What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. The regulation outlines that EU residents will now have greater control over how their personal data is stored, processed, and used by organizations within or outside the EU or EEA. All organizations that process data of EU residents come under the purview of this regulation, irrespective of their location.
This regulation came into effect on May 25, 2018.
For more information on GDPR, see EU GDPR Official Website.
QR API’s Commitment
Trycon Technologies Private Limited (parent company of the product QR API) has always been committed to protecting the data of its customers and users, both through robust internal security processes and through technological tools, irrespective of where our customers and end-users are located across the globe. With GDPR coming into effect, the company is taking extra measures to ensure that the QR API product is GDPR compliant.
QR API's GDPR Compliance
As a Data Controller, QR API is responsible for the way it collects, processes, and stores customer data. To achieve GDPR compliance, we have taken a series of measures so that Data Subjects not only have full control over the data they share, but also have that data protected at every stage.
Here is what QR API is doing to be GDPR compliant:
1. Full Transparency
To honor the ‘Right to be informed’ principle of GDPR, we have:
- Revamped our application interface to ensure that the customer understands in a clear and concise way at each stage what data is required and for what purpose
- Ensured that no Personally Identifiable Information (PII) of the customer can be collected without the explicit consent of the customer
2. Data Control
To honor the ‘Right of Access’, ‘Right to Rectification’, ‘Right to Erasure’, ‘Right to Restrict Processing’, and ‘Right to Data Portability’ principles of GDPR, we have:
- Set up processes that allow customers to request a download of all data connected with them, and that serve such requests in a timely manner. Within a short period of time, we will be adding this feature to our application interface so that customers can take this action on their own, without any delay
- Set up processes that allow customers to easily edit their personal information (if any) at any time
- Set up processes that allow customers to request deletion of all data connected with them, and that serve such requests in a timely manner. Within a short period of time, we will be adding this feature to our application interface so that customers can take this action on their own, without any delay
- Within a short period of time, we will be adding a feature that allows customers to control how often they receive transaction alerts, notifications, reports, and other content via email
- Applied data minimization, so that we collect only the data points we need to serve our customers well and eliminate all unnecessary data points
- Set up processes to ensure that we retain data for a maximum of 26 months after a customer has ceased to use our products and services by not renewing their subscription (as opposed to ‘account delete’, where all data is erased immediately)
3. Data Security
As part of our GDPR compliance strategy, we have laid special emphasis on data security measures. Specifically, we have:
- Ensured that all data, at rest or in transit, is secured via encryption using methods such as AES-256 and SSL
- Ensured that access to customers’ data is limited to select personnel only
- Ensured that access to servers and third-party applications is protected using multi-factor authentication to prevent unauthorized access
- Added a layer of registered email verification that ensures only real customers use our products and services
- Set up logging on our servers and apps to provide investigation capabilities and accountability
- Set up processes to notify regulatory authorities and affected customers about data breaches within 72 hours