
GCERTI Roadmap to Compliance for General Data Protection

Owner and Data Controller
15F, #88, Eunpyengo-ro, Eunpyeong-gu, Seoul, Korea
Owner contact email: gcerti@gcerti.com


1. Introduction to the GDPR

The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) was adopted in April 2016, published in the Official Journal of the European Union in May 2016, and has applied since 25 May 2018. It is binding in its entirety and directly applicable in every Member State. A major component of the GDPR is transparency: providing individuals with accessible information about the collection and use of their personal data.

Regulatory focus
The Regulation lays down rules on the protection of natural persons with regard to the processing of personal data, as well as rules on the free movement of such data.
It protects the rights and fundamental freedoms of natural persons, in particular their right to the protection of personal data.

Lawful Basis
Under the GDPR, every company and organization must have a lawful basis for all processing and storage of personal data. Some companies or organizations may qualify for an exemption or derogation; without one, or without a lawful basis, processing or storing personal data is considered “prima facie unlawful.”

2. What is Personal Data?

- Any information relating to an identified or identifiable natural person (‘data subject’);
- An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Categories of personal data include:
  • Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
  • Looks, appearance and behaviour, including eye colour, weight and character traits.
  • Workplace data and information about education, including salary, tax information and student numbers.
  • Private and subjective data, including religion, political opinions and geo-tracking data.
  • Health, sickness and genetics, including medical history, genetic data and information about sick leave.
  • Examples: names, addresses, National Insurance (NI) numbers, email addresses, IP addresses, CCTV images.


3. Definition of certification scope

A certification audit is performed to evaluate the implementation of the technical standard, including the effectiveness of the organization’s procedures.

- A certificate valid for 3 years is issued upon a satisfactory result
- Surveillance audits verify that the procedures continue to fulfil the requirements of the standard and monitor continual improvement
- Re-certification after 3 years confirms the continued conformance and effectiveness of the procedures as a whole


4. GCERTI Roadmap for General Data Protection

4-1) How GCERTI collects and uses personal data

This Roadmap applies to the following:

- Potential and certified clients of GCERTI for the engagement of any types of certification services;
- Delegates attending GCERTI training courses;
- Subcontractors (trainers, auditors, technical experts and/ or report reviewers) to be engaged/engaged by GCERTI, and
- Other stakeholders/ interested parties for any further business dealings.

Who is data protection certification for?
Organizations with employees are directly affected by the GDPR requirements for record keeping, but all organizations that process the personal data of natural persons in the EU for professional or commercial reasons are considered “controllers” or “processors” (who may process data on behalf of controllers) and fall within the scope of the Regulation. The processing of any data relating to a data subject in the EU is within scope, regardless of where the processing organization is incorporated, registered or listed.

The data lifecycle approach of the Regulation means that data protection is no longer a problem for the IT or marketing department alone, but one requiring a holistic approach across the organization.

Notes:
  1. REGULATION (EU) 2016/679
  2. As envisaged in GDPR Article 42
  3. There are some exceptions for public bodies processing data in order to enforce public security or for the prevention, investigation, detection or prosecution of criminal offences

4-2) Types of data collected

GCERTI collects personal data directly from the agency or individual concerned, either when they enquire about GCERTI services or when they are approached by a GCERTI employee or representative. This is usually done through the GCERTI enquiries mailbox, the intranet, face to face, by telecommunication (e.g. Skype) and/or by email with a GCERTI employee or representative.

The data collected may include, but is not limited to, the following:

- Full name, age, job title, phone number, email address, residential address, office address, identification number, passport number;
- CV, academic certificates and training certificates, history of auditing and/or training experience, professional registration, consulting experience;
- Financial and transactional data, such as credit card details for payment of services or courses, and invoices; and
- Any information voluntarily shared with GCERTI, such as feedback and opinions on GCERTI services.

4-3) Purposes for using the data

GCERTI may use the personal data for purposes that include, but are not limited to, the following:

- Preparing a proposal regarding the certification services or training courses offered by GCERTI;
- Preparing a subcontractor agreement for the engagement of audit, training, report review or technical advice services;
- Qualifying trainers, auditors, technical experts and/or report reviewers;
- Preparing audit plans and audit reports for the certification service rendered;
- Registering delegates and updating the relevant systems;
- Dealing with any complaints or feedback; and
- Meeting compliance and regulatory obligations, as required by accreditation bodies, training partners and/or local authorities.

