GDPR: what you should know as a Combell customer
The General Data Protection Regulation (GDPR) has far-reaching consequences. But what are the implications of this new European regulation for your relationship with Combell?
Key principles of the GDPR
Over the last few months, almost everyone in the sector has been talking about the new major European regulation, the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. By now, you are probably familiar with its key principles:
- The same rules apply throughout the EU, and they also bind businesses outside the EU that process the personal data of people in the EU (for example by offering them goods or services or by monitoring their behaviour)
- The definition of “personal data” is broader: it now explicitly covers identifiers such as IP addresses, as well as sensitive data such as data concerning a person’s health or cultural identity
- Data collection is subject to strict rules, which means you cannot simply purchase or compile lists of personal data as you please: every processing operation needs a lawful basis (often the explicit consent of the user), and data subjects have the right to access their data and to have them erased
- Data breaches used to have few consequences; now they can lead to heavy fines. If data are processed without adequate safeguards, if a serious data breach is not notified, or if a required risk assessment (data protection impact assessment) was not carried out, a fine of up to 10 million euros or 2% of worldwide annual turnover (whichever is higher) can be imposed. For more severe infringements, such as violating the basic principles of processing or the rights of data subjects, the fine can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher.
New definitions: Data Processor, Data Controller and Data Subject under the GDPR
It is not easy to grasp how this regulation affects the relationship between you and Combell, because Combell and your company (as a Combell customer) each take on different roles defined in the regulation, depending on the data involved.
- Data Controller = the party that decides why and how personal data are processed, typically the one who collects them. As a Combell customer, you collect e.g. the names, addresses and payment details of your users, which makes you a Data Controller.
- Data Processor = the organisation that stores or otherwise processes the data on behalf of the Controller, in the manner the Controller defines. When, as a Combell customer, you ask us to back up the data of your users, Combell is the Processor. A Processor may only engage a third party (a sub-processor) with the Controller’s prior authorisation, and remains responsible towards the Controller for that sub-processor’s compliance with the GDPR.
- Data subjects = the persons whose personal data are processed.
The obligations of Combell customers as Data Controllers under the GDPR
The first thing to do is check whether you are allowed to process the data at all: every processing operation needs one of the lawful bases set out in the GDPR. Collecting and processing the data is allowed because
- it is necessary to perform a contract with the data subject;
- you have obtained the data subject’s consent, which must be a clear affirmative action (a pre-ticked box or an opt-out does not count!);
- you are meeting a legal obligation;
- it is necessary to protect the vital interests (life or health) of the data subject;
- it is necessary for a task in the public interest, or for your legitimate interests as long as these are not overridden by the interests of the data subject (e.g. to be able to identify people responsible for hacking, fraud, etc.)
Next, you need to make sure that the data are adequately protected with technical and organisational measures that match the risks of the processing. A recognised way to structure this is the ISO 27001 standard: this means working with an Information Security Board and/or a Security Officer and drawing up a risk assessment report that documents the risks and the measures you take against them.
And finally, you must notify a data breach promptly. The following rules apply:
- A data breach is any breach of security (leaks, hacks, lost devices, etc.) that results in personal data being destroyed, lost, altered, disclosed without authorisation or accessed by unauthorised persons, whether accidentally or unlawfully.
- You must notify the breach
  - to the supervisory authority, unless the breach is unlikely to result in a risk to the data subjects
    - for Belgium: via the website of the Commission for the protection of privacy
    - for the Netherlands: via the online notification form of the Dutch Data Protection Authority
  - to the data subjects (your users), without undue delay, when the breach is likely to result in a high risk to their rights and freedoms.
- You must notify the authority within 72 hours after becoming aware of the breach. The GDPR acknowledges that you probably will not have all the facts about the incident within that period, so you may supply information in phases, but your first notification should already include:
  - the nature of the breach, including the categories and approximate number of data subjects and records concerned
  - the name and contact details of your Data Protection Officer or another contact point
  - the likely consequences of the breach for the data subjects concerned
  - the measures you have already taken
  - the further measures you plan to take to address the breach and mitigate its effects
“As of 25 May 2018, you will have to notify data breaches within 72 hours on pain of (heavy) fines. We will help you identify the data sets you are responsible for.” (Veerle van Hecke, GDPR Data Controller at Combell)
The obligations of Combell as a Data Processor under the GDPR
Combell is the Processor of the data that you, as Data Controller, collect. This gives us several obligations, including:
- keeping records of the processing activities we carry out on your behalf (e.g. making backups)
- notifying you (the Data Controller) without undue delay about breaches affecting your data sets hosted on a platform managed by us, and assisting you with the notification to the supervisory authority and the Data Subjects (the extent of this assistance may depend on the service package you purchase)
- making sure that Sub-Processors (third parties we engage to process the data) are bound by the same data protection obligations and operate in accordance with the GDPR
“You and Combell need to agree on the roles (Processor or Controller under the GDPR) of each party in advance when it comes to data hosted on a platform managed by Combell.” (Frederik Poelman, Managing Director at Combell)
The Combell customers as Data Subjects under the GDPR
Finally, remember that Combell also processes personal data about you, our customer, e.g. the details of a (technical) contact person at your company. For these data Combell is the Data Controller and you are the Data Subject, with the rights listed below, to which we are obliged to respond as described:
- You have the right to have your data erased, e.g. when the personal data are no longer necessary for the purposes for which they were collected. In that case we not only have to erase the data from our own systems, but also have to instruct every sub-processor to erase them from theirs.
- You have the right to information about these data, such as the period for which they will be stored, the purposes of the processing, and the persons or organisations that can access them.
- You have the right to access your data (at reasonable intervals) and to have them rectified. You also have the right to data portability, i.e. to take your data to another provider. Depending on the circumstances, Combell will give you secure access to your data or deliver a copy in a structured, machine-readable format, such as a CSV file.
Keep in mind that in case of a data breach, the GDPR requires you to notify the supervisory authority within 72 hours after becoming aware of it. The extent to which Combell will assist you depends on the technical and organisational measures set out in your service package. Have a quick word about this with your account manager!
For feedback or questions about your specific situation (e.g. a private cloud solution), feel free to contact us.