General Data Protection Regulation 2018 (GDPR)
Last Revision: May 21, 2018
AnyRoad’s GDPR approach
This is meant to give an overview about GDPR and what steps AnyRoad is taking. However, this information is not meant to be legal advice in any way and we suggest that you consult a legal professional if you have any questions about GDPR for your business.
After four years of preparation and debate the GDPR was finally approved by the EU Parliament on April 14, 2016. The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The General Data Protection Regulation (AVG or English GDPR General Data Protection Regulation) and AnyRoad fully supports the strict privacy standards that will be stipulated in the regulation policy. AVG is a new law that will take effect on May 25, 2018. The regulation is intended to attract and strengthen data protection law for all business in the European Union as well as foreign businesses that offer services for EU – based clients.
What is AnyRoad doing about the GDPR?
What does this mean for our Clients and their customers (participants)?
General GDPR information
Since 2017, AnyRoad has worked closely with a team of advisers to identify improvements and requirements for our products. We have a responsibility to protect the privacy of our Clients (and their customers), something that has always been important to us. We want to ensure that we comply with both EU and international privacy laws.
AnyRoad has two roles involving GDPR. AnyRoad acts as a data controller for personal data of its Clients (the companies that we work with). Additionally
AnyRoad acts as a processor (CPU) of the personal data received by AnyRoad’s Clients, as well as third party data concerning their customers. This means that AnyRoad must support its Clients to ensure the processing of personal data remains secure and our primary responsibility is to ensure that we adequately protect all data of our Clients and their customers. In addition, we will assist our Clients in responding to requests for inspection, removal or alteration of personal data.
To ensure both, AnyRoad has sought ways to continually optimize the processing of personal information and data. Additionally, AnyRoad is preparing to take the necessary technical measures to meet the new rights of people under GDPR regulation. Currently, you can find all updates and information on GDPR on this page, and we will continue to update this page with any details regarding the necessary steps we are taking with respect to GDPR compliance.
AnyRoad is committed to your data privacy.
AnyRoad takes data privacy very seriously, and we view GDPR as a timely opportunity to further our commitment to data protection for the benefit our Clients and their customers.
We’re excited that GDPR is here, as we know it will help reinforce awareness of permission-based communications, more clear uses of personal data, and will help build trust between brands, Clients, and customers in the EU.
As a trusted partner, our priority is ensuring that our Clients have confidence in our platform, and that the data they collect with AnyRoad is processed securely and in accordance with GDPR requirements.
Every AnyRoad Client also has the responsibility to ensure that they are acting in accordance with the new GDPR legislation. As data controllers also, AnyRoad Clients are responsible for maintaining the lawful processing of personal data of their customers. To meet these standards, we recommend (at minimum) following steps:
2. Ensure those who provide you with access to their data give the opportunity to receive a copy of their personal data or, under certain circumstances, allow you to correct or delete their personal information.
3. You are required to sign an agreement for the processing of all parties who process personal data on behalf of your company to agree on the purposes for which these processors may use the personal information, including to AnyRoad.
4. You must ensure that stored personal information is accurate and protected.
5. You must not track personal information for longer than necessary, or the period stipulated in any agreement.
6. Be prepared if any stakeholders make a notice of act (within 72 hours) in the event of any data breach.
Please note that the above is not comprehensive and we recommend you seek legal advice for more information on any implication of the GDPR that may affect your business.
What is GDPR?
The GDPR is a new law aimed at EU citizens to give more control over their data. It will replace the Data Protection Directive of 1995. The GDPR deals with the collection, storage, transmission, and use of personal data. Personal data means any information that relates to a person (called data subject). For EU citizens, it means they will have more control over their data. It is regulating how businesses must process and store the personal data they collect.
Who does the GDPR affect?
The GDPR not only applies to organizations located within the EU, but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU citizens. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What is personal data?
Under GDPR, personal data is any information relating to an identified or identifiable natural person. This person is referred to as the “data subject”. This includes the obvious data such as name, address, email address and phone number but also IP-address or data specific to the physical, physiological, genetic, economic, cultural or social identity of that natural person.
What is processing of personal data?
Processing means anything you can do with personal data and includes viewing, storing, changing, transferring and even deleting personal data.
What is the difference between a controller and a processor of personal data?
The controller is the person who determines the purpose and means of processing of personal data. The processor is a person who processes personal data on behalf of the controller and in accordance with the instructions and scope that the controller and processor have jointly agreed upon. Under GDPR, AnyRoad is the controller of personal data of its employees and the personal data that directly concerns the contact persons of the brands we work with. AnyRoad is a processor of the personal data that clients are receiving from its customers.
What are AnyRoad’s Clients’ obligations under GDPR?
Under GDPR, the Clients are the controller of the personal data of their customers. This means that as controllers, they are required to process data in accordance with GDPR. Some of the key points are:
1. Determine what personal data is processed and for what purposes
2. Accommodate Clients’ rights in relation to the processed data
3. Ensure that the processed personal data is protected adequately
4. Establish a clear process to identify and report data breaches within the timeframes set out in GDPR
5. Conclude a data processing agreement with all third parties who process personal data on AnyRoad’s behalf
What is in GDPR about processing personal data?
GDPR prescribes that in processing personal data the following principles should be taken into account:
1. Personal data must be processed in a matter that is fair and transparent towards the data subject
2. Personal data may be collected for purposes that have been communicated to data subject and for which you have a legitimate purpose
3. Personal data must be accurate and kept up to date; inaccurate data must be corrected or erased without delay
4. Personal data must be kept no longer than necessary
5. Personal data must be handled in a secure way
What are AnyRoad’s obligations towards its Clients under GDPR?
