GDPR standardizes data protection laws and imposes strict new rules on controlling and processing personally identifiable information. It also extends the protection of personal data and data protection rights by giving control back to EU residents.
GDPR applies to organizations established in the EU and to those outside the EU whose activities supply goods and/or services to people and businesses located within the EU.
Therefore, we are providing the below explanation and Frequently Asked Questions (FAQ) about the collection and processing of personal data related to services offered by Neogrid.
In May 2016, the European Union (EU) adopted a harmonized data protection law called the General Data Protection Regulation (GDPR). As of 25 May 2018, the GDPR will be enforced throughout all EU member states and in the European Economic Area. While the GDPR does not introduce many substantially new concepts, it significantly increases the compliance requirements of data controllers and processors regarding their handling of personal data.
As a company, Neogrid is committed to ensuring compliance with the GDPR by 25 May 2018. Neogrid has been consistent in its approach to data protection as part of its general product standards, and this approach is now being extended to reflect the new requirements of the GDPR.
Data controller: GDPR Article 4(7) states: “‘controller’ means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
In general, the controller assumes responsibility for all personal data collected and must ensure that rights of the data subject and the controller’s own legal obligations are also covered by the processor.
Data processor: GDPR Article 4(8) states: “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
In general, this refers to data processing based on the instructions of the data controller as contracted.
Neogrid, as the cloud solution provider for customers and suppliers, is the data processor acting on behalf of those customers and suppliers.
The GDPR aims to harmonize data protection requirements across Europe into one single regulation. It addresses corporate bodies governed by public and private law in their capacity of either controller or processor. The new law aims to protect the rights and freedom of natural persons to enhance data subjects’ confidence in organizations that hold or process personal data, and to strengthen the EU’s internal market. To this end, the GDPR provides a uniform set of rules to govern the processing of personal data across the EU. The degree of EU-wide harmonization that is achievable by the GDPR is, however, restricted to the extent that the regulation contains so-called opening clauses that allow EU member states to set out country-specific laws and requirements for specific data processing activities. These opening clauses may therefore result in applying additional rules and obligations for data controllers and processors, but not changing or altering the original regulation.
The GDPR has a broad material scope covering the processing of personal data by automated means or in another structured form, including data intended to form part of a filing system. The limit of this scope becomes clear where the GDPR states that it does not apply to natural persons processing personal data exclusively in the course of a purely personal, private, or household activity.
Likewise, the GDPR has a broad territorial scope and applies to any activities of a data controller or processor in the EU that comprise the processing of an individual’s personal data. Central to this is whether the controller or processor is located in the EU. The GDPR also applies to controllers or processors located outside the EU where the processing serves to offer goods or services to data subjects who reside in the EU or to monitor the behavior of data subjects who reside in the EU.
The GDPR introduces several new legal requirements that may substantially affect a controller’s or processor’s business. Therefore, each controller or processor must verify which GDPR obligations apply to them and must also ascertain how to implement them accordingly.
In accordance with its general processing principles, the GDPR requires the processing of personal data to be lawful, proportionate, transparent, adequate, accurate, secure, confidential, limited in time and to designated purposes, and conducted in a responsible and accountable manner (which means applying appropriate security, including technical and organizational measures, to ensure integrity and confidentiality).
The GDPR explicitly defines what it means by the term “personal data”: any data that relates to an identified or identifiable individual. GDPR Article 4(1) states: “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” The term clearly includes metadata or other associated data such as IP addresses, cookies, or other identifiers (and also combinations of such data) that may trace back to an individual. The GDPR has broadened the known catalog of special categories of personal data to include genetic data, biometric data where used to uniquely identify a natural person, and data related to criminal convictions and offenses.
Processing personal data will be lawful only if one of the criteria for permission, as set forth in the GDPR, is met. In the absence of direct legal allowance, organizations need consent from individuals whose data is to be processed. This consent must cover all purposes for which the organizations (intending to process the data) collect and process the data and must allow for the individual’s right to withdraw consent at any time. This means that blanket consent or global consent for various unspecified purposes is not valid for the processing of personal data.
The GDPR aims to improve the accountability of those processing personal data and to increase transparency about the data being processed. Despite its similarity in substance and structure to the current EU Directive, the GDPR will take a much tougher line on enforcement.
Under the terms of the GDPR, privacy must be built in deliberately and be adopted by default in both systems and processes. Organizations are obligated to ensure that the processing of personal data is for a specific purpose, and organizations must demonstrate that data protection is at the heart of their IT framework and solution design.
These bodies are also obligated to implement all necessary technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk of the processing for the data subjects. It is therefore necessary to analyze the organization’s internal IT asset and process landscape to identify and map data flows that include personal data. This will help to ascertain the appropriateness of the security framework.
Guided by the concept that the individual should know and always be able to identify what personal data is processed, by whom, for what purposes, and over what time period, data controllers will need to actively provide certain general and specific information; this is in accordance with the GDPR’s revised concepts of data portability and the individual’s rights to access, to refuse/object, or to be forgotten. Organizations involved in processing personal data will therefore require robust internal processes with designated roles.
Organizations must implement a host of systemic measures to reduce the risk of violation. As data controllers, customers must demonstrate to the data subject and to regulators that they comply with the applicable regulation, and as data processor, Neogrid must demonstrate the same to customers. Complexity grows when bodies need to keep track of every purpose for which personal data is being processed and when they need to ensure that all individuals have given their consent for each data processing use case. These measures must be built into existing IT infrastructures. Depending on the outcome of a company’s data protection risk assessment, measures such as the appointment of a dedicated data protection officer, the execution of privacy impact assessments, and the adoption of regular audit procedures will help to maintain compliance.
This is when something goes wrong: when the internal organizational measures have not prevented a data breach, or processing of personal data has been found to be outside its lawful purpose. In the event of a data breach, data controllers need to notify the supervisory authority and the affected individuals within 72 hours of becoming aware of the situation. Data processors need to inform data controllers without undue delay after becoming aware of a personal data breach.
A. Yes, we collect and process personal data from customers and suppliers, such as:
Mobile phone number;
Language used in the application.
The Neogrid applications also record data related to the activities of the customer or supplier within the Neogrid environment, in order to fulfill Neogrid's legal obligations, as well as for statistical analysis for the continuous improvement of service delivery.
A. Our goal is to provide our customers with a safe, fast and reliable service. As a global service provider, we run our services with operational practices and capabilities common to many countries.
We currently store data in datacenters in the United States and Brazil. Employees and contractors located in the U.S., Europe, Japan and Brazil may have access to certain data for product development, customer support and technical support.
A. In cases where data is transferred outside the EU, Neogrid ensures that such transfers comply with all applicable international standards and regulations, including the General Data Protection Regulation (GDPR).
A. Yes, we continuously update our practices and seek to meet data security best practices.
A. You can correct or update your registration data at any time in the logged-in area of the Neogrid platform. If you have questions or need help, you can contact our support team through firstname.lastname@example.org.
A. Yes, you may request the deletion of your personal data via the Neogrid platform or the support team. However, some data may be retained by Neogrid for a longer period due to legal requirements (e.g. for tax purposes).