The European Union adopted the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, in April 2016, and it has been enforceable since May 25, 2018. The GDPR sets out the requirements for the security and privacy of personal data in the European Union (EU) and harmonizes EU data protection law by applying a single regulation that is directly binding in every EU Member State. The GDPR replaces the EU Data Protection Directive (Directive 95/46/EC) and the national laws that implemented it.
Heretto values the GDPR as an opportunity to reaffirm our commitment to the privacy and security of customer data. Compliance with the GDPR relies on a partnership between Heretto and our customers in their use of our software.
This FAQ details the ways in which Heretto complies with the GDPR as a data processor, in order to provide full transparency to our customers.
Who and what does the GDPR apply to?
The GDPR applies to all organizations processing the "personal data" of EU data subjects, whether the organization is located in the EU or is located outside the EU and offers goods or services to individuals within the EU.
The definition of "personal data" has been broadened under the GDPR to mean any information relating to an identified or identifiable natural person. This is typically referred to as Personally Identifiable Information (PII). A person is identifiable if they can be identified, directly or indirectly, by reference to an identifier such as:
- Email address
- Location data
- Online identifier such as IP address
- A government-issued identification number
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
What are the differences between GDPR and the EU Data Protection Directive?
There are many similarities between the GDPR and the EU Data Protection Directive, but there are some key differences. Generally speaking, the GDPR provides individuals with more rights over how their personal data is collected and used. The GDPR also introduces direct obligations for data processors, whereas the Directive held only data controllers directly liable for data protection noncompliance. For the first time, processors are also subject to regulatory penalties and fines and to civil claims by data subjects.
Following are some of the rights the GDPR grants to individuals:
- The right to be forgotten. While the right to erasure, otherwise known as the right to be forgotten, isn’t absolute, individuals will have the right to request deletion of their personal data held by controllers.
- Privacy by design. Strictly an obligation on organizations rather than a right exercised by individuals, but it benefits them directly: the GDPR requires Heretto (formerly Jorsek) to build data protection and appropriate security controls into the design of our systems so that our customers' data is protected.
- The right to access, correct and restrict processing. Individuals have the right to know what personal data controllers and processors are processing as well as the right to access, correct and restrict processing of their personal data.
- The right to portability. Individuals now have the right to obtain a copy of their personal data in a commonly used, machine-readable format.
How does the GDPR affect Heretto customers?
Both Heretto and our customers have shared responsibilities with regard to GDPR compliance: our customers as data controllers, and Heretto as a data processor. In the GDPR's terms, the controller is the entity that determines the purposes and means of the processing of personal data, while the processor is an entity that processes personal data on behalf of the controller.
Heretto expects our customers to comply with all applicable laws and regulations in connection with the use of Heretto’s software, including allowing Heretto to lawfully process personal data provided by our customers to Heretto.
How is Heretto GDPR compliant?
Heretto’s compliance and security program is comprehensive and based on globally accepted standards. Our customers’ data is our primary concern, and we are committed to keeping it safe and secure.
As a data processor, we are prepared to assist and support our customers with respect to data subject requests that our customers instruct us to address. Heretto is able to comply with requests related to access, correction, deletion and portability of personal data.
Does Heretto transfer data internationally?
The data centers used for primary and backup hosting for Heretto's EU-based customers are located in the EU. However, in limited circumstances in the course of providing services to and conducting business with our EU-based customers, certain personal data may be transferred to the U.S.
If I am a customer and one of my users makes a GDPR-related request directly to Heretto, what can I expect will happen?
Since you, our customer, are the data controller, Heretto will notify you if we receive such a request.
Does Heretto have a Data Protection Addendum (DPA)?
Yes, please email firstname.lastname@example.org to request a copy of our current DPA if required.
How does Brexit impact Heretto’s adherence to the GDPR?
Because the GDPR is binding only on EU Member States, the EU GDPR no longer applies directly in the UK after Brexit; the UK has instead retained its provisions in domestic law as the UK GDPR, alongside the Data Protection Act 2018. Heretto will work to adhere to whichever data protection laws UK companies are required to comply with. As a Heretto customer, to whatever extent you collect or process any personal data of EU Member State data subjects, you will still need to comply with the EU GDPR.
What if I have questions not addressed here?
We’re happy to discuss! Please contact email@example.com with any questions or concerns.
Heretto is providing this FAQ for informational purposes only. The information provided is general and summarized and is not intended to be comprehensive. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer, or other professional advisors who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship. This information is not intended to be legal advice and should not be construed as such.