The European Commission adopted the new General Data Protection Regulation (GDPR) in 2016, which is enforceable as of May 25, 2018. The GDPR outlines the requirements for the security and privacy of personal data in the European Union (EU) and will harmonize EU data protection laws by applying a single data protection law that is binding on EU Member States. The GDPR replaces the EU Data Protection Directive or Directive 95/46/EC, as well as other related local laws.
Heretto values the GDPR as an opportunity to reaffirm our commitment to the privacy and security of customer data. Compliance with the GDPR relies on a partnership between Heretto and our customers in their use of our software.
This FAQ details the ways in which Heretto complies with the GDPR as a data processor, in order to provide full transparency to our Heretto customers.
Who and what does the GDPR apply to?
The GDPR applies to all organizations processing “personal data” of EU data subjects, whether the organization is located in the EU or is located outside the EU and offers goods and services within the EU.
The definition of “personal data” has been broadened under the GDPR to include any information relating to an identified or identifiable natural person. This is typically referred to as Personally Identifiable Information (PII), and it includes any direct or indirect reference to an identifier such as:
- Email address
- Location data
- Online identifier such as IP address
- A government-issued identification number
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
What are the differences between GDPR and the EU Data Protection Directive?
There are many similarities between the GDPR and the EU Data Protection Directive, but there are some key differences. Generally speaking, the GDPR provides individuals with more rights over how their personal data is collected and used. The GDPR also introduces direct obligations for data processors, whereas the current Directive holds only data controllers directly liable for data protection noncompliance. For the first time, processors will also be subject to regulatory penalties/fines and civil claims by data subjects.
Following are some of the rights the GDPR grants to individuals:
- The right to be forgotten. While the right to erasure, otherwise known as the right to be forgotten, isn’t absolute, individuals will have the right to request the deletion of their personal data held by controllers.
- Privacy by design. Heretto is required, per the GDPR, to design our systems with proper security protocols.
- The right to access, correct and restrict processing. Individuals have the right to know what personal data controllers and processors are processing as well as the right to access, correct, and restrict the processing of their personal data.
- The right to portability. Individuals now have the right to obtain a copy of their personal data in a commonly used, machine-readable format.
How does the GDPR affect Heretto customers?
With regard to GDPR compliance, both Heretto and our customers have shared responsibilities: our customers as data controllers, and Heretto as a data processor. The data controller, according to the GDPR, is “the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”
Heretto expects our customers to comply with all applicable laws and regulations in connection with the use of Heretto’s software, including allowing Heretto to lawfully process personal data provided by our customers to Heretto.
What is “personal data” as defined by the GDPR?
Personal data includes any information related to an identified or identifiable natural person (an individual or “data subject”). A data subject can be identified or identifiable, directly or indirectly by a variety of pieces of information. Examples of information that may be considered personal data include a name, ID number, photo, email address, bank details, posts on social networking websites, medical information, or a computer IP address. The definition of personal data is very broad.
How is Heretto GDPR compliant?
Heretto’s compliance and security program is comprehensive and based on globally accepted standards. Our customers’ data is our primary concern, and we are committed to keeping it safe and secure.
As a data processor, we are prepared to assist and support our customers with respect to data subject requests that our customers instruct us to address. Heretto is able to comply with requests related to access, correction, deletion and portability of personal data.
Does Heretto transfer data internationally?
The data centers used for primary and backup hosting for Heretto’s EU-based customers are located in the EU. However, in limited circumstances in the course of providing services to and conducting business with our EU-based customers, certain personal data may be transferred to the U.S.
How does Heretto support data subject requests such as the right to be forgotten?
We have evaluated our policies and refined our system capabilities where necessary to accommodate data subject requests. Because Heretto is a processor across much of our business, we will also work with our customers and suppliers who act as controllers in responding to data subject requests.
What is your policy around destroying data?
We destroy data in accordance with the terms of our contracts, our retention policies, and applicable legal requirements.
If I am a customer and one of my users makes a GDPR-related request directly to Heretto, what can I expect will happen?
Since you, our customer, are the data controller, Heretto will notify you if we receive such a request.
As it relates to the GDPR, is Heretto considered a processor or a controller?
Heretto is considered a processor for the majority of its services. Heretto’s customers are considered controllers, and thus have responsibility for the requirements imposed on controllers under the GDPR, including having a lawful basis to process personal data and obtaining appropriate consent as may be required.
Does Heretto have a Data Protection Addendum (DPA)?
Yes, please email email@example.com to request a copy of our current DPA if required.
How does Brexit impact Heretto’s adherence to the GDPR?
Because the GDPR is binding only on EU Member States, after Brexit the UK is generally no longer bound by the GDPR. Heretto will work to adhere to whatever data protection laws UK companies are required to comply with. As a Heretto customer, to whatever extent you collect or process any personal data of EU Member State data subjects, you will still need to comply with the GDPR.
What if I have questions not addressed here?
We’re happy to discuss! Please contact firstname.lastname@example.org with any questions or concerns.
Heretto is providing this FAQ for informational purposes only. The information provided is general and summarized and is not intended to be comprehensive. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer, or other professional advisors who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship. This information is not intended to be legal advice and should not be construed as such.