What specific rights do individuals have in relation to the personal data that is processed under GDPR?
An individual has the following rights (each of which are explained later in this document):
• Right of information and access
• Right to rectification
• Right of portability
• Right to object
• Right to erasure
• Right to restriction of processing
The controller of the personal data is responsible for addressing these requests; but AnyRoad, as a processor, will assist its Clients in that regard. Any request from a Client in relation to the above-listed rights should be followed up within one (1) month of the request. If it concerns complex or substantial requests, the term might be extended by an additional month.
What does the right to information and access to personal data mean?
Upon request, individuals must be informed about the personal data that is being processed. Copy of the personal data undergoing processing shall be provided, free of charge. In addition, the following information must be provided:
• The purposes of processing
• The categories of data processed
• The recipients or categories of recipients
• The envisaged retention period, or, if not possible, the criteria used to determine this period
• The individual’s rights in relation to personal data
What does the right to rectification of personal data mean?
An individual may require incorrect personal data to be rectify.
What does the right of portability of personal data mean?
An individual may require personal data to be provided in a structured, commonly-used and machine-readable form so that it may be transferred to another data controller without undue burden.
What does the right to object to processing of personal data mean?
An individual does not have the right to object to the processing of personal data in general but may object to the following processing activities:
• Processing for direct marketing purposes
• Processing for scientific, historical, research or statistical purposes
What does the right erasure of personal data mean?
It means that an individual may require a controller to have personal data deleted if the processing fails to satisfy the requirements of GDPR. This may be the case under the following circumstances:
• When the personal data is no longer necessary for the purpose for which it was collected
• Where an individual withdraws prior consent and there is no justification for the processing
• Where an individual objects to controller’s basis for processing data
• When the data is otherwise unlawfully processed
What does the right to restriction of processing of personal data mean?
This right gives an individual an alternative to the right of erasure and allows the individual to require data to be restricted from further processing when the processing is challenged. Such challenge may occur if the individual disputes the accuracy of data or has objected to the processing. Restriction means that the controller may only store the data and may not further process it unless the individual gives consent, or the processing is necessary for legal claims.
How is AnyRoad helping its Clients with the data subject rights of customers?
AnyRoad will assist Clients with appropriate technical and organizational measures with responding to requests. This means that if a request is received from a customer, Clients can easily redirect it to AnyRoad for additional assistance.
How is AnyRoad protecting the personal data it processes?
AnyRoad has taken both technical and organizational measures to ensure that all the data that we process is adequately protected.
What is a data breach?
Any incident where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data.
What does AnyRoad do in the event it suffers a data breach?
AnyRoad has an internal data breach policy in place which enables it to adequately react in the event of a data breach. AnyRoad’s actions are, briefly, the following:
1. Identify the source of the data breach
2. Contain the breach and take all necessary measures to protect data
3. Notify the involved data controller without undue delay after becoming aware of the data breach
4. Asses to what extent measures need to be taken to prevent a similar data breach in the future
It is the controller’s obligation to notify the supervisory authorities without undue delay and, where feasible, within 72 hours after becoming aware of the breach. A notification is not necessary if the breach is unlikely to result in a risk to the rights and freedom of EU citizens.
It is also the controller’s obligation to notify the individuals who are affected by the data breach. The notification is not necessary if the breach is unlikely to result in a high risk for the rights and freedoms of the individuals or if appropriate technical and organizational protection where in place at the time of the incident.
Does AnyRoad use sub-processors?
AnyRoad uses several subprocessors such as AWS and Mandrill to process transactions and communications and to store (and protect) our data. For these services AnyRoad has entered into an agreement (DPA) with these sub-processors to ensure that they process the personal data with at least the same level of security as we do.
Is AnyRoad transferring data outside the European Economic Area?
AnyRoad is using AWS servers in the USA to store data from Clients relating to bookings and communication that happen through AnyRoad. GDPR requires that if data is transferred outside the European Economic Area (EEA), AnyRoad shall ensure that the recipient of the data is protected with the same level of protection that processors inside the EEA are bound by. The European Commission has recognized the certification under the EU-US Privacy Shield Principles as a form of adequate protection. AnyRoad is currently certified under such Privacy Shield.
Do AnyRoad’s Clients need to sign an additional agreement with AnyRoad before May 25, 2018?
GDPR requires that a control enters into a data processing agreement with each processor. AnyRoad will act as a processor for the personal data received from our client’s customers because it is stored in AnyRoad’s software products. AnyRoad will be offering its Clients to sign the standard data processing agreement. In this agreement, AnyRoad sets out the purposes for which it may process Client’s personal data and the measures taken to protect such data. If you are in need of a Data Protection Addendum, please reach out to firstname.lastname@example.org
What is a Data Processing Agreement?
A data processing agreement sets out the relationship between the controller and the processor. It describes what personal data the processor may process on behalf of the controller and for what purposes it shall do so. It also describes the technical and organizational measures that the processor has taken to make sure that his processing activities meet the requirements of GDPR and that the rights of the individuals are adequately protected.
How long can personal data be kept?
GDPR does not give a specific term in regard to keeping the personal data but indicates that personal data should be retained no longer than necessary in relation to the purpose for which such data is processed. There is also an exception to keep certain personal data longer if it is required to do so by law.