management company, may have in this regard.
As mentioned above, for queries from your EU members related to the Right of Access, Right to Data Portability, Right to Erasure and Right to Object where you need ADDA’s help, please raise a support ticket.
Select Category: Work Request Non Accounting > Other. Our team will guide you. (Please attach proof of EU citizenship for the concerned member. Collect only the minimum needed to confirm identity and in-scope status; an identity document is itself personal data, so do not keep copies longer than the ticket requires.)
NOTE: Those of us who are not EU citizens may appreciate the data protection provided by GDPR and wish it applied to users of all citizenships.
However, while it does not, let us ensure we do not overload our Association’s limited resources with GDPR queries. Let us help our Associations abide by the laws that are relevant to them, and respect their limited time and resources.