GitLab treats every users' data the same regardless of their local regulations because we take privacy seriously. Still, there are some privacy laws that get a lot of attention, so we want our team members to understand what they are about. Below are some explanations of laws you may have already heard of.
The General Data Protection Regulations came into effect in the European Union in May 2018. Anyone who handles personal information of Europeans must comply. In the European Union, privacy of personal information is a personal right belonging to the owner of the information and cannot be commoditized, utilized, processed without that person’s consent. The European Union (EU) and European Economic Area (EEA) diligently try to preserve the rights of their citizens but such efforts were without coordinated and express direction – until now. The GDPR reflects a unified approach to handling personal, sensitive information in the EU/EEA.
The regulation is implemented in all local privacy laws across the entire EU and EEA region. It applies to all companies selling and storing personal information about citizens in Europe, including companies on other continents.
Data that can directly or indirectly identify a person is covered by GDPR. GDPR provides citizens of the EU and EEA with greater control over their personal data and assurances that their information is securely protected. According to the GDPR directive, personal data is any information related to a person such a person's
The right to access – Individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered.
The right to be forgotten – Individuals can withdraw their consent from a company to use their personal data; they have the right to have their data erased.
The right to data portability – Individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine readable format.
The right to be informed – this covers any gathering of data by companies. Individuals must be informed before data is gathered. Individuals must opt in for their data to be gathered, and consent must be freely given rather than implied.
The right to have information corrected – Individuals can have their data updated if it is out of date, incomplete or incorrect.
The right to restrict processing – Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
The right to be notified – If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
The California Consumer Protection Act (CCPA) took effect on January 1, 2020. Similar to GDPR, CCPA is intended to protect person information and also articulates the rights that California consumers have regarding their information. CCPA applies specifically to residents of California.
The definition of Person Information in CCPA is very similar to GDPR's definition of Personal Data: "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The rights to disclosure of data collected and sold. Consumers have the right to request access to their personal information and to ask how their data is used by the company after it has been gathered. If the information is being shared or sold, this must be disclosed when requested.
The right to deletion. Consumers can request a company delete their personal information.
The right to opt out of sales of Personal Information. If a company sells personal information, consumers have the right to opt out.
The right to non-discrimination. If a consumer exercises their rights under CCPA, the business may not discriminate against the consumer. For instance, they company cannot deny service or charge different rates to a consumer who exercises their rights under CCPA.