Adopted by the EU Parliament in 2016, the new General Data Protection Regulation becomes enforceable on May 25, 2018. This regulation is a major change in European data protection law: it replaces the EU Data Protection Directive (Directive 95/46/EC) as well as the local laws relating to data protection.
As a hosting provider, we are subject to the GDPR, and we are making sure our services comply with the terms of the regulation by May 2018. As we have stated before, we strongly believe in privacy, and we encourage initiatives that strengthen the fundamental right to privacy for every citizen of the world.
To inform our customers about what the GDPR is and how it applies to alwaysdata services, here is our digest.
The GDPR introduces some terms that may need explanation. Here is a lexicon of the terms used in the regulation, in our TOS, and in this article.
- Personal Data: any information relating to an identified or identifiable natural person. It includes civil data (birthdate, address, etc.) as well as technical data (IP address, GPS coordinates, etc.).
- Data Controller: a natural or legal person, public authority, agency, or any other body which determines the purposes and means of the processing of personal data. It is the one who decides what to do with the data.
- Data Processor: any body which processes personal data on behalf of the Controller.
- Data Protection Officer (DPO): the person who, inside a company, ensures that data processing operations comply with all applicable European regulations. The DPO is entirely independent of the company's other operations.
- Subcontractor: any partner that, for the purposes of personal data processing, is mandated by the data processor and may have access to personal data transmitted by the processor. It must be GDPR compliant too, and the client must have been informed that the subcontractor may access its personal data.
What is the GDPR?
The General Data Protection Regulation (GDPR) is the new European privacy law that replaces any existing law about data privacy in the EU territory. It takes precedence over any local law as well as over the EU Data Protection Directive. It doesn't introduce significant changes but is intended to enhance and harmonize EU data protection laws for every EU citizen. It applies worldwide if your data is located inside the EU, or if your service handles EU citizens' personal data. It becomes enforceable on May 25, 2018.
Its main principles are:
- Any processing of personal data is prohibited unless expressly permitted.
- Companies may only collect and process personal data for specific purposes. These purposes must be clearly outlined, and the future use of the data must be documented.
- Companies must collect as little data as possible, and only as much as necessary. This also means that "blind" data collection for unspecified future purposes is prohibited.
- The data processing should be understandable and comprehensible to anyone concerned. Companies are required to provide crystal clear information about what data they use, and for what purposes they use it.
- Companies need to ensure, and be able to prove, that they technically protect the personal data of their clients and employees. This means that data must be protected against unauthorized processing, alteration, theft, destruction, etc.
Who does the GDPR apply to?
The GDPR applies to any company or organization operating in the EU, or processing EU citizens' personal data.
What role will alwaysdata play in the GDPR context?
alwaysdata can be considered both a data processor and a data controller: the former because most of the time we simply process our customers' data on their behalf and under their control, as we host your apps, websites, and services; the latter because we also hold information about our clients in our own systems, e.g., your contract information.
alwaysdata's commitments as a processor
- We won't process any data without the explicit order of the data controller.
- Data are kept inside the EU, unless customers select a location in a geographical area outside the EU. This location may change, always under the control of the customer.
- We inform customers of any subcontractor that accesses their data, which data is concerned, and for what purposes.
- We apply security standards to protect the data lifecycle.
- We will publicly report any data breach without undue delay.
- We provide documentation proving our conformity with the GDPR.
alwaysdata's commitments as a data controller
- We limit the personal data collected to what is strictly necessary when you order a service, for billing or support purposes.
- We only use personal data for what it is contractually intended.
- We do not keep data when it is no longer relevant.
- We do not transfer data outside of the EU without your explicit consent.
- We implement appropriate technical measures to ensure a high degree of security for personal data.
alwaysdata’s security measures
We distinguish two kinds of security measures: those that concern the data stored by the customer, and those that concern the security of the infrastructure storing the information.
Regarding data stored by our customers, the customer is solely responsible for its data, by ensuring the security of its service, website, application, and whatever it deploys on the alwaysdata infrastructure.
Regarding alwaysdata's infrastructure, we are committed to ensuring optimal security: physical access to the systems is strictly regulated; software is monitored, patched, and updated with security releases; and we use technical devices to prevent attacks and intrusions.
What has alwaysdata been doing to prepare for the GDPR?
alwaysdata was already compliant with the 95/46/EC Directive; we have built on that foundation. We mainly worked on a new version of our TOS to ensure they reflect our obligations under the GDPR. Technically, we have been following the Privacy by Design principles since we started, and we have never collected any information we didn't explicitly need. We have been GDPR compliant for a while now. Time for the compliance gig!
The principles of Privacy by Design and Privacy by Default
We already have design and development processes that comply with Privacy by Design and Privacy by Default. Privacy has been one of our main concerns for a while now; you can watch a talk given by m4dz, our tech evangelist, at the last Breizhcamp 2018 edition, about Privacy by Design[fr].
Extensive information rights, and the right to deletion
We already delete personal data upon account deletion. We keep nothing on alwaysdata's side, except what is needed for legal purposes, such as transaction data and logs, for a limited period of time.
The right to data portability
Our API, available for a while now, allows you to access all your information stored in alwaysdata's system. You can also ask us about your personal data by sending an email to email@example.com.
No linking of consents
We do not transmit any information to any subcontractor, other than the information mentioned in our TOS for support purposes, without your explicit consent.
What must customers do?
As far as alwaysdata is concerned, you have nothing to do besides reading and accepting our new TOS. We also strongly encourage our customers and partners to start preparing for the GDPR now. If you already have robust security and good data privacy practices, the shift should be simple.
You can access our new TOS here. Feel free to ask in the comments if you have any questions about EU Data Protection at alwaysdata.