Updated October 1, 2019
The General Data Protection Regulation (“GDPR”) seeks to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, share, and eliminate personal data. It will have a significant impact on businesses around the world. GDPR extends the protections of the 1995 EU Data Protection Directive.
Simplus is excited about the GDPR and the strong data privacy and security principles that it emphasizes. At Simplus, we believe the GDPR is an important milestone in the data privacy landscape, and we are committed to maintaining compliance with the GDPR and to supporting the rights and freedoms of individuals and their control over their personal data. Below we distinguish the role of Simplus as a Data Controller and/or a Data Processor, and how Simplus is compliant with these obligations.
Simplus’ GDPR preparation started in 2018, when we assembled an internal cross-functional team and began reviewing (and updating where necessary) our policies, processes, procedures, data systems, and documentation to ensure our capability to meet our obligations both where we act as a Data Controller on our own behalf and when we act as a data processor for the information our customers provide and/or process. While much of our preparation happened behind the scenes, we also worked on many initiatives that are visible to our customers.
It’s important to remember that for our customers, Simplus is the Data Processor, and any data that a customer and its users submit to Simplus will only be processed in accordance with the customer’s instructions. When you entrust your data and processing with Simplus, you remain the sole owner of all data stored or processed within our services.
Simplus and our affiliate companies sometimes use third-party contractors to assist us with supplying services to our customers. The Simplus team has reviewed existing contractors who may have access to the infrastructure where personal data is processed, or to the personal data itself, and has updated current contracts with stronger provisions where necessary. Additionally, we have enhanced our third-party risk management programs to address specific GDPR concerns and requirements going forward, such as the implementation of specific hardware and software requirements to protect private data.
Simplus provides all the necessary protections for our applicable data subjects. Below we address some of the other most important changes that came from GDPR (in effect from 25 May 2018).
While the previous EU legislation (the 1995 EU Data Protection Directive) governed entities within the EU, the territorial scope of the GDPR is far wider because it applies to non-EU businesses that market their products to people in the EU, collect information about people in the EU, or monitor the behavior of people in the EU. With an international presence, Simplus has taken all the necessary precautions to ensure we protect customers and prospective customers in compliance with the policies and procedures handed down by the GDPR.
Whenever a data subject submits their personal information to a data controller, they need to do so with consent and understanding. The GDPR has introduced new standards for what this type of consent entails, calling for consent that is “freely given, specific, informed and unambiguous.” This means that data controllers must use clear language; the previous practice of “opt-out” via silence or pre-ticked check boxes will no longer be allowed and must be replaced by a “statement or a clear affirmative action.”
Two new GDPR rules make it easier for users to remove stored information from data controller databases or to demand a copy of their stored information from processors.
The right to withdraw consent requires data controllers to remove data subjects’ personal data. If this data is held by a data processor, then the processor must ensure the data controller can perform this action. The right to data portability allows a data subject to demand that any information stored about them be handed over in a commonly used format.
The GDPR enhances the previous rights of data subjects (who have always had the right to access their data). Data controllers can no longer charge data subjects for accessing their data. Though there are some circumstances where organizations can refuse a data access request, refusal policies must be clearly spelled out, and data controllers must demonstrate that a request meets the stated refusal criteria.
The new DPIA stipulation concerns building data privacy “by design”. This means that a company must assess how any new projects, technologies or initiatives may impact the privacy of individuals, so that preemptive changes can be made to avoid potential privacy issues.
Simplus has a DPO in place to ensure all compliance efforts are made in accordance with the GDPR. The DPO typically deals with activities that involve processing personal data on a large scale and is helpful in overseeing how vendors’ security practices comply with the GDPR and in informing third-party vendors of any data subject requests.
Data controllers must review and update their privacy statements, internal data policies, and privacy notices so that they meet GDPR standards. Simplus will continue to ensure all documentation meets the necessary GDPR requirements.
Under the new GDPR guidelines, data controllers must notify their country’s supervisory authority of data breaches within 72 hours of discovery (unless the data is encrypted or anonymized).
We’ve revised our Master Services Agreement (MSA) and our Data Processing Addendum/Agreement (DPA) to include clauses expected under the GDPR, such as: assistance complying with data subject rights requests (when applicable), supervisory authority breach notice obligations, data protection impact assessments and audits, and the return or destruction of data unless otherwise required by law. Upon request, we will review and consult on our Customer’s business-specific needs around the DPA. Please send an email to [email protected] to request a copy of Simplus’ DPA or with any other DPA-related questions.
At Simplus, staff must regularly (not less than annually) complete information security training. We have supplemented this regular training with GDPR-specific and general privacy awareness training content. In addition to these training requirements, Simplus conducts ongoing awareness communications on a variety of topics, including phishing, information security, and privacy. Furthermore, all Simplus employees are required to sign a confidentiality agreement that survives beyond the employment relationship.
The European Commission and the GDPR recognize several mechanisms to facilitate the lawful transfer of personal data outside the European Economic Area (EEA) including Standard Contractual Clauses/Model Clauses, adequacy decisions and the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. Simplus has self-certified to both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield regimes and lawfully transfers EU/EEA personal data to the United States of America pursuant to our Privacy Shield Certification or Data Protection Agreements (incorporating the Standard Contractual Clauses/Model Clauses) as applicable.
Simplus’ Data Privacy Office has procured applications to assist in the management of our privacy program and implemented systems and processes to maintain records of data processing, data inventories and data flows suitable to demonstrate compliance with our obligations under Article 30 of the GDPR.
If you have specific questions about the GDPR and how it applies to Simplus’ services or operations, you can contact our Data Privacy Office at:
10 W. Broadway
Salt Lake City, UT 84101