What is GDPR?
GDPR is the new General Data Protection Regulation of the European Union (EU).
The GDPR compliance statement provides new regulations for the protection of the personal data of residents within the European Economic Area (EEA). It will take effect on May 25, 2018.
The GDPR replaces the EU’s 1995 Data Protection Directive that required EU member states to enact their own data protection laws with certain minimum standards. The result was a patchwork of different standards and rules across the EU.
GDPR data protection creates a single legal framework for the entire EEA for handling personal data. It is directly applicable and enforceable in all EEA countries (i.e., requires no further legislation).
To whom does the GDPR apply?
The GDPR applies to Data Processors and Data Controllers whether or not they have any “establishment” within the EEA.
A Data Processor is someone who, directly or through third parties, collects, records, organizes, stores, uses, discloses, or disseminates personal data of EEA residents. A Data Controller is a Data Processor who also, directly or indirectly, whether alone or jointly with others, determines the purposes and means of the processing of such personal data.
In simple terms, “personal data” is data that, alone or in combination with other information, identifies, or is likely to identify, a living person and includes, phone number, home address, email address, job title, employment history, education and training, and financial details. The GDPR compliance statement has special rules about processing “sensitive” personal data (including ethnicity, politics, religion, health, biometrics).
Where does AllClients fit in terms of GDPR?
AllClients’ customers upload personal data of EEA residents into databases that are managed by AllClients, this makes AllClients a Data Processor for GDPR purposes.
However, AllClients has no say in what data is collected, how it is collected, or how it is shared or used. Since our customers are determining the purpose and means of processing of the data, our customers are Data Controllers for GDPR purposes. AllClients is merely processing the data on their behalf as a Data Processor.
The GDPR imposes additional obligations on Data Processors and Data Controllers who have an “establishment within the EEA. AllClients does not have any “establishment” in the EEA for GDPR purposes. AllClients does not determine whether or not our customers have an “establishment” within the EEA (whether physically or by virtue of the activities undertaken within the EEA) and therefore whether these additional obligations will apply. We recommend that our customers seek their own advice in this area.
What is AllClients doing to become GDPR compliant?
The GDPR requires Data Controllers (ie. AllClients customers) to ensure that their contracts with Data Processors contain the necessary provisions and protections required by the GDPR.
AllClients has a new Data Processing Addendum that governs the terms by which AllClients (as a Data Processor) processes data on behalf of its customers (as Data Controllers). All AllClients customers will be required to agree to these terms.
The Addendum requires AllClients customers to have GDPR compliant terms and conditions that apply to the persons whose data they collect who are protected by the GDPR (ie EEA residents) in order to ensure that such persons have all of the rights as required by GDPR (see below).
All data within the AllClients Systems is being hosted at RackSpace.com. Some of Rackspace servers are physically located outside of the EEA. Is this OK under GDPR?
Under the GDPR (and other applicable laws), personal data may only be transferred outside of the EEA when an adequate level of protection for that data is in place. By utilizing AllClients’ services, customers who collect personal data of EEA residents will be exporting that data out of the EEA to AllClients. To this end, under the Privacy Shield arrangements between the US and the EU (and Switzerland), AllClients (as a data importer) is required either to self-certify under the US Department of Commerce Privacy Shield Framework or to incorporate into its contracts with its customers certain “model clauses” (as specified in the Decision of the European Commission of 5 February 2010). AllClients has elected to become Privacy Shield Certified.
In turn, AllClients uses RackSpace (RackSpace.com) exclusively for all server and cloud service functions. Under the GDPR, Rackspace is a sub-processor for AllClients.
AllClients and Rackspace have entered into a Data Processing Agreement that incorporates all required GDPR provisions (including the model clauses) which allows both AllClients and RackSpace to import and process the relevant data exported by AllClients customers. Rackspace is also Privacy Shield certified.
Because the relationship between AllClients and our customers is GDPR compliant, does that automatically make AllClients’ customers compliant as well?
No. Data Controllers handling personal data of EEA residents are required to have terms and conditions that ensure that such persons have the requisite rights, protections and remedies, and give the necessary consents, as required by the GDPR.
Under the Addendum, AllClients customers are solely responsible for compliance with the GDPR and should consult with their own legal counsel as to how GDPR may or may not affect their business.
What is AllClients doing to help our customers (as Data Controllers) comply with the GDPR?
As noted above, under the GDPR, Data Controllers have several new duties and responsibilities to EEA residents whose data they are collecting (and that AllClients is processing). There are new requirements for collecting data on landing pages, new consent management procedures, the right for people to know what data you are collecting, the right to be forgotten, and more.
AllClients is adding new features and functionality into our CRM systems that will make it easy for our customers to comply with some of these new requirements.
Please note: GDPR CRM system compliance, for our customers (the Data Controllers) is ultimately the responsibility of our customers, not AllClients.