Frequently Asked Questions


What is GDPR?

The General Data Protection Regulation (“GDPR”) is the European Union’s new privacy legislation, effective May 25, 2018. It replaces the previous Data Protection Directive 95/46/EC with more extensive protections for the privacy of EU residents.

What rights must companies enable under GDPR?

GDPR provides the following rights for EU residents:

  • The right to be informed about how personal data is used,
  • The right of access to personal data held by an organization,
  • The right to have incorrect personal data deleted or corrected,
  • The right to have personal data erased in certain circumstances (sometimes referred to as the “right to be forgotten”),
  • The right to restrict processing of their personal data or to object to such processing,
  • The right to restrict or object to automated processing of personal data, and
  • The right to receive a copy of personal data.

How do I know if the data that my organization is processing is covered by the GDPR? What is “personal data?”

GDPR regulates the collection, storage, use and sharing of “personal data.” Personal data is defined very broadly under GDPR as any data that relates to an identified or identifiable natural person. There is no distinction between a person’s private, public or work roles. Personal data can include:

Identity

  • Home address
  • Work address
  • Telephone number
  • Mobile telephone number
  • Email address
  • Passport number
  • National ID card
  • Social Security Number (or equivalent)
  • Driver’s license
  • Physical, physiological or genetic information
  • Medical information
  • Cultural identity

Finance data

  • Bank details / account numbers
  • Tax information

Online Artifacts

  • Social media posts
  • IP address
  • Location / GPS data
  • Cookies

Additionally, the processing of certain “special” categories of personal data – such as personal data that reveals a person’s racial or ethnic origin, or concerns their health or sexual orientation – is subject to more stringent rules than the processing of ordinary personal data.

What are Processors and Controllers?

A “controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A “processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

GDPR applies to both controllers and processors. Controllers must only use processors that take measures to meet the requirements of GDPR. Under GDPR, processors face additional duties and liability for noncompliance or acting outside of instructions provided by the controller.

What is processing?

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Am I allowed to transfer personal data outside of the EU?

Yes, transfer of personal data outside of the European Economic Area is permissible as long as certain conditions are met to ensure appropriate safeguards. You may need to set up a specific legal mechanism, such as a contract, or adhere to a certification mechanism in order to enable these transfers.

How is transfer of personal data outside of the EU regulated?

GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country. Appropriate safeguards can be provided for by model contract clauses. An adequate level of protection can also be confirmed by adequacy decisions such as the one that supports the EU-U.S. Privacy Shield Framework.

What is an organization’s responsibility under GDPR in response to personal data breaches?

GDPR imposes strict obligations for processors and controllers regarding notice of personal data breaches. Data processors must notify the data controller of a personal data breach without undue delay after having become aware of it. After being made aware of the breach, the controller must then notify the relevant data protection authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, controllers will also need to notify impacted individuals without undue delay.

How much can companies be fined for noncompliance?

Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to comply with GDPR requirements. Additional individual remedies may also apply.

Where can I learn more about GDPR?

The rules and regulations of GDPR may be found at https://ec.europa.eu/info/law/law-topic/data-protection_en. Additionally, the International Association of Privacy Professionals maintains comprehensive resources about GDPR and privacy generally at https://iapp.org/resources/. JAGGAER also recommends you regularly check the website of your national or lead data protection authority, as applicable, for updates and guidance.

Where can I find JAGGAER’s contractual commitments with regard to the GDPR?

Customers may find JAGGAER’s contractual commitments with regard to GDPR in the Customer Data Processing Addendum, available here.

How does JAGGAER make its employees aware of personal data protection and privacy?

JAGGAER employees are made aware of their obligations to protect customer data upon hire and are required to sign a confidentiality agreement that, among other obligations, requires employees to maintain the confidentiality of customer data. Additionally, JAGGAER conducts annual security and privacy training for its employees. GDPR awareness training has been added as a requirement for our employees. JAGGAER employees are also required to acknowledge and adhere to JAGGAER’s Code of Business Conduct and Ethics, which specifically addresses responsibilities and expected behavior with respect to the protection of customer data.

Under what basis does JAGGAER facilitate the transfer of personal data outside of the EU?

As a global company with extensive operations inside and outside the European Economic Area, it is often necessary for JAGGAER to transfer data among various business units. JAGGAER has long used the EU model clauses as a basis for transfer of data for its solutions. The EU model clauses are standard terms provided by the European Commission that can be used to transfer data outside the European Economic Area in a compliant manner. JAGGAER has incorporated the EU model clauses into its Data Processing Addendum.

