Updated May 14, 2018
The General Data Protection Regulation is a new set of privacy regulations and guidelines that replaces the Data Protection Directive 95/46/EC and takes effect May 25, 2018.
The General Data Protection Regulation (GDPR) will require organizations to make numerous changes in the way they collect and process EU personal data.
The GDPR contains a number of new protections for EU citizens and threatens significant penalties for non-compliance. In addition, there are new security, recordkeeping, access rights, and notification procedures that companies must implement to ensure compliance. Issues that are attracting particular focus include increased administrative requirements, and the need to provide the tools necessary to meet the numerous obligations on both controllers and processors.
Calibrum offers self-service products via an Application Service Provider model delivered via the Internet and using standard web browser software. Customers solely determine what data to collect, from whom and where, for what purpose, and for how long. Therefore, Calibrum does not and cannot classify or represent any Customer data. All data are processed electronically on the instructions of the Customer as required to provide the software, support, and maintenance.
Since the Customer has full control over its data, it may have special obligations to protect the data outside the scope of the protection Calibrum provides (for instance, if data were downloaded to the user’s local drive or printed). Calibrum has always agreed to safeguard all Customer data with industry best standards regardless of what that data represents.
ENABLING THE CUSTOMER TO BE GDPR COMPLIANT
Calibrum enables its Customers to be GDPR compliant. Briefly stated, that means Calibrum will:
- provide sufficient guarantees to the controller to implement appropriate technical and organizational measures designed to safeguard Customer data
- process data (that could include personal data) only to fulfil its obligations as related to the Services
- enable users to modify and delete individual data points
- enable users to modify and delete complete survey responses
- enable users to modify and delete the entire project (responses and survey definitions)
- provide security documentation that describes the processes and procedures for safeguarding the data
- sign a contract that governs the processing of EU personal data
GDPR Article 28, Section 3, requires that a contract be in place between a data controller and a data processor. For years, the Calibrum Terms of Service and Master Services Agreement have provided the fundamental legal requirements and obligations regarding data ownership, processing behavior, safeguarding data, breach notification, and more. However, if a Calibrum Customer desires to have a GDPR-specific contract, it may request it by sending an email to firstname.lastname@example.org.
This Contract supplements the terms of an existing Agreement to satisfy the requirement of GDPR Article 28, Section 3, which governs the processing of EU personal data. Once reviewed and signed, please send it to email@example.com.
Technical details for customers on GDPR compliance:
KEY PRINCIPLES OF GDPR AND RESPONSIBLE PARTIES
Both Calibrum and its Customers (controllers) are separately and jointly liable for actions or inactions that do not comply with GDPR. Thus, the GDPR requires a shared responsibility to protect an individual’s right to privacy. The table below summarizes these responsibilities and is included for clarification only.
Legend: Q = Calibrum’s responsibility; C = Customer’s responsibility; S = Shared responsibility
S: Breach Notification Standards
Q: Data security and processing standards
C: Individual “unambiguous” explicit consent before data collected
C: Individual withdraws consent; requests data deletion
C: Parental consent to collect info on children
Q: Only transfer data to a country with adequate protection
C: Cross-border transfer of PII
S: Post public privacy notice
S: Follow requests from a DPA
C: Allow right to data modification and to be forgotten*
S: Provide data portability
C: Rights of notice, access, and objection
S: Clarifying role of controller and processor
S: Data breach notification
C: Collect data only for “specific, explicit and legitimate purposes”
* Calibrum enables the Customer to perform these functions. When a data controller cannot perform these functions due to insolvency or upon government request, Calibrum will perform them.