Lawful Basis for Collecting Personal Information
The GDPR defines the lawful grounds for data processing; processing is lawful where one of the following applies:
- The data subject has given consent; or
- Processing is necessary for:

  • The performance of a contract with the data subject (or in order to enter into a contract)
  • Compliance with a legal obligation
  • Protecting the vital interests of the data subject or another person
  • The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • The purposes of legitimate interests (e.g. commercial interests, individual interests or broader societal benefits), which may include communications to clients (e.g. service announcements, product recalls)

4-4) With whom GCERTI shares the data

  • GCERTI employees, via access to client files (each agency can see only its own information);
  • IT service providers that set up and maintain GCERTI systems;
  • GCERTI authorized representatives, for the conduct of certification services; and
  • Accreditation bodies and/or local authorities, as required.

4-5) Retention time

Personal data shall be retained and stored for as long as reasonably necessary to fulfil the original purposes for which it was collected and to comply with applicable accreditation, legal and regulatory obligations; where such obligations require or permit it, a longer retention period may apply.

Agreement with agency : 6 years
Employment records : 6 years
Contracts, declarations of interest : 6 years
Audit reports : 3 years
Mailing : 1 year after the last action
Invoices : 10 years
Logo requests : 2 years from the last action

4-6) How GCERTI protects privacy

GCERTI observes strict security procedures in the storage and disclosure of information to prevent unauthorized access to, loss of, or destruction of personal data. These may include, but are not limited to, the following:

1) Physical security:
- keeping offices and storage units locked;
- keeping server rooms or cabinets locked;
- securing desktop machines and laptops to desks with cable locks;
- implementing clean desk policies;
- ensuring that fire and burglar alarms are in place and functioning correctly;
- ensuring that GCERTI equipment such as hard drives and old laptops, computers and mobile devices is securely disposed of at end of life
  (computers, photocopiers, mobile telephones, digital cameras, storage media).

2) Technical security:
- ensuring that all computing devices such as PCs, mobile phones and tablets run an up-to-date operating system;
- ensuring that all computing devices are regularly updated with the manufacturer’s software and security patches;
- using antivirus software on all devices;
- implementing a strong firewall.

3) Organizational security:
- providing training and awareness programs on security and privacy, so that GCERTI employees, subcontractors and GCERTI representatives understand the importance of protecting personal data and the means by which they must do so;
- documenting data collection and retention policies;
- ensuring the use of strong passwords by having a password policy in place that is enforced;
- documenting data back-up policies.

4) Personnel security: every individual employee, subcontractor, service provider, representative, training partner and so on is bound by the GCERTI Confidentiality Agreement.

4-7) The rights of data subjects

Data subjects may exercise certain rights regarding their data processed by the Owner.
- Access to personal information (managing personal data requests): You have the right to request what personal data GCERTI holds about you, subject to GCERTI’s right to verify your identity.

- Correction and deletion: You have the right to have your personal data corrected or amended if it is inaccurate or needs to be updated. You may also have the right to request the deletion of your personal information; however, this may not always be possible where legal requirements or other obligations require GCERTI to keep such data. If GCERTI is asked to delete your data, GCERTI may keep some minimal information about you in order to demonstrate that it has fulfilled its obligations.

- Filing a complaint: Any complaints about GCERTI’s adherence to the practices described in this Roadmap shall be addressed using the contact details given at the end of this Roadmap.

GCERTI reserves the right to update this Roadmap from time to time. This Roadmap was first established in June 2018.

GCERTI undertakes to collect and protect personal data in accordance with GDPR (European Union’s General Data Protection Regulation) data privacy requirements.

GCERTI offers the following management system services to organizations, according to their business context and sector:
- gap analysis against the GDPR;
- certification of professionals against the UNI 11697 standard;
- training;
- IT service certifications according to the ISO 27001, ISO 20000 and ISO 22301 standards.

If you have questions or concerns about your privacy, please write to us:
- by email at gcerti@gcerti.com; or
- in writing, to the relevant GCERTI authorized representative, using the email address from the contact directory on the GCERTI website at www.gcerti.com