What is the GDPR?
GDPR (the General Data Protection Regulation) is a data protection law which imposes obligations onto organizations that target or collect data related to people in the EU. The GDPR applies to processing carried out by organizations operating within the EU, but also to organizations outside the EU that offer goods or services to individuals in the EU.
GDPR compliance is not optional and failing to comply can result in fines.
Where can I read more about the GDPR?
Find more information here:
What is personal data?
Personal data is information that relates to an identified or identifiable individual. An individual is identified or identifiable if you can distinguish them from other individuals.
According to the GDPR, a non-exhaustive list of identifiers includes:
- Name
- Identification number
- Location data
- Online identifier (IP address, cookie identifier, or other factors).
If it is possible to identify an individual directly from the information you are processing, then that information may be personal data. If it is not possible to identify an individual directly, you must still consider whether the individual is indirectly identifiable, taking into account the information you are processing together with all the means reasonably likely to be used by you or by any other person to identify that individual.
Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it “relates to” the individual. Whether information relates to an individual depends on several factors, including the content of the information, the purpose(s) for which you are processing it, and the likely impact or effect of that processing on the individual.
Who and what is a data controller?
The data controller is the main decision-maker who decides what data to process and why. The data controller exercises control over and determines the purposes for which and the means by which personal data is processed. If a company decides “why” and “how” the personal data should be processed, it is by definition the data controller. Employees processing personal data within your organization do so to fulfil your tasks as a data controller.
The GDPR places obligations on the data controller to ensure that the controller’s contracts with its data processors comply with the GDPR.
A company is a joint controller when, together with one or more other organizations or subsidiaries, it jointly determines “why” and “how” personal data should be processed. Joint controllers must enter into an agreement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of such an agreement must be communicated to the individuals whose data is being processed.
Checklist: Are you a data controller?
- You decided to collect and/or process personal data.
- You decided what the purpose or outcome of the processing was to be.
- You decided what personal data should be collected.
- You decided which individuals to collect personal data about.
- You obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
- You are processing the personal data as a result of a contract between you and the data subject.
- The data subjects are your employees.
- You make decisions about the individuals concerned as part of or as a result of the processing.
- You exercise professional judgement in the processing of the personal data.
- You have a direct relationship with the data subjects.
- You have complete autonomy as to how the personal data is processed.
- You have appointed the processors to process the personal data on your behalf.
Checklist: Are you joint controllers?
- You have a common objective with others regarding the processing.
- You are processing the personal data for the same purpose as another controller.
- You are using the same set of personal data (e.g. one database) for this processing as another controller.
- You have designed this process with another controller.
- You have common information management rules with another controller.
What does it mean to be a data controller?
Data controllers have the highest level of compliance responsibility and must comply with, and be able to demonstrate compliance with, all the data protection principles as well as the other GDPR requirements. Data controllers are also responsible for using only processors that provide sufficient guarantees of compliance, and for the contracts that govern that processing.
Who and what is a data processor?
The data processor processes personal data only on behalf of the controller. If you do not have any purpose of your own for processing the data and you only act on a client’s instructions, you are likely to be a processor – even if you make some technical decisions about how you process the data.
The data processor is usually a third party external to the company. The GDPR places specific legal obligations directly on data processors, for instance to maintain records of their processing activities, including what happens to the personal data once the contract between the parties is terminated.
The duties and obligations of the data processor towards the data controller must be specified in a contract, typically the Data Processing Agreement (DPA). The data processor is legally liable if it is responsible for a data breach.
A typical activity of processors is offering IT solutions, for instance cloud storage. The data processor may only sub-contract part of its tasks to another processor (a sub-processor) when it has received prior written authorization from the data controller.
There are situations where an entity can be a data controller, or a data processor, or both.
Checklist: Are you a data processor?
- You are following instructions from someone else regarding the processing of personal data.
- You were given the personal data by a customer or a similar third-party, or told what data to collect.
- You do not decide to collect personal data from individuals.
- You do not decide what personal data should be collected from individuals.
- You do not decide the lawful basis for the use of that data.
- You do not decide what purpose or purposes the data will be used for.
- You do not decide whether to disclose the data, or to whom.
- You do not decide how long to retain the data.
- You may make some decisions on how data is processed but implement these decisions under a contract with someone else. You are not interested in the end result of the processing.
Example: Boyum IT Solutions has contracted a payroll company to pay wages. We have provided the payroll company with all necessary details for the salary slip and payment. The payroll company provides the IT system and/or services to pay wages, and they store our employees’ data. Here, we are the data controller, and the payroll company is the data processor.
What does it mean to be a data processor?
Data processors do not have the same obligations as controllers under the GDPR. However, if you are a processor, you do have a number of direct obligations of your own under the GDPR.
My company is not located in the European Union. Why do I have to sign the GDPR contract?
The GDPR imposes obligations regarding data protection onto organizations that target or collect personal data in the EU. The GDPR applies to processing carried out by organizations operating within the EU, but also to organizations outside the EU that offer goods or services to individuals in the EU.
Since Boyum IT Solutions operates from within the EU, we are obligated to put in place Data Processing Agreements with all of our partners, regardless of where these partners are located. In other words, you have to sign the Data Processing Agreement with us because we are legally obligated to have a GDPR-compliant contract with you in order to do business with you.
GDPR compliance is not optional and failing to comply can result in fines.
Why must everyone purchasing software and services from Boyum IT Solutions sign the GDPR contract?
Under the GDPR, you are by definition our client: in our relationship, you are the data controller and we are the data processor. As data processor, we process personal data on your behalf and upon your instructions. According to the GDPR, our obligations as data processor towards you as data controller must be specified in a contract. This is the purpose of our Data Processing Agreement.
The partner signs the GDPR contract with Boyum IT Solutions, but what about the customer of the partner?
The partner and the partner’s customer are also obligated to have a Data Processing Agreement under the GDPR. However, the relationship and data processing activities between the partner and the partner’s customer are not Boyum IT Solutions’ responsibility. The end-customer, as data controller towards the partner, is responsible for ensuring that it has a Data Processing Agreement with the partner (the end-customer’s data processor).
Can I get the contract in other languages than English?
Unfortunately, no. English is our international company language.
I have questions about the contract. Who may I contact to get clarification?
Please direct any questions to gdpr@boyum-it.com
Can I sign the GDPR contract on paper?
Yes. Open the e-mail and click OTHER OPTIONS, download and print the contract, sign it by hand, scan the signed copy to your PC, attach it in the DocuSign e-mail and return it to Boyum IT Solutions. Only the person assigned to sign the contract can perform this action.
Why does Boyum not sign an agreement with the partner where Boyum is the controller and the partner is the processor?
The partner does not process any personal data as part of any services delivered to Boyum IT Solutions and does not process any personal data on behalf of Boyum IT Solutions. The partner does not follow any instructions from Boyum IT Solutions regarding the processing of personal data.
Why does Boyum need to transfer personal data outside of the EU?
Boyum employs both permanent staff and freelancers who are employed in, work from, and process data in countries outside of the EU. Thus, we need to include a clause in the Data Processing Agreement by which the data controller accepts that Boyum might transfer personal data outside of the EU as part of providing our services. For example, a partner in need of our support may be serviced by one of our support agents employed outside of the EU, which requires that we have put in place the right to transfer the data. Under Chapter V of the GDPR such transfers also require an appropriate safeguard, such as an adequacy decision or Standard Contractual Clauses, in addition to the controller’s acceptance. As part of ensuring proper and secure management of personal data, Boyum has implemented internal GDPR-compliance agreements, e.g. Records of Processing Activities, which have been signed by everyone in the company working outside of the EU.