Additionally, JAGGAER is certified under the EU-US and Swiss-US Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, Processing, and cross-border transfer of personal data from the EU and Switzerland to the United States, respectively. Under these Privacy Shield Frameworks, JAGGAER is responsible for the processing of personal data it receives and subsequently transfers to a third party. JAGGAER complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer of liability provisions. To learn more about these Privacy Shield Frameworks and to view JAGGAER’s certification, please visit https://www.privacyshield.gov/welcome.

How does a customer (as a controller of personal data under GDPR) ensure JAGGAER (as a processor of personal data under GDPR) has appropriate technical and organizational safeguards to protect customer personal data?

Under GDPR, controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. JAGGAER is committed to having comprehensive security procedures and safeguards across our platforms and business units that are designed to protect customer personal data against (i) accidental or unlawful destruction, loss or alteration and (ii) unauthorized disclosure or access. A description of our Under GDPR, audit rights must be granted to data controllers in their contracts with data processors. JAGGAER’s Customer Data Processing Addendum includes audit rights for the benefit of our customers. JAGGAER’s standards and certifications, including International Organization for Standardization (“ISO”) certifications and the American Institute of Public Accountants (AICPA) Service Organization Controls (SOC) 2 standard, may be used by customers to help conduct their risk assessments and help validate appropriate technical and organizational safeguards are in place.

What data protection commitments does JAGGAER make?

Our Data Processing Addendums, which have been updated to ensure compliance with GDPR, describe JAGGAER’s privacy commitments to our customers and the privacy commitments of sub-processors accessing the personal data of our customers. Our customers can view and enter into a Data Processing Addendum with JAGGAER here. Any data that a customer or its users input into our software applications will only be processed in accordance with the customer’s instructions, as described in our Data Processing Addendum.

How does JAGGAER ensure subprocessors engaged by JAGGAER are compliant with GDPR, including having appropriate technical and organizational safeguards to protect customer personal data?

While JAGGAER and its affiliated companies directly conduct the majority of data processing activities required to provide JAGGAER’s software applications and services, we do engage some third-party service providers to assist in supporting our offerings. Each service provider goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy. Service providers processing data on JAGGAER’s behalf are required to enter into Data Processing Addendums with JAGGAER to ensure they are subject to the same level of protection as the agreements JAGGAER enters into with its customers and are compliant with GDPR.

What subprocessors does JAGGAER use?

A list of JAGGAER’s service providers that may process customer personal data provided by customers using our software applications (“sub-processors”) is available here. Customers will be notified of any new sub-processors and have an opportunity to object, as required under GDPR.

How does JAGGAER enable controllers to ensure the rights of data subjects?

Customers can use the administrative rights and functionality available in JAGGAER’s software applications to help access, rectify, restrict the processing of or delete any data that they or their users put into our software applications, subject to the retention by JAGGAER of user data as required or permitted under applicable law for archival or record retention purposes.

What contractual and operational commitments does JAGGAER make to ensure customers are promptly notified of any incident involving personal data, in compliance with GDPR?

As one of the original providers of cloud-based spend management solutions, JAGGAER has made commitments in its customer contracts for approximately twenty years regarding incident notification. JAGGAER maintains data security operations that ensure a response time well within the GDPR-required time period.

What expertise does JAGGAER bring to bear with respect to data privacy and protection?

JAGGAER employs security professionals in Europe and the U.S. that include some of the world’s foremost experts in information, application, and network security. This team is tasked with maintaining our security programs, developing security review processes, building security infrastructure and implementing our security and privacy policies.

Additionally, JAGGAER employs a privacy team comprised of experienced professionals in both the U.S. and Europe. JAGGAER also partners with privacy and compliance experts across the globe, including our legal privacy partner, K&L Gates LLP, whose lawyers the EU consulted when developing the EU General Data Protection Regulation (GDPR), and our legal compliance partner, Baker & McKenzie LLP, regularly ranked as the world’s strongest law firm brand in the Acritas Global Elite Law Firm Brand Index. Our privacy and compliance team is tasked with maintaining JAGGAER’s privacy and compliance programs, implementing our privacy policies and regularly engaging with customers to ensure we are meeting our customers’ privacy and compliance needs.

Who may a customer or data subject contact for any questions or comments about personal data maintained by JAGGAER, GDPR or privacy generally?

Customers and data subjects may contact the JAGGAER data privacy team, located in both the EU and the U.S., via the Data Privacy Inquiry Portal. Additionally, customers and data subjects may contact the Data Protection Officer directly at DPO@jaggaer.com.