GDPR Compliance

Updated : 16th December 2019

On 25th May 2018, the EU General Data Protection Regulation (GDPR) replaced the 1995 EU Data Protection Directive (European Directive 95/46/EC). The GDPR affects the way companies, including Bluenumber and its customers, process EU personal data.


Bluenumber is committed to taking the steps necessary to be in compliance with the GDPR. Over the last year, we have implemented a GDPR Readiness Programme to ensure adherence to this new regulation and to support our customers’ own GDPR compliance.


Below are some answers about what the GDPR means and how we have been preparing for this legislation. If you have any questions about our data privacy and security policies in general, please contact us at: [email protected]

1 What does the GDPR require?

The GDPR establishes rules for how organizations can process the personal data of data subjects who are in the European Union. While many of these rules already existed under previous EU law, some rules are now stricter. The rules reach beyond the physical borders of the EU and apply to any organisation, regardless of whether it has a physical presence in the EU, if it offers goods or services to people in the EU, or if it tracks the behaviour of those people.

2 How is Bluenumber preparing for the GDPR?

Since early 2018, Bluenumber has been preparing for the GDPR with a formal compliance project headed by our Legal Counsel. Much of the preparation is happening behind the scenes but a number of initiatives will be visible to our customers. Listed below are some of the steps we have taken:

  • Assessment: We have carefully reviewed where and how our relevant services collect, use and store personal data, and we are updating procedures, policies, standards, governance and documentation as needed.
  • Products: We are evaluating potential new features to add to our various products to assist our customers in meeting various GDPR compliance obligations, such as notice and consent requirements, if necessary.
  • Cross-Border Transfers of EU Personal Data: Cross-border transfers of personal data will occur in relation to some of our products. In addition to ensuring our contractual commitments meet the GDPR requirements, Bluenumber has standard contractual clauses in place where necessary.
  • Employee Training and Awareness: Our employees will receive training on GDPR-specific In addition, Bluenumber will conduct ongoing awareness initiatives on a variety of topics, including data protection, security and privacy.

3 What is the difference between a controller and a processor?

If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. For this reason, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.

A controller is the organization that determines the purposes and means of processing personal data as well as the specific personal data that is collected from a data subject for processing. A processor, on the other hand, is the organization that processes the data on behalf of the controller. The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party. Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well.

4 When does Bluenumber act as a processor?

Bluenumber is only a processor in relation to certain products and only in limited circumstances. For instance, in the context of our hosted software products, such as B# App (to be launched in early 2020), our customers act as the controllers, and Bluenumber acts as the processor. Please contact us if you are in doubt whether or not we are processors in relation to the Bluenumber product or services.

5 How will Bluenumber help my company comply with the GDPR?

When acting as processors, we will only process your personal data in accordance with your instructions and we have a duty to inform you if we reasonably believe your instructions infringe upon the GDPR requirements, or other European Union or Member State data protection legislation. However, we will have no responsibility for the accuracy and the quality of the personal data that is supplied to us.

As controllers, our customers have a number of GDPR obligations to data subjects, such as expanded data privacy rights, data breach notification, and more robust consent requirements. We are committed to helping our clients comply with the GDPR and are working to enhance our products and services to support Bluenumber’s and our clients’ GDPR compliance. We will assist as required and when we are best placed to take a particular compliance measure.

6 How will Bluenumber assist my company in fulfilling data subject rights?

Subject to the contractual relationship formed between Bluenumber and customer, we will promptly notify a customer if we receive any requests from a data subject to exercise their rights, including, without limitation, rights relating to access, rectification, restriction of processing, objection to processing, data portability (if applicable), and erasure. To the extent reasonably possible and legally permitted, we will assist customers in fulfilling their obligations to respond to a data subject request under applicable data privacy legislation.

7 Who can access personal data that Bluenumber processes on behalf of its customers?

We may permit our employees, contractors (including the employees and contractors of our affiliates) and authorised sub-processors to access personal data provided that they are bound by confidentiality covenants and only to the extent that they need access to perform services for our clients.

8 Does the GDPR prevent a company from storing data outside of the EU?

The GDPR does not introduce new restrictions on the transfer of EU personal data nor does it prevent transfers of EU personal data outside of the EU as long as the processors adhere to the necessary data protection regulations and safeguards.

9 How long does Bluenumber keep personal data?

At the end of a contract for services, upon a client’s request, we will return or securely destroy personal data. This is subject to any limitations described in the relevant data processing agreement between us and our customers as well as any restrictions prescribed by law that prevent us from returning or destroying such personal data. Clients may delete individual or organization-level personal data by using available features in the Bluenumber products and/or services, or by contacting us.

10 How does Bluenumber keep Client Personal Data secure?

At Bluenumber, we implement and maintain many processes to ensure that Client Personal Data is kept secure. For instance, some of the measures we take include, but are not limited to:

  1. Compliance Programme: Ongoing data protection compliance programme for ensuring adherence with applicable legislation.
  2. Security: We have robust security measures in place to ensure the resilience of our networks and we have processes in place to track data and flag data breaches.
  3. Restricted Processing: We only use Client Personal Data to provide the services which our clients request and subject to confidentiality covenants.
  4. Training: We ensure that personnel who process Client Personal Data have the necessary awareness in data protection and data security through training.
  5. Verification: We screen both employees and prospective vendors and we monitor existing vendors to ensure their integrity and compliance with applicable data protection laws and contractual obligations.

11 Procedures for Data Requests

Under GDPR, you have the right to:

  • confirm that your data is being held
  • request a copy of any personal data we have retained on you
  • request that your personal information be deleted

12 Repeat Requests

Where requests are unfounded or excessive, in particular in the case of repeat requests, we will charge an administration fee for each repeat request for the same data. This is to cover the administration costs of multiple requests, as provided for in Article 15 of the GDPR: https://gdpr-info.eu/art-15-gdpr/

13 How does Bluenumber handle data breaches?

Bluenumber uses industry-standard technologies and processes to monitor the IT systems supporting our products and services against security breaches. Suspected breaches are escalated internally according to established procedures. Customers who are controllers will be notified in the most expedient time possible, consistent with steps to investigate, verify, and establish the scope of the breach. Pursuant to the terms of the relevant data processing agreement, Bluenumber will cooperate with such clients to notify regulators and data subjects as required by applicable law.
