SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based
company that allows anyone to buy and sell cryptocurrencies via its online platform.
The company stores and processes the personal data of its customers in a
dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on
the platform. They then must successfully pass a Know Your Customer (KYC) due
diligence procedure aimed at preventing money laundering and ensuring
compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by
reading a disclaimer written in bold and ticking a checkbox on a separate page in
order to get their account approved on the platform.
All customers must likewise accept the terms of service of the platform. The terms
of service also include a privacy policy section, saying, among other things, that if a
customer fails the KYC process, its KYC data will be automatically shared with the
national anti-money laundering agency.
The KYC procedure requires customers to answer many questions, including
whether they have any criminal convictions, whether they use recreational drugs or
have problems with alcohol, and whether they have a terminal illness. While
providing this data, customers see a conspicuous message saying that this data is
meant only to prevent fraud and account takeover, and will be never shared with
private third parties.
The company regularly conducts external security testing of its online systems by
independent cybersecurity companies from the EU. At the final stage of testing, the
company provides cybersecurity assessors with access to its central database to
review security permissions, roles and policies. Personal data in the database is
encrypted; however, cybersecurity assessors usually have access to the decryption
keys obtained while running initial security testing. The assessors must strictly
follow the guidelines imposed by the company during the entire testing and auditing
process.
All customer data, including trading activities and all internal communications with
technical support, are permanently stored in a secured AWS S3 Glacier cloud data
storage, located in Ireland, for backup and compliance purposes. The data is
securely transferred to the cloud and then is properly encrypted while at rest by
using AWS-native encryption mechanisms. These mechanisms give AWS the
necessary technical means to encrypt and decrypt the data when such is required
by the company. There is no data processing agreement between AWS and the
company.
Should Jane modify the required GDPR rights waiver for non-European residents?
The GDPR applies to the processing of personal data of data subjects who are in the EU, regardless of their nationality or residence. This means that non-EU residents who are physically located in the EU are protected by the GDPR, and EU residents who are outside the EU are not. However, this does not mean that non-EU residents who are outside the EU can be asked to waive their GDPR rights by a company that is subject to the GDPR. The GDPR does not allow such waivers, as they would undermine the essence of the fundamental rights and freedoms of data subjects. The GDPR also requires that data subjects are provided with clear and transparent information about the processing of their personal data, and that they give their consent freely, specifically, informedly and unambiguously. A blanket waiver of GDPR rights does not meet these criteria, and would therefore be invalid and unenforceable.
* GDPR Article 3 - Territorial scope1
* GDPR Article 7 - Conditions for consent2
* GDPR Article 25 - Data protection by design and by default3
* GDPR Recital 171 - Relationship with previously concluded agreements4
Coral
6 months agoAlethea
6 months agoJoana
6 months agoCarey
7 months agoFrancine
7 months agoSherell
7 months ago