GDPR Frequently Asked Questions
What Is GDPR?
The General Data Protection Regulation (“GDPR”) is the European Union’s new privacy legislation, effective May 25, 2018. It replaces the previous Data Protection Directive 95/46/EC with more extensive protections for the privacy of EU residents.
What Rights Must Companies Enable Under GDPR?
GDPR provides the following rights for EU residents :
- The right to be informed about how personal data is used,
- The right of access to personal data held by an organization,
- The right to have incorrect personal data deleted or corrected,
- The right to have personal data erased in certain circumstances (sometimes referred to as the “right to be forgotten”),
- The right to restrict processing of their personal data or to object to such processing,
- The right to restrict or object to automated processing of personal data, and
- The right to receive a copy of personal data.
How Do I Know If The Data That My Organization Is Processing Is Covered By The GDPR? What Is “Personal Data?”
GDPR regulates the collection, storage, use and sharing of “personal data.” Personal data is defined very broadly under GDPR as any data that relates to an identified or identifiable natural person. There is no distinction between a person’s private, public or work roles. Personal data can include:
- Home address
- Work address
- Telephone number
- Mobile telephone number
- Email address
- Passport number
- National ID card
- Social Security Number (or equivalent)
- Driver’s license
- Physical, physiological or genetic information
- Medical information
- Cultural identity
- Bank details / account numbers
- Tax information
- Social media posts
- IP address
- Location / GPS data
Additionally, the processing of certain “special” categories of personal data – such as personal data that reveals a person’s racial or ethnic origin, or concerns their health or sexual orientation – is subject to more stringent rules than the processing of ordinary personal data.
What Are Processors And Controllers?
A “controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A “processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
GDPR applies to both controllers and processors. Controllers must only use processors that take measures to meet the requirements of GDPR. Under GDPR, processors face additional duties and liability for noncompliance or acting outside of instructions provided by the controller.
What Is Processing?
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Am I Allowed To Transfer Personal Data Outside Of The EU?
Yes, transfer of personal data outside of the European Economic Area is permissible as long as certain conditions are met to ensure appropriate safeguards. You may need to set up a specific legal mechanism, such as a contract, or adhere to a certification mechanism in order to enable these transfers.
How Is Transfer Of Personal Data Outside Of The EU Regulated?
GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country. Appropriate safeguards can be provided for by model contract clauses. An adequate level of protection can also be confirmed by adequacy decisions such as the one that supports the EU-U.S. Privacy Shield Framework.
What Is An Organization’s Responsibility Under GDPR In Response To Personal Data Breaches?
GDPR imposes strict obligations for processors and controllers regarding notice of personal data breaches. Data processors must notify the data controller of a personal data breach without undue delay after having become aware of it. After being made aware of the breach, the controller must then notify the relevant data protection authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, controllers will also need to notify impacted individuals without undue delay.
How Much Can Companies Be Fined For Noncompliance?
Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to comply with GDPR requirements. Additional individual remedies may also apply.
Where Can I Learn More About GDPR?
The rules and regulations of GDPR may be found at https://ec.europa.eu/info/law/law-topic/data-protection_en. Additionally, the International Association of Privacy Professionals maintains comprehensive resources about GDPR and privacy generally at https://iapp.org/resources/. Tejari also recommends you regularly check the website of your national or lead data protection authority, as applicable, for updates and guidance.
Tejari’s GDPR Compliance
Where Can I Find Tejari’s Contractual Commitments With Regard To The GDPR?
Customers may find Tejari’s contractual commitments with regard to GDPR in the Customer Data Processing Addendum, available here.
How Does Tejari Make Its Employees Aware Of Personal Data Protection And Privacy?
Tejari employees are made aware of their obligations to protect customer data upon hire and are required to sign a confidentiality agreement that, among other obligations, requires employees to maintain the confidentiality of customer data. Additionally, Tejari conducts annual security and privacy training for its employees. GDPR awareness training has been added as a requirement for our employees. Tejari employees are also required to acknowledge and adhere to Tejari’s Code of Business Conduct and Ethics, which specifically addresses responsibilities and expected behavior with respect to the protection of customer data.
Under What Basis Does Tejari Facilitate The Transfer Of Personal Data Outside Of The EU?
As a global company with extensive operations inside and outside the European Economic Area, it is often necessary for Tejari to transfer data among various business units. Tejari has long used the EU model clauses as a basis for transfer of data for its solutions. The EU model clauses are standard terms provided by the European Commission that can be used to transfer data outside the European Economic Area in a compliant manner. Tejari has incorporated the EU model clauses into its Data Processing Addendum.
