On 25th May 2018, the EU General Data Protection Regulation (GDPR) replaces the existing 1995 EU Data Protection Directive (European Directive 95/46/EC). The GDPR will impact the way companies, including Bluenumber and its customers, process EU personal data.
Bluenumber is committed to taking the steps necessary to be in compliance with the GDPR. Over the last year, we have implemented a GDPR Readiness Programme to ensure adherence with this new regulation and support our customers’ own GDPR compliance.
Below are some answers about what the GDPR means and how we have been preparing for this legislation. If you have any questions about our data privacy and security policies in general, please contact us at: [email protected]
The GDPR establishes rules for how organizations can process the personal data of data subjects who are in the European Union. While many of these rules already existed under previous EU law, some rules are now stricter. The rules reach beyond the physical borders of the EU and apply to any organization, regardless of whether it has a physical presence in the EU, if it offers goods or services to people in the EU, or if it tracks the behaviour of those people.
Since early 2018, Bluenumber has been preparing for the GDPR with a formal compliance project headed by our Legal Counsel. Much of the preparation is happening behind the scenes but a number of initiatives will be visible to our customers. Listed below are some of the steps we have taken:
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. For this reason, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.
A controller is the organization that determines the purposes and means of processing personal data as well as the specific personal data that is collected from a data subject for processing. A processor, on the other hand, is the organization that processes the data on behalf of the controller. The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party. Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well.
Bluenumber is only a processor in relation to certain products and only in limited circumstances. For instance, in the context of our hosted software products, such as B# App (to be launched in early 2020), our customers act as the controllers, and Bluenumber acts as the processor. Please contact us if you are in doubt whether or not we are processors in relation to the Bluenumber product or services.
When acting as processors, we will only process your personal data in accordance with your instructions and we have a duty to inform you if we reasonably believe your instructions infringe upon the GDPR requirements, or other European Union or Member State data protection legislation. However, we will have no responsibility for the accuracy and the quality of the personal data that is supplied to us.
As controllers, our customers have a number of GDPR obligations to data subjects, such as expanded data privacy rights, data breach notification, and more robust consent requirements. We are committed to helping our clients comply with the GDPR and are working to enhance our products and services to support Bluenumber’s and our clients’ GDPR compliance. We will assist as required and when we are best placed to take a particular compliance measure.
Subject to the contractual relationship formed between Bluenumber and customer, we will promptly notify a customer if we receive any requests from a data subject to exercise their rights, including, without limitation, rights relating to access, rectification, restriction of processing, objection to processing, data portability (if applicable), and erasure. To the extent reasonably possible and legally permitted, we will assist customers in fulfilling their obligations to respond to a data subject request under applicable data privacy legislation.
We may permit our employees, contractors (including the employees and contractors of our affiliates) and authorised sub-processors to access personal data provided that they are bound by confidentiality covenants and only to the extent that they need access to perform services for our clients.
The GDPR does not introduce new restrictions on the transfer of EU personal data nor does it prevent transfers of EU personal data outside of the EU as long as the processors adhere to the necessary data protection regulations and safeguards.
At the end of a contract for services, upon a client’s request, we will return or securely destroy personal data. This is subject to any limitations described in the relevant data processing agreement between us and our customers as well as any restrictions prescribed by law that prevent us from returning or destroying such personal data. Clients may delete individual or organization-level personal data by using available features in the Bluenumber products and/or services, or by contacting us.
At Bluenumber, we implement and maintain many processes to ensure that Client Personal Data is kept secure. For instance, some of the measures we take include, but are not limited to:
Under GDPR, you have the right to:
Where requests are unfounded or excessive, in particular where they are repeated, we will charge an administration fee for each repeat request for the same data. This covers the administration costs of multiple requests, as provided for in Article 15 of the GDPR: https://gdpr-info.eu/art-15-gdpr/
Bluenumber uses industry-standard technologies and processes to monitor the IT systems supporting our products and services against security breaches. Suspected breaches are escalated internally according to established procedures. Customers who are controllers will be notified in the most expedient time possible, consistent with steps to investigate, verify, and establish the scope of the breach. Pursuant to the terms of the relevant data processing agreement, Bluenumber will cooperate with such clients to notify regulators and data subjects as required by applicable law.