GDPR

At Axero, we understand the importance of putting privacy and data protection in the hands of our customers.

Axero offers our EU/EEA customers a Data Processing Addendum that incorporates the model clauses. You can access the addendum here.

If you have questions about the Data Processing Addendum, please submit a support case or contact your account representative for details.

What is the GDPR?

The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations. The full text of the GDPR can be found here.

GDPR increases the responsibilities for organizations and businesses in how they collect, use, and protect personal data. At the center of the new law is the requirement for organizations and businesses to be fully transparent about how they are using and protecting personal data, and to be able to demonstrate accountability for their data processing activities.

We welcome GDPR at Axero

At Axero, we understand the importance of putting privacy and data protection in the hands of our customers, so we will be in compliance with the GDPR by May 25th, 2018. We have carefully examined the relevant provisions of the GDPR and we’re closely following applicable GDPR guidance issued by regulatory authorities. The GDPR strengthens individuals’ privacy rights through tighter controls over the processing of their personal data, significant expansion of their rights over their data, and increased transparency into the nature, purpose, and use of it.

Axero’s commitment to GDPR compliance

In preparation for GDPR, we formed a core team from each area of Axero’s business units, coordinated by our Data Protection Officer (DPO). The representatives in this group are charged with ensuring that all the requirements of GDPR are addressed across all teams.

What steps are we taking at Axero?

Data collection and processing audit

We have reviewed our sales, marketing, and customer support activities, and our entire product suite, to identify where we are collecting and processing customer data. Based on this, we have validated our legal basis for collecting and processing that personal data. We have also ensured that we are applying the appropriate safeguards across our entire infrastructure to fully protect this data.

Third-party vendors audit

We reviewed our arrangements with our third-party vendors and have asked them to validate their GDPR compliance, including asking them to have all vendor agreement updates in place by May 25th, 2018.

Updated Terms of Service and Privacy Policy

We’re updating our Terms of Service and Privacy Policy. These updated versions will outline what personal data we’re collecting and processing, why we collect it, how we use it, who we share it with, and how long we store it for. As always, we aim to keep the language in our Terms of Service and Privacy Policy as clear as possible.

Data access, portability, and deletion

We make it easy to support your organization and give your people the ability to access, handle, and delete their personal data. You’ll always have full control over your own data, including autonomy in how you process your organization’s information, because we operate on a self-service basis through the Communifire product. We also ensure that all of your data is easily exportable in a commonly used, computer-readable format. If at any time you need assistance with exporting data, please contact us. We are happy to help you.

Security breach management

As part of our Axero Security and Risk Management Policies, we have processes in place in the unlikely event of a data breach; we’ve updated these to further comply with the GDPR.

How GDPR may apply to you

If you market to the EU, collect or process data on persons in the EU, have employees in the EU, or frequently send your staff to the EU, GDPR may apply to you. As an intranet solutions provider, Axero provides you with tools that may impact your compliance. We offer our customers a Data Processing Addendum to ensure that we are receiving personal data lawfully and in accordance with your instructions. We also strongly urge you to review and document your data collection and use practices so that, if GDPR applies to you, you comply with the law and have the proper privacy policy and, if needed, consents in place for your intranet data collection practices.

We’re here to help

We know that navigating GDPR can seem challenging, but we’re here to help. If you have any questions or concerns regarding how we protect your personal data, please don’t hesitate to reach out to us at axerosolutions.com.

Frequently asked questions

Does the GDPR apply to me?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of people in the EU or Switzerland, the GDPR will apply to you.

Does GDPR require personal data to be stored in the EU?

No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU remain largely unchanged. The GDPR permits transfers of personal data outside of the EU subject to certain conditions. The EU-U.S. Privacy Shield continues to be one valid way to ensure adequate safeguards are in place for personal data transfer from the EU to the U.S. The EU model clauses and Binding Corporate Rules also remain valid mechanisms to lawfully transfer personal data. Axero offers a Data Processing Agreement that incorporates the model clauses to our EU/EEA customers transferring the personal data of people in the EU to the United States for us to process in connection with our services.

If you supply your own Privacy Policy for your employees/members in your Communifire installation.

While Axero can’t provide legal advice as to what information you should include in your privacy policy, this is what we can tell you:

Regulations like the European Union General Data Protection Regulation (GDPR) require that you disclose third-party services that collect personal data on data subjects, including employees.

Further, if you use Axero services to collect information to monitor your employees’ or members’ use of the services, you must have a legitimate business purpose to do so and/or obtain consent, especially if they are located in the European Union, which has stronger worker privacy protections.

Compliance with law, ensuring employee safety, and collecting information in the context of providing employment/membership may constitute a legitimate business purpose.

As a processor, Axero merely processes the information we collect on your behalf to provide the service in accordance with your instructions—but you are liable as a data controller. We recommend working with legal counsel and privacy experts to make sure that you have the necessary disclosures in your privacy notices and consents to operate our services to fit your needs within the law.

If at any time you need assistance, please contact us. We are happy to help you.

_____

DISCLAIMER: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Axero has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. You may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding. The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.