GDPR and Multi Me: A Guide
Understanding GDPR
The General Data Protection Regulation (GDPR) is a European law that strengthens individuals' rights regarding their personal data. It also imposes stricter regulations on how organisations process and manage this data, whether it’s digital or offline (paper-based).
Key GDPR Principles:
- Enhances rights: Gives individuals more control over their personal data.
- Stricter rules: Organisations must adhere to strict standards when processing data.
- Applies to all data: Covers both online and offline records.
At Multi Me, we support these regulations and are committed to giving users full control over their data. Unlike many social networks, we do not sell or share your data with third parties for profit. Our goal is to provide a safe platform that prioritises transparency and user control.
Roles and responsibilities under GDPR
The Data Subject
The data subject is the individual whose personal data is being processed. For example, if a user inputs information about you or your child into Multi Me, you or your child are considered the data subjects.
Data Controllers
A Data Controller is the person or organisation that determines how and why personal data is processed. In the context of Multi Me, organisations such as schools, care providers, or local authorities using the platform are the Data Controllers when they input and manage data about individuals on the system. They are responsible for ensuring the lawful collection and processing of this data.
Data Processors
A Data Processor processes personal data on behalf of the Data Controller. Multi Me Ltd. acts as a Data Processor for data added to the platform by organisations (Data Controllers). Multi Me also relies on trusted third-party services (e.g., Amazon Web Services) for data hosting, and these third-party services must also comply with GDPR.
When Multi Me collects personal data directly from customers (e.g., for direct purchases or account management), Multi Me also acts as a Data Controller for that specific information.
What is Personal Data?
Personal data refers to any information that can identify an individual. Examples include:
- Name and surname
- Home address
- Email address (e.g., name.surname@company.com)
- Identification card numbers
- Location data (e.g., mobile phone location)
- IP addresses and cookie IDs
- Medical information, photographs, and videos (all media stored in Multi Me is treated as personal data)
Multi Me’s GDPR compliance
Multi Me is fully GDPR compliant. As both a Data Controller (for direct customers) and a Data Processor (for users on behalf of organisations), we:
- Keep records of data processing activities.
- Maintain robust data security across our platform.
- Collect data transparently and ensure consent is given where needed.
- Ensure our third-party providers also comply with GDPR.
- Notify individuals and regulators in the event of a data breach.
Our Privacy Policy and Cookie Policy explain how we handle your data, how consent is gathered, and the security measures in place.
About families and friends using Multi Me
Families and friends using Multi Me are not considered Data Controllers or Data Processors under GDPR. However, it is important to follow good practices, such as asking permission before uploading photos or sharing personal information.
Organisations using Multi Me
When organisations like schools or care providers use Multi Me, they are responsible for ensuring GDPR compliance as Data Controllers. This means they must manage and protect any personal data they input into the platform. Multi Me Ltd. acts as the Data Processor in this scenario, processing data based on the organisation’s instructions and ensuring it is handled securely.
If organisations invite families to join, the organisation must inform families how their data will be used, as outlined in their own privacy policy.
Providers purchasing or hosting accounts for individuals
If an organisation, such as a school, purchases or hosts Multi Me accounts, it is the Data Controller for any information added to the platform. Multi Me processes this data under the organisation's instructions, and the organisation is responsible for safeguarding and compliance.
Individuals/families inviting organisations to join a Circle
If a school, for example, accesses the software with permission sent by the family, whether the school is a Data Controller depends on whether any information is downloaded or transferred to the school’s system. In cases where the school retains a copy of the data or adds new information about the individual into Multi Me, the school becomes the Data Controller for that data.
Providers hosting accounts for individuals and inviting families, carers or professionals to join a Circle
When a school or provider purchases/hosts Multi Me accounts and manages the data of individuals using the platform, they are the Data Controller for the data they collect. If the organisation requires Multi Me to access the data for system administration or technical support, Multi Me then acts as a Data Processor.
Families must be aware of how a school or provider uses their data if the organisation is hosting the system. This should be outlined in the school/provider’s privacy notice. The organisation is responsible for safeguarding the data, only sharing it in appropriate circumstances, and ensuring that data is deleted after a certain period, as required by GDPR.
Your questions about GDPR
If you have any questions about GDPR or how we handle data, please contact us at: privacy@multime.com. If you have questions about specific data on Multi Me, please contact the organisation or individual that added the data.
For more information on GDPR compliance, you can also visit the Information Commissioner’s Office (ICO).