In 2016, the European Union (EU) approved a new privacy regulation called the General Data Protection Regulation. More commonly known as the “GDPR”, it will come into force on May 25, 2018.
As a company that has always taken privacy very seriously, nothing is more important to us than the success of our customers and the protection of their personal data in the GDPR era. With customers in nearly every country in the world, Atera is taking actions to prepare for compliance with the General Data Protection Regulation (GDPR), which is due to take effect on May 25, 2018.
What the GDPR Means
The GDPR expands the privacy rights granted to European individuals and requires certain companies that process the personal data of European individuals to comply with a new set of regulations.
The GDPR is a mandatory ruling that applies to all companies that collect the data and information of EU individuals and meet certain territorial requirements. In particular, the GDPR may apply to companies that process the personal data of European individuals and have a presence in the EU (e.g. offices or establishments) and to companies that do not have any presence in the EU but target the European market (e.g. by offering goods or services to the European market) or monitor the behavior of European individuals.
We’re here to help our customers in their efforts to comply with the GDPR.
What is Atera’s take on the GDPR?
We welcome the positive changes the GDPR brings, such as the increased harmonization and the “privacy by design and privacy by default” approach. Our view is that the GDPR is not only an obligation but also an opportunity to build privacy-friendly products while increasing customer trust.
How is Atera Preparing for the GDPR?
- GDPR Strategy. We have retained outside counsel to help us understand the GDPR and prepare for the GDPR. We have closely analyzed the requirements of the GDPR. We have an internal taskforce with members of different departments that are responsible for GDPR compliance. Members of our senior management have been personally involved in the supervision of implementing our process of preparing for the GDPR. We are approaching the process of planning our GDPR compliance strategy with our engineering, product, security and legal teams, to implement the necessary procedures and practices. Our engineering, product, security and legal teams are responsible for GDPR compliance.
- Data Mapping. We mapped Atera’s data collection practices and determined Atera is a data processor and we have prepared a Data Processing Agreement to be signed by our customers who are subject to the GDPR and need to sign a DPA with us.
- Data Subject Rights. Although we are not data controllers when providing our product, we are working to make it easier for our customers to comply with requests related to data subject rights (for example, with the right to be forgotten). Customers and their users may approach us with such requests at: email@example.com. We have also adopted an internal company policy regarding data subject rights under the GDPR. We are implementing industry acceptable security measures to protect the data that we process for our customer, such as encryption techniques and 2-factor authentication.
- Data breaches. We have developed and implemented a protocol for dealing with data breaches.
Hosting - Nothing in the GDPR prevents businesses from storing data outside of the EU, provided that the hosting providers adhere to the necessary regulations and protections. This is why we host the data that we process with Microsoft Azure. Microsoft Azure has already announced that they will comply with the GDPR. They are also privacy-shield registered (consult here: https://www.privacyshield.gov/list).
Atera’s staff - Atera Networks Ltd. is a company based in Israel, which was declared by the European Commission as a country that offers adequate level of data protection (see here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en).
We only share personal data that is subject to the GDPR with vendors and partners who, like Microsoft Azure, have announced that will comply with the GDPR and have undertaken to do so.
Does the GDPR prevent a company from storing data outside of the EU?
Nothing in the GDPR prevents businesses from storing data outside of the EU, provided that the data processors adhere to the necessary regulations and protections.
Where can I learn more about GDPR?
Additional information is available on the European Commission’s website here (https://ec.europa.eu/justice/data-protection/reform/index_en.htm).
I have more questions. Who should I contact?
If you have any additional questions about the GDPR you are welcome to contact us at firstname.lastname@example.org
Disclaimer: The information in this document may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data.