Notice Frame GDPR FAQ

What is the GDPR?
The GDPR is the European Union’s new data protection law. GDPR stands for General Data Protection Regulation. It replaces the Data Protection Directive (“Directive”), which had been in effect since 1995. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data.

The principles are broadly similar to the principles in the Data Protection Act 1998 (the 1998 Act).

1998 Act | GDPR
Principle 1 – fair and lawful | Principle (a) – lawfulness, fairness and transparency
Principle 2 – purposes | Principle (b) – purpose limitation
Principle 3 – adequacy | Principle (c) – data minimisation
Principle 4 – accuracy | Principle (d) – accuracy
Principle 5 – retention | Principle (e) – storage limitation
Principle 6 – rights | No principle – separate provisions in Chapter III
Principle 7 – security | Principle (f) – integrity and confidentiality
Principle 8 – international transfers | No principle – separate provisions in Chapter V
(no equivalent) | Accountability principle

The 8 basic rights of GDPR for individuals
  1. The right to access – this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
  2. The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
  3. The right to data portability – individuals have a right to transfer their data from one service provider to another, and the transfer must happen in a commonly used and machine-readable format.
  4. The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
  5. The right to have information corrected – this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
  6. The right to restrict processing – individuals can request that their data not be used for processing. Their record can remain in place, but must not be used.
  7. The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
  8. The right to be notified – If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.

When will the GDPR come into effect?
The GDPR took effect on May 25, 2018. Although the GDPR became law in April 2016, a two-year transition period was included because of the significant changes some organizations needed to make to align with the regulation.

GDPR is tougher on organizations
Although the rules differ somewhat, the GDPR applies to organizations that collect and process data for their own purposes ("controllers") as well as to organizations that process data on behalf of others ("processors"). In addition, unlike the current Data Protection Directive, both controllers and processors can be held accountable for failing to comply with GDPR.

This new data protection regulation puts the consumer in the driver’s seat, and the task of complying with this regulation falls upon businesses and organizations.

The conditions for obtaining consent are stricter under the GDPR: the individual must have the right to withdraw consent at any time, and consent is presumed invalid unless separate consents are obtained for different processing activities.

This means you have to be able to prove that the individual agreed to a certain action, for instance to receive a newsletter. Consent may not be assumed or obtained through a disclaimer, and providing an opt-out option is not enough.

Who does GDPR apply to?
The GDPR applies to companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU and that collect and analyze data tied to EU residents (personal data). The GDPR applies no matter where personal data is processed and imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:

  1. Requiring transparency on the handling and use of personal data.
  2. Limiting personal data processing to specified, legitimate purposes.
  3. Limiting personal data collection and storage to intended purposes.
  4. Enabling individuals to correct or request deletion of their personal data.
  5. Limiting the storage of personally identifiable data for only as long as necessary for its intended purpose.
  6. Ensuring personal data is protected using appropriate security practices.

Does GDPR apply to Notice Frame?
To the extent Notice Frame processes EU personal data, yes, GDPR applies to Notice Frame.

To the extent that Notice Frame stores customer details (for example when emails are received or purchases of the app are made), Notice Frame will comply with the GDPR, will process and use customer information only for the purposes for which the customer’s consent has been obtained, and will hold the information securely and for no longer than is necessary.

However, the inventors of Notice Frame want to have as small a footprint as possible where holding and managing personally identifiable information is concerned. As a result, the development of the app and its intended use have been shaped by this desire to ensure customer data is safeguarded. To this end the following features apply to the app:

We have not included task sharing in version 1 of this app. When sharing is included in later versions, the intention is to limit it to sharing between users only (i.e. personal sharing of data that does not involve a public platform). Sharing will not involve storing customer data on any Notice Frame servers, but will be limited to customers emailing one another directly (from personal device to personal device).

The reason for making this choice relates to an assessment of the benefits of an open platform where users can post and exchange task pictures versus one where task sharing is private between individuals who have given their consent to share one another’s task pictures.

In our assessment, the purpose of the Notice Frame app leans more towards a personal activity. The use and sharing of images is well established, and there are many platforms that users can utilise to exchange pictures. Added to this, certain tasks or events may be very personal to the user. It was therefore felt that investing in servers and platforms to share task pictures in the initial stages of implementation was not only economically limiting, but also went against one of the main benefits of the app, namely to encourage users to unlock their imagination by creating task pictures that really suit their personal circumstances rather than utilising pictures created by others.

However, the pending desktop version of Notice Frame, which is a more powerful application, will make use of servers, and Notice Frame Limited will adhere to the requirements of the GDPR.

What is personal data under the GDPR?

