General Data Protection Regulation
Effective May 2018, the General Data Protection Regulation (GDPR) was drafted and passed by the European Union (EU). It imposes obligations on organizations anywhere in the world, so long as they target or collect data related to people in the EU.
GDPR is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). Its primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.
The GDPR does not necessarily apply to every EU citizen. Its requirements depend on the physical location of the person whose data is being used, rather than on their citizenship. If an EU citizen purchases an item while traveling or living in the United States, and their data is then stored by an American company on U.S.-based servers, the GDPR would not apply.
Conversely, if an American citizen is living or staying in the EU for an extended period, the GDPR can apply to the use of his or her data. U.S. citizens who are living in the United States are not subject to these requirements.
A data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data controllers are key decision-makers. They have the overall say and control over the reason and purposes behind data collection and the means and method of any data processing.
Some data controllers may be governed by a statutory obligation to collect and process personal data. According to Section 6(2) of the 2018 Data Protection Act, if an organization is under such an obligation and processes personal data to comply with it, it will be classed as a data controller.
A data controller can be:
- A private company or any other legal entity – including an incorporated association, an incorporated partnership, or a public authority.
- An individual person – such as a partner in an unincorporated partnership, a sole trader, or any self-employed professional.
A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
A data processor is an organization that processes data on behalf of a data controller, such as a cloud service provider. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Xano will typically act as the data processor for any personal data made available by your customers.
The GDPR applies to all organizations, based inside or outside the EU, that process the personal data of EU individuals. According to the European Commission, personal data is any information relating to an identified or identifiable natural person.
- Xano clients will usually act as the data controller for any personal data made available to Xano.
- Xano is a data processor for any personal data made available by our customers.
Xano offers a GDPR-compliant DPA (Data Processing Agreement) for customers with GDPR contractual obligations. The GDPR-compliant DPA is available for Launch, Scale, Enterprise & Agency Plans by filling out this request form.
Please note that GDPR requirements will be covered only for customers that sign the DPA and acquire a GDPR-compliant plan. All other plans will not cover GDPR requirements.