GDPR stipulates that processing by a processor must be governed by a contract that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

Where Alvaria acts as processor under GDPR, Alvaria will enter into the legally required data processing agreements (DPA) with the controller (the customer). This will ensure that the customer maintains the control over the data and that Alvaria processes data only under the instructions of the customer and not for any other purposes.

Alvaria provides language in its standard contract templates that fulfils the GDPR requirements, including:

• Terms regarding the support provided to customer in cases where the individuals exercise their rights to access, delete or correct the personal data held about them,
• Standard Contractual Clauses to safeguard possible data transfers to countries outside the European Economic Area (EEA) (please see also FAQ “Where does Alvaria process EU personal data?” below),
• Details of the respective processing activities and Alvaria’s technical and organizational security measures (so called TOMS).

Alvaria has already reached out to our existing EU customers to supplement existing customer agreements with DPAs. If you have not received Alvaria’s DPA by now although you have commissioned Alvaria with data processing services, please reach out to [email protected].

Should a non-EU customer process EU personal data by the means of Alvaria products, that customer will have to notify Alvaria in which case we will add appropriate regional DPA to the contract. Should a non-EU customer process non-EU personal data in the context of Alvaria’s establishments in the EU, that customer will have to notify Alvaria in which case we will add appropriate regional DPA to the contract.

Alvaria does not anticipate that updates or modifications to Alvaria products will be specifically required for customers to remain compliant with GDPR. Our goal is to support customers in addressing the requirements of GDPR within the capabilities of their currently-deployed product releases (assuming that a support contract is in place for a product that is not end of life). If this changes for unexpected or compelling reasons, you will receive direct notification and advance notice through standard support channels.

Alvaria will provide product-specific guidance during the first half of 2018 (extending through Summer 2018) as our product delivery teams continue their assessments and implementations of GDPR’s data protection principles, program build requirements, and response mechanisms for data subject’s rights under GDPR. Access to this documentation will be made available within the Alvaria Customer Care Community.

Alvaria is reaching out to EU customers to provide them with the required written data processing provisions along with a brief explanation in an email. Customers can email [email protected] with further questions or concerns at any time. Of course, Alvaria customers can also reach out to their account team or Alvaria Customer Care for further assistance and clarification.

Alvaria has not increased any fees for its products and services as a result of GDPR. Our baseline approach assumes that Alvaria’s obligations as a processor and assistance services required by GDPR are free of charge and are provided as part of your active Alvaria support. There may be exceptional cases where a Professional Services engagement will be necessary, or where Alvaria will ask for cost reimbursement for additional support activities provided by Alvaria to the customer to enable the customer to meet its obligations as a controller under GDPR.

Alvaria encourages customers to take ownership of their own GDPR readiness plans (including Alvaria products and services that are in scope). Planning should start with getting a team formed (with full executive support) to identify all systems where the organization stores personal data, creating a data inventory. Alvaria will assist the customer in complying with GDPR regarding the processing of personal data by means of Alvaria’s products and services and may also assist customers in conducting Data Protection Impact Assessments (DPIAs) as further specified in Alvaria’s standard contracts.

Customers as controllers are the main responsible party under GDPR and must make sure that personal data has been obtained lawfully, that individuals are informed about the processing of their data, that the personal data collected is proportional and the personal data is used only for the purpose(s) for which it was collected.

Yes. Alvaria provides technical and organizational security measures for protection of the security, confidentiality and integrity of personal data as set forth in Alvaria’s TOMS documentation.

Customers must make sure that they choose suppliers like Alvaria that ensure safeguards for the protection of personal data, including the implementation of adequate technical and organizational measures, but must not forget that customers’ own IT infrastructure and other organizational assets play an essential role.

The implementation of adequate technical and organizational measures by Alvaria for its products and services will help customers to minimize the impact of a data breach or a data loss. However, Alvaria is not responsible for the customer’s own technical and organizational measures or IT infrastructure.

Yes. Alvaria has updated its Alvaria partner agreements as appropriate and will provide partners with DPAs for channel partners in time for GDPR.

Due to its global service architecture, in some cases personal data will be securely transferred to countries outside the EEA for centralized processing operations. Remote access to EEA-based data from authorized Alvaria personnel based in US and India may also be required.

To ensure an adequate level of data protection, Alvaria also offers Standard Contractual Clauses (controller-processor) (“SCC”) between customers in the EU and Alvaria Inc., USA.

Alvaria provides products and services that involve products and services of sub-processors, including Alvaria-affiliated companies and third party suppliers. A current list of sub-processors for specific products and services is available upon customer request. Alvaria will enter into written agreements with the sub-processor in accordance with GDPR. Alvaria may remove, replace or appoint suitable and reliable further sub-processors in its sole discretion but will inform customers about any changes to the list of sub-processors in accordance with our DPA.

Customers can email [email protected] with questions or concerns. Of course, Alvaria customers can also reach out to their account team or Alvaria Customer Care for further assistance and clarification.