GDPR – recently adopted legalization describing personal data security and how it must be regulated. It is related to European companies, but it will affect website owners and developers outside of Europe. It means that if your website gathers personal data from people in Europe (or if your code is used by sites that do), you will be under the GDPR.

What is the GDPR?

GDPR (The General Data Protection Regulation) is an EU law that went into effect starting on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and to change the data privacy approach of organizations around the world.

Recently, you have received many emails from services like Facebook with new rules on data privacy. That is because the EU is putting harsh penalties on those who do not meet the requirements.

  • Penalties

The business structures, which do not follow central GDPR regulations, can face large fines of up to 4% of a company’s annual global revenue or €20 million.

Note: Even if the GDPR has heavy fines, you will not be fined at once. The EU starts with a warning, then a reprimand, and then a suspension of data processing. Only if you continue breaking the law the EU will inflict large fines.

What does GDPR require?

GDPR is aimed at protecting users' personal data and control businesses on how they collect, store, and use this data. Personal data includes first names, last names, emails, physical addresses, cookies, IP addresses, passwords, photos, company names, and everything that describes users.

The GDPR regulation is 100 pages long. You may be acquainted with it in PDF format.
However, we gathered the essential GDPR requirements you need to know:

1. Consent
Now you can’t send complicated terms and conditions with long and unnecessary texts via emails. The GDPR requires consent to be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.

2. Breach notification
The business structures now must notify agencies about breaching data within 72 hours of first becoming aware of the violation. Data processors are required reporting their customers after first becoming aware of a data breach.

3. Right to access
The controller must provide users with a copy of their personal data, free of charge, in an electronic format. This change leads to data transparency and empowerment of data subjects.

4. Right to be forgotten
Businesses can’t sell customers’ data without their agreement. The organizations must delete users' accounts and unsubscribe them from emails if it is requested by users. The business structures must report data violations and use data protection properly.

Does Short.cm abide by GDPR?

Yes, Short.cm meets GDPR’s requirements.
Due to GDPR’s consent regulation, by creating a Short.cm account, you agree to Short.cm’s privacy policy and terms of service.

Among the types of personal data that Short.cm collects by itself or through third parties, there are cookies, email addresses, usage data, passwords, first names, last names, pictures, and company names.

The personal data is stored privately in AWS S3 in Virginia in the United States and is never shared with third-party services.