GDPR General Data Protection Regulation
The General Data Protection Regulation (GDPR) is the new legal framework of data protection law across the EU and is due to come into force on 25th May 2018. Contrary to Directive 95/46/EC, which governed this processing prior to this point, the GDPR has direct effect within the Union and does not need to be transposed at national level. In this way, it will aim to harmonise laws governing the processing of personal data across Europe. Even better, the GDPR enshrines a principle of extraterritoriality, which means that, in certain circumstances, the scope of its application can be extended beyond the frontiers of Europe.
If you are an organisation that processes personal data, you are highly likely to be governed by the provisions of the GDPR. In this regard, you are subject to obligations and must abide by them. The same is true of Quality NOC, which, in view of its situation, is bound by different obligations, in its capacity as a processor and as a data controller.
Understanding the real, specific issues at stake in European regulations is not always an easy task, especially when the regulation in question contains 99 articles, 173 recitals and numerous lines of guidance on how it will apply. Understanding these issues is nonetheless essential in order to avoid any risks that may arise from an excessively broad or imprecise interpretation of your organisation’s regulatory obligations. A proper understanding of the terms defined below is therefore essential:
- Personal data: any information relating to an identified or identifiable real person. An identifiable real person is defined as any real person who can be directly or indirectly identified.
- Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, transmission, storage, conservation, extracting, consultation, use, disclosure by transmission and so on.
- Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Quality NOC as a processor
It is undoubtedly in this last scenario that you will deal the most frequently with Quality NOC. Quality NOC is classed as a “processor” when it processes personal data on behalf of a data controller.
This will typically be the case when you use the services of Quality NOC. Within the limit of its technical restrictions, Quality may process any data stored solely in accordance with your instructions, and on your behalf.
Quality NOC’s commitments as a processor
As a processor, Quality NOC commits to:
- Processing personal data solely for the purposes of carrying out the services correctly: Quality NOC will never process your information for any other purposes (marketing, etc.).
- Keeping your data inside the EU and only in countries recognised by the European Union as offering a sufficient degree of protection, provided that you do not select a datacentre located in a geographical area outside the EU.
- Informing you if we have enlisted a subcontractor to process your personal data: to date, no services involving any access to data you have stored as part of the service have been subcontracted outside the Quality NOC Group.
- Applying strict security standards to provide a high level of security for our customers.
- Reporting any data breach to you without “undue delay”.
- Helping you meet your own regulatory obligations, by providing you with adequate documentation of our services.
FAQ: Quality NOC as a processor
Who owns the personal data used and stored by the customer as part of the services?
Quality NOC will not access or use this data except where necessary in order to perform the services, within the limits of its technical restrictions.
Quality NOC undertakes to refrain from selling on this data and from using it for personal purposes (such as data mining, profiling or direct marketing).
When may Quality NOC access the data stored and used by the customer as part of its services?
- In order to implement services, particularly to improve the support provided to customers when they contact the Quality NOC helpline. In this situation, access to data will be limited, thanks to specific authorisations and specific control and security measures.
- To comply with legal obligations or as part of legal and/or administrative requests. These requests are very strictly regulated.
Access as part of a request from judicial and/or administrative authorities:
In order to act in accordance with the regulations that are in force, Quality NOC is obliged to answer requests from judicial and/or administrative authorities. Since requests for access are covered by a strict legal framework, Quality NOC will not authorise these requests until we have ensured that they are valid and substantiated. Moreover, unless prohibited by the request or by law, Quality NOC undertakes to inform the customer as soon as possible in the event that such a request is made. Requests issued from a third-party country will not be handled unless there is an underlying international agreement, such as a treaty for mutual legal assistance, in force between the third-party country applicant and the Union or a Member State.
Quality NOC as a data controller
Quality NOC is classed as a “data controller” when we determine the purpose and method of “our” personal data processing.
This is typically the case when Quality NOC collects data for billing, managing accounts receivable, improving the quality of services and performance, sales prospecting, commercial management, etc. But it is also the case when Quality NOC collects personal data on its own employees.
In this scenario, ‘your’ data – the data that you store on Quality NOC’s services – is not affected. On the other hand, certain information concerning you or concerning your employees (the identity and contact details of your contact person at Quality NOC as part of a request for technical assistance, for example) may be. This is why Quality NOC is keen to explain the guarantees put in place to ensure that this personal data is protected. Quality NOC commits to:
- Limiting the data collected to what is strictly necessary: as part of this approach, when you order a service, you enter only the data required by Quality NOC for billing or support purposes, or to make sure we meet our own legal obligations on data conservation..
- Only using the data it collects for the purpose for which it was collected.
- Conserving personal data for a limited and proportionate time. For example, data processed for the purpose of managing relations between a customer and Quality NOC (surname, first name, postal address, email address, etc.) is conserved by the company for the full duration of the contract and for thirty-six (36) months thereafter. At the end of this period, the data is deleted from all media and backups.
- Not transferring this data to third parties other than companies associated with Quality NOC and acting as part of the performance of the contract.
- Implementing appropriate technical and organisational measures to ensure a high degree of security.