Alvaria Preparations for the EU’s General Data Protection Regulation
On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) became effective, replacing existing EU data protection laws based on the 1995 EU Data Protection Directive. The GDPR strengthens privacy rights for EU individuals and extends the scope of responsibilities for businesses processing personal data of EU individuals.
Alvaria has taken the steps necessary to comply with the legislation and equipped our customers to do the same by the May 25th effective date.
Under the direction of Alvaria’s global GDPR project team, Alvaria closely analyzed the requirements of the GDPR and has made the necessary modifications to its products and services, contracts, and documentation to support GDPR compliance for our customers.
Alvaria conducted a full information audit and data mapping exercise covering all personal information on data subjects processed by Alvaria in its role as controller and processor. This effort included all processing activities undertaken by Alvaria by itself and on behalf of customers through Alvaria’s products and services. The level of detail included, but was not limited to, the purposes of processing, data subjects, categories of personal data, lawful bases for processing, location of data and retention periods.
Alvaria will provide product-specific guidance during the first half of 2018 (extending through Summer 2018) as our product delivery teams continue their assessments and implementations of GDPR’s data protection principles, program build requirements, and response mechanisms for data subjects’ rights under GDPR.
Access to this documentation will be made available within the Alvaria Customer Care Community.
Commonly Asked Questions
This FAQ focuses on typical questions asked by Alvaria customers when considering the implications of GDPR on their use of Alvaria’s products and services that involve processing of personal data.
GDPR (Article 28(3)) stipulates that processing by a processor must be governed by a contract that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
Where Alvaria acts as processor under GDPR, Alvaria will enter into the legally required data processing agreement (DPA) with the controller (the customer). This ensures that the customer retains control over the data and that Alvaria processes it only on the documented instructions of the customer and not for any other purpose.
Alvaria provides language in its standard contract templates that fulfils the GDPR requirements, including:
- Terms regarding the support provided to customer in cases where the individuals exercise their rights to access, delete or correct the personal data held about them,
- Standard Contractual Clauses to safeguard possible data transfers to countries outside the European Economic Area (EEA) (please see also FAQ “Where does Alvaria process EU personal data?” below),
- Details of the respective processing activities and Alvaria’s technical and organizational security measures (so-called TOMS).
Alvaria has already reached out to our existing EU customers to supplement existing customer agreements with DPAs. If you have commissioned Alvaria with data processing services but have not yet received Alvaria’s DPA, please reach out to [email protected].
A non-EU customer that processes EU personal data by means of Alvaria products, or that processes non-EU personal data in the context of Alvaria’s establishments in the EU, must notify Alvaria, in which case we will add the appropriate regional DPA to the contract.
Alvaria does not anticipate that updates or modifications to Alvaria products will be specifically required for customers to remain compliant with GDPR. Our goal is to support customers in addressing the requirements of GDPR within the capabilities of their currently deployed product releases (assuming that a support contract is in place for a product that is not end-of-life). If this changes for unexpected or compelling reasons, you will receive direct notification and advance notice through standard support channels.
Alvaria will provide product-specific guidance during the first half of 2018 (extending through Summer 2018) as our product delivery teams continue their assessments and implementations of GDPR’s data protection principles, program build requirements, and response mechanisms for data subjects’ rights under GDPR. Access to this documentation will be made available within the Alvaria Customer Care Community.
Alvaria is reaching out to EU customers to provide them with the required written data processing provisions along with a brief explanation in an email. Customers can email [email protected] with further questions or concerns at any time. Of course, Alvaria customers can also reach out to their account team or Alvaria Customer Care for further assistance and clarification.
Alvaria has not increased any fees for its products and services as a result of GDPR. Our baseline approach assumes that Alvaria’s obligations as a processor and assistance services required by GDPR are free of charge and are provided as part of your active Alvaria support. There may be exceptional cases where a Professional Services engagement will be necessary, or where Alvaria will ask for cost reimbursement for additional support activities provided by Alvaria to the customer to enable the customer to meet its obligations as a controller under GDPR.
Alvaria encourages customers to take ownership of their own GDPR readiness plans (including Alvaria products and services that are in scope). Planning should start by forming a team (with full executive support) to identify all systems where the organization stores personal data and to create a data inventory. Alvaria will assist the customer in complying with GDPR regarding the processing of personal data by means of Alvaria’s products and services and may also assist customers in conducting Data Protection Impact Assessments (DPIAs) as further specified in Alvaria’s standard contracts.
Customers, as controllers, bear primary responsibility under GDPR and must make sure that personal data has been obtained lawfully, that individuals are informed about the processing of their data, that the personal data collected is proportionate to the purpose, and that the personal data is used only for the purpose(s) for which it was collected.
Yes. Alvaria provides technical and organizational security measures for protection of the security, confidentiality and integrity of personal data as set forth in Alvaria’s TOMS documentation.
Customers must choose suppliers, such as Alvaria, that provide safeguards for the protection of personal data, including the implementation of adequate technical and organizational measures, but must not forget that customers’ own IT infrastructure and other organizational assets play an essential role.
The implementation of adequate technical and organizational measures by Alvaria for its products and services will help customers to minimize the impact of a data breach or a data loss. However, Alvaria is not responsible for the customer’s own technical and organizational measures or IT infrastructure.
Yes. Alvaria has updated its partner agreements as appropriate and will provide channel partners with DPAs in time for GDPR.
Due to its global service architecture, in some cases personal data will be securely transferred to countries outside the EEA for centralized processing operations. Remote access to EEA-based data by authorized Alvaria personnel based in the US and India may also be required.
To ensure an adequate level of data protection for such transfers, Alvaria also offers the EU Standard Contractual Clauses (controller-to-processor) (“SCCs”) between customers in the EU and Alvaria Inc., USA.
Alvaria provides products and services that involve products and services of sub-processors, including Alvaria-affiliated companies and third party suppliers. A current list of sub-processors for specific products and services is available upon customer request. Alvaria will enter into written agreements with the sub-processor in accordance with GDPR. Alvaria may remove, replace or appoint suitable and reliable further sub-processors in its sole discretion but will inform customers about any changes to the list of sub-processors in accordance with our DPA.
Customers can email [email protected] with questions or concerns. Of course, Alvaria customers can also reach out to their account team or Alvaria Customer Care for further assistance and clarification.
These FAQs are provided for information purposes only and do not constitute legal advice. Alvaria therefore encourages customers to seek legal advice about the legal permissibility of their processing of personal data by way of Alvaria’s products and services.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR will come into effect across the EU on May 25, 2018.
Source: General Data Protection Regulation (GDPR) Definition | Investopedia, https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp