GDPR at Softescu governing B2B activities
As per our ISO 27001 methodology, all our projects that are subject to GDPR regulations are governed by separate contractual language that addresses the regulation. When Softescu gain access to Personal Data from our clients, we assume the role of Data Processor under the GDPR and will address the following aspects accordingly:
- Type of Personal Data
- Activities for processing Personal Data
- Rules on our personal who access the data
- Security of Processing
- Rules governing additional Subcontractors (if is the case)
- Records Of Processing Activities
- Data Protection Officer Appointment
- Rights of the Data Subjects
- Obligations Relating to the Management of Personal Data Breach
- Obligations Concerning the Privacy Impact Assessment
- Erasure / Return of the Personal Data to the Data Controller
- Audit Rights and Corresponding Obligations
- Confidentiality Obligations
- Compensations on Data Processor's Liability
- Data Breach Incident Report Form
Softescu applies the highest standards on data security, as evidenced with the ISO 9001 (Quality Assurance) and ISO 27001 (Information Management Security) deployment within the organization. You can rest assured that your data is safe with us.
GDPR - Context
The following sections provide the context and the implementation requirements of the GDPR:
On May 25th, 2018 Regulation (EU) 2016/679 of the European Parliament of 27 April 2016 came into force on the protection of individuals with regard to the processing of personal data and on the free movement of such data, also known as GDPR or Regulation. While the regulation is geared towards private individuals, it impacts also B2B activities.
The regulation introduces two entities:
- The Data Controller: processes personal data in the course of his business and decides the purposes, methods and means of processing personal data,
- The Data Processor: processes personal data on behalf of other businesses and organizations,
The Data Controller appoints the Processor to perform the processing of personal data on his / her behalf under an agreement.
Article 28 of the Regulation provides that when the processing is to be carried out on behalf of a Data Controller, the Data Controller shall only employ Processors who provide adequate assurances for the application of appropriate technical and organizational measures, so that the said processing fulfills the requirements of this Regulation and, thus, the protection of the rights of the Data Subject is ensured.
Article 28 of the Regulation also provides that processing by the Data Processor is governed by a contract or other legal act under European Union or Member State law which binds the Processor in relation to the Data Controller and determines the subject matter and the duration of the processing, the nature and purpose of the processing, the type of Personal Data and the categories of Data Subjects, as well as the obligations and rights of the Data Controller.
Definitions
The following definitions are important under the GDPR Regulation:
Personal Data: shall mean any information relating to an identified or identifiable natural person (also known as Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing: shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Natural Person: shall mean the natural person to whom the data being processed belongs and render it identified or identifiable;
Data Controller: shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Data Processor: shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller;
Processing Subcontractor: shall mean the natural or legal person entrusted by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller under an Agreement;
Agreement: shall mean one or more contracts signed or to be signed in the future between the Data Controller and the Data Processor, which has as its object the assignment of services by the Processor, which requires the processing of Personal Data of Natural Persons collected by the Data Controller while conducting its business activities;
Personal Data Breach: shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Personal data processing
The Processor shall process Personal Data only on the basis of corresponding recorded orders from the Controller. By way of exception, in particular, in urgent cases, processing orders from the Data Controller may also be made orally. In this case, the Data Controller shall confirm as soon as possible and in writing, by any appropriate means, the instructions given orally.
Where the processing concerns the transmission of Personal Data to a third country outside the European Union or to an international organization, the Data Processor shall also comply with the relevant instructions of the Data Controller, unless different legal requirements exist under European Union laws or the laws of the Member State to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller before processing of the legal requirement in question, unless the said law prohibits this kind of information for reasons of substantial public interest.
The transmission of Personal Data to a third country outside the European Union is prohibited unless the Data Controller has given prior explicit approval to that end, and one of the following conditions is met:
- the European Commission has resolved that an adequate level of protection of personal data is ensured in the country the Personal Data is to be transmitted;
- the transmission is to be made to the U.S.A., and the recipient of the Personal Data has acceded to and abides by the Privacy Shield Framework;
- the transmission will be governed by the standard data protection clauses issued by the European Commission.
