Voted in 2016 by the EU Parliament, the new General Data Protection Regulation becomes enforce­able on May 25, 2018. This new reg­u­la­tion is an essen­tial change in European data pro­tec­tion law, and replace the EU Data Protection Directive (Directive 95/46/EC) as well as the local laws relat­ing to data pro­tec­tion.

We, as a host­ing provider, are involved in the GDPR and ensure our ser­vices are com­pli­ant with the terms of the reg­u­la­tion by May 2018. As we already claim, we strong­ly believe in pri­va­cy, and we encour­age ini­tia­tives that increase the fun­da­men­tal right of pri­va­cy for all cit­i­zens of the World.

To get our cus­tomers informed about what is the GDPR, and how it applies to always­da­ta ser­vices, here’s our digest about it.

Lexicon

The GDPR itself intro­duces some terms that may need some expla­na­tion. Here’s a lex­i­con of what is in use in the reg­u­la­tion, our TOS, and this arti­cle as well.

Personal Data
It defines any infor­ma­tion relat­ed to an iden­ti­fied or uniden­ti­fied nat­ur­al per­son indi­vid­u­al­ly. It includes as well as civ­il data (birth­date, address, etc.) as tech­ni­cal data (IP, GPS coor­di­nates, etc.)
Data Controller
The Controller is a nat­ur­al or legal per­son, pub­lic author­i­ty, agency, or any body which deter­mines the pur­pos­es and means of the pro­cess­ing of per­son­al data. It is the one who decides what to do with the data.
Data Processor
The Processor is any body which process­es the per­son­al data on behalf of the Controller
DPO
The Data Protection Officer (DPO) is the per­son who, inside any com­pa­ny, ensure data pro­cess­ing oper­a­tion com­pli­ance with all applic­a­ble European reg­u­la­tions. The DPO is entire­ly inde­pen­dent of the oth­ers company’s oper­a­tions.
Subcontractor
Any part­ner that, for pur­pos­es of the per­son­al data pro­cess­ing, are man­dat­ed by the data proces­sor and may have access to per­son­al data trans­mit­ted by the proces­sor. It must be GDPR com­pli­ant too, and the client must have been informed that the sub­con­trac­tor may access its per­son­al data.

What is the GDPR?

The General Data Protection Regulation (GDPR) is the new European pri­va­cy law that replaces any exist­ing law about data pri­va­cy in the EU ter­ri­to­ry. It takes prece­dence on any local law as well as the EU Data Protection Directive. It doesn’t intro­duce sig­nif­i­cant changes but is intend­ed to enhance and har­mo­nize EU data pro­tec­tion laws for any EU cit­i­zen. It applies world­wide if your data is locat­ed inside the EU, or if your ser­vice manip­u­lates EU citizen’s per­son­al data. It becomes enforce­able on May 25, 2018.

It main­ly describes some top­ics:

Protection

Any process of per­son­al data is pro­hib­it­ed unless express­ly per­mit­ted.

Isolation

Companies may only col­lect and process per­son­al data for spe­cif­ic pur­pos­es. They must be clear­ly out­lined, and the future use of the data must be doc­u­ment­ed.

Data minimization

Companies must col­lect as lit­tle data as pos­si­ble, and as much as nec­es­sary. It also means that “blind” data col­lec­tion for unspec­i­fied future pur­pos­es is pro­hib­it­ed.

Transparency

The data pro­cess­ing should be under­stand­able and com­pre­hen­si­ble to any­one that is con­cerned. Companies are required to pro­vide crys­tal clear infor­ma­tion about what data they use, and for what pur­pos­es they use it.

Confidentiality

Companies need to ensure and prove that they tech­ni­cal­ly pro­tect the per­son­al data of their clients and employ­ees. It means that data must be pro­tect­ed against unau­tho­rized pro­cess­ing, alter­ation, theft, destruc­tion, etc.

Who does the GDRP apply to?

The GDPR applies to any com­pa­ny or orga­ni­za­tion oper­at­ing in the EU, or pro­cess­ing EU citizen’s per­son­al data.

