Off the Record Music Sales
The General Data Protection Regulation (GDPR) was set by the Council of the European Union and the European Parliament to strengthen and unify data protection for all individuals in the European Union (EU). The GDPR concentrates on giving citizens and residents control over their personal data and on simplifying the regulatory environment for international business by unifying the regulation across the EU. The regulation documents the idea that an individual's personal data must be protected, because it is a fundamental right to security and justice in the market. The regulation was adopted on 27 April 2016, so you must follow the regulations for the customers of OTR in the
The primary information that must be protected by Off the Record Music Sales (OTR) for its customers in the European Union is "Personal Data", the information which can be used to identify an individual as a person by any means. The information is:
§ and Billing Address
§ Credit Card
§ IP and MAC
Data can be processed only if there is at least one lawful basis to do so. The lawful bases to process the information are:
§ The information subject has given consent to process the data for specified
§ Processing is critical for compliance with a legal obligation to the user.
§ Processing is critical to protecting the important assets of the customer or of another person.
§ Processing is important for the performance of a task administered in the public interest or in the exercise of official authority vested in the controller.
§ Processing is important for the legitimate interests pursued by the controller or by a 3rd
In accordance with the GDPR, where data processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of personal data. You must receive the consent of the person through a "freely given, specified, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement" (Art. 1 (32)). The person has the right to withdraw consent at any time. The withdrawal will not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
Controller and Processor
According to Article 4 of the EU GDPR, a controller is "a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". The processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller". The controller is responsible for demonstrating compliance with the principles relating to the processing of personal data. Where processing is carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement technical and organizational measures that meet the requirements of the GDPR.
Data Breach and Notifications
Data processors must report personal data breaches to data controllers. Data controllers must report the data breach to the superior authority within 72 hours and, in some cases, to the affected individuals. Data controllers must have an internal
Fines for infringement will be considered on a case-by-case basis and will take many criteria into consideration, such as the intentional nature of the infringement, the number of subjects affected and previous infringements by the data controller or processor.
The lower level of fine is up to €10 million or 2% of the company's global annual turnover. This includes infringements relating to:
§ Data protection by design and by default.
§ Records of processing activities.
§ of superior authority.
§ Data breach notification to the superior authority.
§ between the customers.
§ Data impact
Data relating to criminal convictions
The processing of personal data relating to criminal offenses should be carried out only under the control of an official authority or under Union or Member State authorization providing safeguards for the rights and freedoms of data subjects.
To ensure that the GDPR is implemented, the following measures must be implemented to prevent issues, breaches, and offenses.
§ All the data storage devices at OTR must be encrypted, with multi-factor authentication.
§ Backups must be implemented on site and off site. The data backups must be encrypted, and multi-factor authentication must be implemented on the backups.
§ Employees must be able to access the data of the customers under the GDPR
§ Employees handling the customer's data must be trained and aware of the standards of processing the information upon
§ If customer data is compromised, it is the company's responsibility to notify the customer within the given 72 hours of the breach as per the GDPR standards.