The Data Processor acknowledges that the Data Controller has full control over her Personal Data and determines any particular feature of the processing to which the Personal Data will be submitted. If the Data Processor ignores the instructions of the Data Controller and determines alone the scope, they render themselves the Data Controller for the purposes of implementing the Regulation and the legal framework on the protection of Personal Data.
Securing the Personal Data
The Data Processor shall also implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
- pseudonymization and encryption of Personal Data,
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services,
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident,
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
Processing of data by subcontractors of the Data Processor
When the Data Processor hires another processor to perform specific processing activities on behalf of the Data Controller, the same data protection obligations defined in the agreement between the Data Processor and the Data Controller shall also apply to the other processor, in particular so as to provide sufficient assurances over the application of appropriate technical and organizational measures in order for the processing to comply with the requirements of the GDPR Regulation.
Keeping a log on the processing activities
It is important that the Data Processor will keep a log of all the processing activities performed on behalf of the Data Controller:
- the name and contact details of the Data Processor and the Data Controller on whose behalf Processing is performed;
- the name of the Data Protection Officer (DPO), if appointed either on a voluntary basis or on a mandatory basis in accordance with the relevant provisions of Regulation;
- the categories of Processing carried out on behalf of the Data Controller;
- where applicable, transmissions of Personal Data to a third country, including the identification of that third country, and, in the case of transmissions without a decision on adequacy or appropriate safeguards, including company binding regulations, evidence of the fulfillment of the conditions referred to in the second subparagraph of Article 49(1);
- a general description of the technical and organizational security measures described in Article 32 (1) of the Regulation.
Data Protection Officer
The Data Processor is required to assess whether it is required under the Regulation to appoint a Data Protection Officer. If a Data Protection Officer is appointed, her/his contact details will be immediately disclosed to the Data Controller.
The Data Protection Officer of the Data Processor will work with the Data Controller on all matters concerning the Processing of Personal Data that takes place on behalf of the Data Controller.
In case where the Data Controller decides to appoint a Data Protection Officer, even though she is not under such obligation under the Regulation, the latter must undoubtedly have documented expertise in the law and the practices of data protection, as well as evidenced ability under common experience to fulfill the tasks referred to in Rule 39 of the Regulation.
In case where a Data Protection Officer is not appointed, the Data Processor has the obligation to appoint a member of its staff who will have at least basic knowledge of the Regulation and national data protection laws, and who will be responsible for ensuring compliance with the obligations provided under the applicable national and European framework for the protection of Personal Data. This role can also be outsourced to external advisors.
Obligations in case of a data breach
The Data Processor shall carry the explicit obligation to inform the Data Controller of any data breach incident involving Personal Data belonging to the Data Controller and which comes to the attention of either the same or a third party - Processing subcontractor.
Informing shall take place immediately without any undue delay, and in any case no later than 24 hours from the time on which it first became apparent that the breach had taken place.
The Data Processor shall provide all the necessary information using the form annexed in Schedule II herein, in order to enable the Data Controller to comply with the obligations imposed by the Regulation on the disclosure of a Personal Data Breach to the Data Protection Authority, and to disclose the Personal Data Breach to the Natural Persons - Data Subjects affected by the breach, which may pose a high risk for their rights and freedoms.
The information to be provided by the Data Processor to the Data Controller includes at least the following:
- a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects affected, as well as the categories and approximate number of records of Personal Data affected;
- communication of the name and contact details of the person handling the breach incident, if it is different from the Data Protection Officer;
- a description of the possible consequences of the Personal Data Breach;
- a description of the taken or proposed measures to address the Personal Data Breach and, where appropriate, measures to mitigate its possible adverse effects.
For more information on how GDPR can impact your organisations, contact us at office (at) softescu.com . We will be glad to help!