General Data Protection Regulation
Tejari & the General Data Protection Regulation
Effective 25 May 2018, the EU General Data Protection Regulation (“GDPR”) replaced the 1995 EU Data Protection Directive. GDPR (i) strengthens the rights that individuals have with respect to their personal data and (ii) imposes new obligations on organizations processing the personal data of individuals residing in the EU. Tejari is committed to helping ensure our customers’ compliance with GDPR.
What does GDPR mean for our customers and Tejari?
Our customers’ users enter certain personal data into our software applications: primarily business contact information when logging in. Under GDPR, our customer is a “data controller” and a data controller’s responsibilities include: (i) determining the purposes and means of processing personal data and (ii) implementing appropriate technical and organizational measures to ensure and demonstrate that any personal data processing is performed in compliance with GDPR. Under GDPR, Tejari, is a “data processor” and a data processor’s responsibilities include processing personal data in accordance with the limits of processing set forth by the data Controller. Accordingly, Tejari must also implement appropriate technical and organizational measures to protect personal data and be able to provide assurances to our customers that we are only processing personal data in accordance with our customers’ instructions. To accomplish these goals, Tejari has implemented a comprehensive GDPR compliance program to provide the necessary safeguards and documentation to support our customers’ GDPR compliance efforts.
What does GDPR require?
GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles: (1) personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (2) personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (3) processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed; (4) personal data must be accurate and, where necessary, kept up to date; (5) personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and (6) personal data must be processed in a manner that ensures appropriate security for the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Frequently Asked Questions
Tejari has compiled this list of Frequently Asked Questions so that our customers may familiarize themselves with the basics of GDPR and how Tejari’s compliance efforts enable our customers to comply with GDPR.
Where can you learn more about GDPR?
The rules and regulations of GDPR are available at https://ec.europa.eu/info/law/law-topic/data-protection_en. Additionally, the International Association of Privacy Professionals maintains comprehensive resources about GDPR and privacy generally. For additional guidance, Tejari recommends you regularly (1) check the website of your national or lead data protection authority under GDPR, as applicable, (2) monitor updated regulatory guidance as it becomes available and (3) consult a lawyer to obtain legal advice specifically applicable to your business circumstances.
Data Processing Addendum
Tejari’s Customer Data Processing Addendum provides contractual assurances for our customers that Tejari is utilizing the appropriate technical and organizational measures and sets forth the terms under which Tejari can process personal data on behalf of our customers to enable both Tejari and our customers to meet our respective obligations under GDPR.
Under GDPR, any services providers accessing personal data from our customers are considered “sub-processors.” Click here for a list of sub-processors providing services to Tejari that may require them to process certain forms of personal data provided by our customers when using our software applications and services. These processing activities may include accessing, storing, handling or otherwise using the personal data in order to provide services to our customers.
Additional Questions and Comments:
Customers may contact our data privacy team (located in both the EU and the U.S.), via the Data Privacy Inquiry Portal for any questions, comments, concerns or requests regarding how Tejari manages personal data our about our GDPR compliance program. Additionally, you may contact Tejari’s Data Protection Officer directly at DPO@jaggaer.com.
Have you accepted our GDPR-updated Data Processing Addendum? If not, you can do so by following the instructions here.