GDPR, or General Data Protection Regulation, is the most comprehensive EU data privacy law in over 20 years. It strengthens users’ rights regarding their personal data and its purpose is to harmonize data privacy laws across Europe.
This new law replaces the Data Protection Directive 95/46/EC, which was introduced in 1995 when only 1% of Europeans had access to the Internet. Given that in 2016, 85% of European households had access to the Internet, the old Data Protection Directive clashed with the realities of modern-day Internet use.
The EU General Data Protection Regulation is a major new European data protection law that came into effect on 25 May 2018.
At its core, the GDPR is about people's right to view, change, access and understand what is done with their data. It provides necessary and important empowerment for everyone who uses online services. For these reasons, we understand and support the goals of the GDPR and see it as the beginning of building a global data protection standard that will benefit everyone.
Trust and security have always been key components of our core values. Cobot takes users’ security and privacy very seriously (both for space operators and members) and avoids any unnecessary data exposure. While we are committed to making Cobot as secure and transparent as possible, we also encourage all of our users to take ownership of their data, ask questions, and work with us to improve our product.
The GDPR defines personal data as any piece of information that can be used on its own or in conjunction with other data to directly identify a natural person. This means, for example, that once your space begins storing members’ names, emails, physical addresses, phone numbers, or other personal data of so-called EU Data Subjects, you are processing EU personal data under the GDPR.
Personal data also includes, but is not limited to, information about hobbies, memberships or payment details, as well as physical, economic, cultural or social identity.
In a nutshell, the new data protection law applies to all companies that process personal data of Data Subjects residing in the European Union, regardless of the companies’ location.
Although most of the information online refers to the data protection of “EU citizens,” the GDPR uses the term “Data Subject” instead of “Citizen” or “Resident,” meaning any “natural person whose personal data is processed by a ‘controller’ or ‘processor,’” “regardless of their nationality or residence.”
Most likely, yes. This privacy overhaul has significant implications for every organization that deals with EU Data Subjects (meaning both EU residents and citizens), regardless of where that data is processed, so it will have a global impact. Moreover, while there is a great deal of uncertainty about the GDPR outside of the EU, you should keep in mind that the GDPR may set the standard for privacy regulations in other countries too, which could give you a competitive advantage in the future.
Our team is building all the necessary features that will enable you to lawfully add and process your member data. For example, consent requests must be made in intelligible and easily accessible forms. Furthermore, consent must be distinguishable from other matters and be easy to withdraw. Our new features will enable you as space administrators to inform your members more clearly about the purpose of your data requests and their processing.
In addition to this, your members will have control over the information they give you. Cobot’s new features account for the right of members to obtain confirmation as to whether or not their personal data is being processed, where it is processed, and for what purpose (also known as the “right to access”).
At Cobot, these principles have already been guiding our development standards, and the new regulations defined by the GDPR will add even more data protection features to our product:
The GDPR has different requirements depending on how you handle personal data, and handling personal data is a joint responsibility.
“Data Controllers” are organizations that collect data and decide why, how, and for how long that data is processed.
“Data Processors” are organizations that carry out the data processing on behalf of a Data Controller. Here at Cobot, we’ve been updating our product according to the GDPR regulations to make sure that we provide you with mechanisms to help you lawfully process and keep your members’ data. Still, there will be a few things that Cobot can’t take care of for you, because they concern how you manage your space and how you relate to your members.
As a Data Processor, we will implement the necessary features, but coworking space operators — as Data Controllers — will need to take the new requirements into account as well when on-boarding new members and processing their information.
We (Upstream-Agile GmbH) have contracts with core services that we pay for (Amazon, Salesforce (Heroku), Intercom, Google, etc.) and others where possible. If you are using these services outside of or via an integration with Cobot (Google in particular), then the data is processed under the EU-Privacy Shield. You are not able to create a contract (Data Processing Agreement) unless you use their business service. This then falls under your responsibility if you are using their accounts and services.
Please note that this post is for informational purposes only, and should not be relied upon as legal advice. The GDPR is undeniably very complex, and while we want to help our users prepare for the change, GDPR could affect your business outside of how you use Cobot. We encourage all our users to educate themselves and have added a few links above to this effect. If you have further questions and want a precise overview of how the GDPR might affect your space, we recommend seeking the advice of a specialised lawyer.