What role alwaysdata will endorse in the GDPR context?

always­da­ta can be con­sid­ered both as a data proces­sor and a data con­troller. The for­mer because most fre­quent­ly we just “pro­cess­ing” our customer’s data behalf of their con­trol, as we host your apps, web­sites, and ser­vices; the lat­ter because we also own infor­ma­tion about our clients in our sys­tem, i.e., for your con­tracts infor­ma­tion.

alwaysdata commitments as a processor

  • We won’t process any data with­out the explic­it order of the data con­troller.
  • Data are kept inside EU; pro­vid­ed cus­tomers do not select a loca­tion in a geo­graph­i­cal area out­side the EU. This loca­tion may evolve, always under the con­troller of the cus­tomer itself.
  • We inform cus­tomers of any enlist­ed sub­con­trac­tor which access their data, which data is con­cerned and for what pur­pos­es.
  • We apply secu­ri­ty stan­dards to pro­tect data life­cy­cle.
  • We will report pub­licly any inci­dent in case of data breach with­out undue delay.
  • We pro­vide doc­u­men­ta­tion to prove our con­for­mi­ty to GDPR.

alwaysdata commitments as a data controller

  • We lim­it the per­son­al data col­lect­ed to what is strict­ly nec­es­sary when you order a ser­vice, for billing or sup­port pur­pos­es.
  • We only use per­son­al data to what it is con­trac­tu­al­ly intend­ed.
  • We do not keep data when it’s not rel­e­vant.
  • We do not trans­fer data out­side of EU with­out your explic­it con­sent.
  • We imple­ment appro­pri­ate tech­ni­cal mea­sures to ensure a high degree of secu­ri­ty on per­son­al data.

alwaysdata’s security measures

We dis­tin­guish two kinds of secu­ri­ty mea­sures: those who con­cern the data stored by the cus­tomer, and the secu­ri­ty of the infra­struc­tures that store the infor­ma­tion.

About data stored by our cus­tomers, the cus­tomer itself is sole­ly respon­si­ble for its data, by ensur­ing the secu­ri­ty of its ser­vice, web­site, appli­ca­tion, and what­ev­er it deploys on the always­da­ta infra­struc­ture.

About alwaysdata’s infra­struc­tures, we are com­mit­ted to ensure opti­mal secu­ri­ty. It means that phys­i­cal access to the sys­tems is strong­ly reg­u­lat­ed; soft­ware are mon­i­tored, patched, and updat­ed with secu­ri­ty releas­es; and we use tech­ni­cal devices to pre­vent attacks and intru­sions.

What has alwaysdata been doing to prepare for GDPR

always­da­ta was already com­pli­ant with the 95/46/EC Directive; we have built on the exist­ing. We main­ly worked on a new ver­sion of our TOS to ensure they have reflect­ed our oblig­a­tions regard­ing the GDPR. Technically, we have been fol­low­ing the Privacy by Design prin­ci­ples since we start­ed, and we have nev­er col­lect­ed any infor­ma­tion we didn’t explic­it­ly need. We have been GDPR com­pli­ant for a while now. Time for the com­pli­ance gig!

The principles of Privacy by Design and Privacy by Default

We already have design and devel­op­ment process­es that are Privacy by Design and Privacy by Default com­pli­ant. Privacy has been one of our main con­cerns for a while now; you can see a talk giv­en by m4dz, our tech evan­ge­list, at the last Breizhcamp 2018 edi­tion, about Privacy by Design[fr].

Extensive information rights, and right to deletion

We already delete per­son­al data at account dele­tion. We keep noth­ing on alwaysdata’s side, except what is need­ed for legal aspects, like data trans­ac­tions and logs, for a lim­it­ed amount of time.

The right to data portability

Our already avail­able for a while API allows you to access all your infor­ma­tion stored in the alwaysdata’s sys­tem. You can also ask us about your per­son­al data by send­ing a mail to contact@alwaysdata.com.

No linking of consents

We do not trans­mit any infor­ma­tion to any sub­con­trac­tor rather than the infor­ma­tion men­tioned in our TOS for sup­port pur­pos­es, with­out your explic­it con­sent.

What must customers do?

As far as always­da­ta is con­cerned, you have noth­ing to do besides read­ing and accept our new TOS. We also strong­ly encour­age our cus­tomers and part­ners to start prepar­ing for the GDPR now. If you already have robust secu­ri­ty and good data pri­va­cy prac­tices, the shift should be sim­ple.

You can access our new TOS here. Feel free to ask in the com­ments if you have any ques­tion about the EU Data Protection in always­da­ta.