Additionally, Tejari is certified under the EU-US and Swiss-US Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, Processing, and cross-border transfer of personal data from the EU and Switzerland to the United States, respectively. Under these Privacy Shield Frameworks, Tejari is responsible for the processing of personal data it receives and subsequently transfers to a third party. Tejari complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer of liability provisions. To learn more about these Privacy Shield Frameworks and to view Tejari’s certification, please visit https://www.privacyshield.gov/welcome .
How Does A Customer (As A Controller Of Personal Data Under GDPR) Ensure Tejari (As A Processor Of Personal Data Under GDPR) Has Appropriate Technical And Organizational Safeguards To Protect Customer Personal Data?
Under GDPR, controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Tejari is committed to having comprehensive security procedures and safeguards across our platforms and business units that are designed to protect customer personal data against (i) accidental or unlawful destruction, loss or alteration and (ii) unauthorized disclosure or access. A description of our Under GDPR, audit rights must be granted to data controllers in their contracts with data processors. Tejari’s Customer Data Processing Addendum includes audit rights for the benefit of our customers. Tejari’s standards and certifications, including International Organization for Standardization (“ISO”) certifications and the American Institute of Public Accountants (AICPA) Service Organization Controls (SOC) 2 standard, may be used by customers to help conduct their risk assessments and help validate appropriate technical and organizational safeguards are in place.
What Data Protection Commitments Does Tejari Make?
Our Data Processing Addendums, which have been updated to ensure compliance with GDPR, describe Tejari’s privacy commitments to our customers and the privacy commitments of sub-processors accessing the personal data of our customers. Our customers can view and enter into a Data Processing Addendum with Tejari here. Any data that a customer or its users input into our software applications will only be processed in accordance with the customer’s instructions, as described in our Data Processing Addendum.
How Does Tejari Ensure Subprocessors Engaged By Tejari Are Compliant With GDPR, Including Having Appropriate Technical And Organizational Safeguards To Protect Customer Personal Data?
While Tejari and its affiliated companies directly conduct the majority of data processing activities required to provide Tejari’s software applications and services, we do engage some third-party service providers to assist in supporting our offerings. Each service provider goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy. Service providers processing data on Tejari’s behalf are required to enter into Data Processing Addendums with Tejari to ensure they are subject to the same level of protection as the agreements Tejari enters into with its customers and are compliant with GDPR.
What Subprocessors Does Tejari Use?
A list of Tejari’s service providers that may process customer personal data provided by customers using our software applications (“sub-processors”) is available here. Customers will be notified of any new sub-processors and have an opportunity to object, as required under GDPR.
How Does Tejari Enable Controllers To Ensure The Rights Of Data Subjects?
Customers can use the administrative rights and functionality available in Tejari’s software applications to help access, rectify, restrict the processing of or delete any data that they or their users put into our software applications, subject to the retention by Tejari of user data as required or permitted under applicable law for archival or record retention purposes.
What Contractual And Operational Commitments Does Tejari Make To Ensure Customers Are Promptly Notified Of Any Incident Involving Personal Data, In Compliance With GDPR?
As one of the original providers of cloud-based spend management solutions, Tejari has made commitments in its customer contracts for approximately twenty years regarding incident notification. Tejari maintains data security operations that ensure a response time well within the GDPR-required time period.
What Expertise Does Tejari Bring To Bear With Respect To Data Privacy And Protection?
Tejari employs security professionals in Europe and the U.S. that include some of the world’s foremost experts in information, application, and network security. This team is tasked with maintaining our security programs, developing security review processes, building security infrastructure and implementing our security and privacy policies.
Additionally, Tejari employs a privacy team comprised of experienced professionals in both the U.S. and Europe. Tejari also partners with privacy and compliance experts across the globe, including our legal privacy partner, K&L Gates LLP, whose lawyers the EU consulted when developing the EU General Data Protection Regulation (GDPR) and our legal compliance partner, Baker & McKenzie LLP, regularly ranked as the world’s strongest law firm brand in the Acritas Global Elite Law Firm Brand Index. Our privacy and compliance team is tasked with maintaining Tejari’s privacy and compliance programs, implementing our privacy policies and regularly engaging with customers to ensure we are meeting our customers’ privacy and compliance needs.
Who May A Customer Or Data Subject Contact For Any Questions Or Comments About Personal Data Maintained By Tejari, GDPR Or Privacy Generally?
Customers and data subjects may contact the Tejari data privacy team, located in both the EU and the U.S., via the Data Privacy Inquiry Portal. Additionally, customers and data subjects may contact the Data Protection Officer directly at DPO@jaggaer.com.