Our Lawyers Are Making Us Say This: This microsite is neither legal advice for your company in complying with GDPR/other data privacy laws nor a magnum opus on EU/EEA data privacy. What we are providing is background information to help you better understand how Amelia has addressed some important legal points. This legal content is not the same as legal advice, where an admitted attorney applies the law to your specific circumstances, and you must consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In summary, you may not rely on this microsite as legal advice, nor as a recommendation of any particular legal understanding.
- Data Subject: An identified or identifiable natural person whose personal data is processed; the GDPR protects data subjects who are in the EU/EEA, regardless of their nationality or place of residence
- Personal Data: Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info)
- Controller: A company/organization that collects people’s personal data and makes decisions about what to do with it. If you’re collecting personal data and are determining how it will be processed (for example, using IPcenter to collect information about ticket submitters or AMELIA to chat with customers), you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.
- Processor: A company/organization that helps a controller by “processing” data based on its instructions but doesn’t decide what to do with data. For example, Amelia is the processor of the data if you have an Amelia-hosted AMELIA system interacting with your employees and/or customers. We don’t control how you collect or use the data; we merely process it on your behalf and on your instruction.
- Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Protection Officer (DPO): A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert
- Data Protection Impact Assessment (DPIA): A documented assessment of the necessity and proportionality of a certain type of processing, the risks it poses to data subjects, and the measures available to mitigate those risks; required where the processing is likely to result in a high risk to individuals
- Supervisory Authority: Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities)
- Third Countries: Countries outside the EU, such as the United States of America, Japan, or India
- Standard Contractual Clauses: The SCCs, also known as “model clauses”, are standardized contract language approved by the European Commission. They are one of the mechanisms that permit controllers/processors to send personal data to third countries. The SCCs are included in our Standard Data Processing Agreement.
Frequently Asked Questions
What was the DPD – what was the law before GDPR?
Although the DPD is being replaced by the GDPR, it set out the eight data protection principles on which the GDPR builds. These rules govern how organizations should treat personal data and are set out below:
- Obtain and process the personal data fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways compatible with the purposes for which it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give a copy of his/her personal data to any individual, on request.
The DPD is a Directive, which is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.
A Regulation on the other hand, such as the GDPR, is a binding legislative act which applies in its entirety across the EU.
Will “Brexit” impact or affect GDPR compliance for companies with operations in the UK?
In June 2016, a majority of UK voters voted in favour of leaving the EU in the "Brexit" referendum. In March 2017, the UK Government gave notice to leave the EU under Article 50, which triggered the start of the Brexit negotiations and means that the UK will leave the EU on the earlier of (a) the date a withdrawal agreement takes effect or (b) the expiry of two years from giving notice (29 March 2019). For our UK customers, this means that you’ll need to work on your compliance as if Brexit never occurred.
As of right now, the UK Information Commissioner’s Office (ICO) is issuing guidance and regulations on GDPR compliance and Parliament is continuing to implement legislation to comply with GDPR.
If you’re based outside the UK but have vendors or affiliates in the UK with whom you share personal data, you’ll also need to keep an eye on developments in this area. When the UK leaves, cross-border data flows to the UK may no longer automatically have adequate safeguards, and additional protections (for example, the SCCs) may be required for data you transfer to the UK.
How Are Individual Rights Being Affected by GDPR?
Individuals already have many rights that protect their personal data under the DPD, but the GDPR significantly strengthens these rights, so that data subjects can now:
- obtain details about how their data is processed by an organization or business;
- obtain copies of personal data that an organization holds on them;
- have incorrect or incomplete data corrected;
- have their data erased by an organization, where, for example, the organization has no legitimate reason for retaining the data;
- obtain their data from an organization and to have that data transmitted to another organization (Data Portability);
- object to the processing of their data by an organization in certain circumstances;
- not to be subject to (with some exceptions) automated decision making, including profiling.
Will Data Now Need to be Stored in the EU?
No. There is no obligation under the GDPR for data to be stored in the EU, and the basic rules on transferring personal data outside the EU are not changing. This means that, provided the personal data is "adequately protected", it may be transferred abroad.
The European Commission maintains a list of countries it deems to provide an adequate standard of protection (informally, the "white-listed" countries), so it is permissible to transfer data to those countries. Where a country is not on that list (for example, the USA), the controller must rely on approved contractual provisions (e.g., the Model Clauses) or on one of the other safeguards provided for in law, such as the Privacy Shield certification. (And yes, Amelia is Privacy Shield certified.)
Is Amelia Updating its Legal Documentation to Comply with GDPR?
Will Amelia Products Be Able to Comply with the Right to Erasure?
Yes, we’re going to offer the technology and the ability to do so. When one of your data subjects asks you to delete them from your records, you'll have the ability to do so quickly and easily.
Keep in mind that a deletion request from a data subject (for example, one of your customers) does not override legal or regulatory reasons to preserve data; you may be required to keep certain records despite a request to be forgotten, and in that case you should document the legal basis for retaining them.
If you’re already an Amelia customer or partner, please contact your account manager if you have any further questions, comments, or suggestions. If you don’t yet have a business relationship with Amelia, please drop us a line via the contact us button in the right-hand corner of each page.