  • Understanding whether you are processing personal data is critical to understanding whether the GDPR applies to your activities.
  • Personal data is information that relates to an identified or identifiable individual or natural person (‘data subject’).
  • What identifies an individual or natural person could be as simple as a name, a number or an email address, or could include other identifiers such as an IP address or a cookie identifier, or other factors, such as one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
  • If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
  • Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
  • When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
  • It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
  • Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of the GDPR.
  • Information which is truly anonymous is not covered by the GDPR.

If information that seems to relate to a particular individual is inaccurate (i.e. it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.

What are Processors and Controllers under GDPR?
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf and under the direction of the controller.

What are the responsibilities of a Controller?
A controller is directly responsible for complying with data protection laws. This includes requirements to:

  • provide notice of processing to the data subject;
  • confirm legitimacy and proportionality for the processing of personal information;
  • assure that disclosures to third parties are made in accordance with appropriate contractual terms and otherwise in compliance with applicable law;
  • establish adequate measures to protect the cross-border transfer of personal information outside the EU; and
  • establish appropriate controls over processors who process personal information on the controller’s behalf, including:
      ◦ assuring processors maintain appropriate security measures,
      ◦ confirming the engagement of sub-processors in compliance with applicable rules, and
      ◦ assuring adequate protections for cross-border transfers.

Is Notice Frame a Processor or Controller under GDPR?
Notice Frame is both a controller and a processor under GDPR.

For example, a processor may be required to maintain records of personal data and processing activities. If the processor is responsible for a breach, the processor will have a legal liability. However, the controller is not absolved of blame, as it has a legal obligation to ensure that its contracts with processors comply with the GDPR. Notice Frame both maintains records (processor) and takes decisions on how data is to be used (controller).

What terms apply to use of Notice Frame?
Notice Frame is delivered under the data protection policies and procedures of Notice Frame Limited as a data controller, which include the following:

  • Maintains a Privacy Statement for the iOS version of Notice Frame at https://www.apple.com/legal/privacy/ and for the Android version of the app at https://policies.google.com/privacy, which explains to consumers how Notice Frame collects and processes personal information as a data controller.
  • Maintains appropriate processes to select, contract with, and monitor the data processing activities of vendors that process personal information on behalf of Notice Frame Limited.
  • To the extent you have questions about what this means for your business, we encourage our customers to work with a legally qualified professional to discuss the GDPR, how it applies specifically to their organization, and how best to ensure compliance.
  • Notice Frame Limited has a Privacy Policy, which can be viewed at the link below:
    https://app.termly.io/document/privacy-notice/ad3f42c5-d0b5-47c7-8e37-77eeabe717d1

Notice Frame is an app that is sold wholly within the Apple App Store and Google Play Store.

As such, its terms, privacy and legal status are governed by those used in the App Store and Google Play Store.

Terms

Apple (iOS) https://www.apple.com/legal/internet-services/

Android https://policies.google.com/terms

Privacy

Apple (iOS) https://www.apple.com/legal/privacy/

Android https://policies.google.com/privacy

Legal

Apple (iOS) https://www.apple.com/legal/contact/

Android https://support.google.com/legal/answers/3110420

Is Notice Frame GDPR Compliant?
Notice Frame is committed to being GDPR compliant.

How does Notice Frame comply with Data Subject Rights?
Notice Frame honors data subject rights as follows:

Data subjects can contact Notice Frame from the Notice Frame website to request the correction or deletion of personally identifiable data held on the website.

Where are Notice Frame's Servers located?

The web host provider’s main database is in Germany, and the databases relating to the UK are held in Gloucester.

Android App Permissions Explained

Keeping your data safe and secure is very important to us. To find out more, please read our Privacy Policy.

When you download Notice Frame for Android, we ask for a range of ‘permissions.’ In this article, we'll be explaining why we ask for each permission and what each is used for:

Take Pictures and Video

This permission allows your Android phone to capture images to be used in creating your task lists. Only you and those you give access to have access to your images.

Modify or delete the contents of your SD Card

This permission allows your Android phone to read the contents of your SD Card. This is important as you may wish to save your images on your SD card in order to save space on your mobile device.

Run at start up

Notice Frame is an app that counts time, so to function in the background it needs to know the internal time of the mobile device.

Network Communication or Full Network Access

This enables access to the internet, for example to link to the Legal, Privacy and Terms pages on the Google and Apple websites. This permission will also be used to allow your Android phone/tablet to both receive and send updates/data to and from other devices or our servers. Your data will be sent through a secure and encrypted connection.

Prevent Phone From Sleeping

This is only used if Notice Frame is open and running the Slideshow. We prevent your phone/tablet from sleeping during the Slideshow to make sure that you can enjoy keeping time on the progress of your appointments for as long as you wish to run the Slideshow.