WorldBrainWave is fully compliant with GDPR (General Data Protection Regulation).
The EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), approved by the European Parliament in 2016, is the most important change within data protection regulation in 20 years. It replaces the Data Protection Directive 95/46/EC and local law and regulations across the EU/EEA. The new regulation is designed to strengthen the individual’s rights to privacy and harmonize data privacy laws across Europe.
What does GDPR require from you as a user / customer?
In general, GDPR requires you to:
- Document and assess all processing of personal data and the systems being used. The purpose and lawfulness of the processing should be defined and you should make sure you do not process personal data that is not needed for the defined purpose.
- Ensure the organisational and technical security of the processing, and be able to demonstrate it. Assess your internal processes for data retention and security, and document them. Ensure that your own technology can provide sufficient technical security, and document it.
- When you are using third-party services, like ours, to collect and process personal data, you need to make sure that the data processing requirements are compliant with GDPR. You are in control of the management of your study data and therefore fully responsible for keeping this data safe. WorldBrainWave can never be held responsible and/or liable for any damages caused by using our services. Once data is collected, copied or downloaded from the site, the user is responsible for the data.
- When acquiring personal data, it is wise to perform a risk analysis – a Data Protection Impact Assessment (DPIA). It will help you in documenting compliance.
- Participants (or data subjects) have stronger rights under GDPR. Preferably, our users / customers need to have a process in place for taking data subject requests, and for assessing the validity of the requests.
- A particularly important data subject right is transparency and information. Make sure the information to your participants on everything required under GDPR is easily accessible, including how they can exercise their rights. If your participants are under the age of 18 (‘minors’), you should make sure this information is available to parents too.
- Review our policy, whose purpose is to regulate the rights and duties pursuant to the European Data Protection Legislation, including the GDPR regulations, applicable to the data controller in connection with our service.
If you are located in the European Union, you have certain additional rights with respect to your personal information under the General Data Protection Regulation, including the following:
- The right of access to your personal information or provided information as a user / customer or as a participant, respondent or data study subject.
- The right of erasure of personal data as a user / customer or as a participant, respondent or data study subject.
- The right to rectify your personal information if it is incorrect or incomplete.
- The right to withdraw your consent to our processing of your personal information at any time (if our processing is based on consent).
- The right to object to our processing of your personal information (if processing is based on legitimate interests).
- The right to object to our processing of your personal information for direct marketing purposes.
- The right to receive your personal information from us in a structured, commonly used and machine-readable format, and the right to transmit your personal information to another controller without hindrance from us (data portability).
You may contact us at firstname.lastname@example.org to exercise any of the above rights. We may request specific information from you to confirm your identity, and in some circumstances, we may charge a reasonable fee for access to your personal information. Furthermore, if you believe that our processing of your personal information is inconsistent with your data protection rights under the GDPR and we have not adequately addressed your concerns, you have the right to lodge a complaint with the data protection supervisory authority of your country. For purposes of the GDPR, we are a ‘controller’ and you are a ‘data study subject.’