Our Obligation to the General Data Protection Regulation (GDPR)
LAST UPDATED: FEBRUARY 21, 2018
The General Data Protection Regulation (GDPR) came into effect in all Member States of the European Union (EU) on 25 May 2018. The GDPR is intended to strengthen data protection for all individuals within the EU, and all organizations conducting business within the EU (regardless of the organization’s location) will be expected to comply with these regulations when dealing with EU residents.
Key decision-makers within Televerde are fully aware of the changes to the EU data protection legislation. A “data protection task force” has been appointed to conduct a data audit and a data protection risk assessment of our EU and non-EU data business worldwide and to design improvements to our standard procedures and/or documentation.
We are in the process of developing and executing a training plan to educate our employees on the importance of GDPR and of any changes being introduced to the business to comply with the GDPR.
We are auditing all categories of personal data controlled and processed by Televerde and on behalf of our Customers, to determine at which point Televerde is the data controller, processor and/or co-controller. This includes reviewing our processes for acquiring, holding, accessing and sharing personal data, as well as revising our data retention policies.
We are conducting this audit across the globe in relation to our business, setting GDPR as our bar to ensure complete data protection for our Customers.
Communicating Privacy Information
We are revising our privacy notices to ensure that they comply with the additional information requirements of the GDPR. We are also reviewing our standard operating procedures to ensure that all privacy notices are made available to the relevant individuals in a timely manner.
We are also reviewing our contracts with suppliers, partners and customers to assess any new data protection requirements.
In some instances, Televerde has no direct relationship with the individuals whose personal data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to Televerde’s Client (the data controller).
The rights of individuals with respect to their personal data will be enhanced by the GDPR, so we are revising our standard operating procedures as well as our data storage and IT systems to ensure that we will be able to comply with any exercise of such rights. We are developing procedures to respond to a request for access to personal data, an objection to processing or a request for deletion of data.
Subject Access Requests
We are developing and/or implementing our processes around providing access to personal data in the event of a subject access request to ensure that we can comply within the new (shorter) timeline. In connection with this, we are updating our standard operating procedures around data storage and data retention to ensure we are not holding unnecessary personal data.
Lawful Basis For Processing Personal Data
As part of our data audit, we have identified the categories of personal data we hold and what processing activities we undertake, and we have determined the lawful justification for each. In general, most of our processing activities as data controller or co-controller are required in the performance of a contract or in the legitimate interests of our business (without having an undue impact on the fundamental rights and freedoms of the individuals involved). Additionally, we act as data processor for many of our customers, so we are revising our data processor contracts for compliance with the GDPR.
Our privacy notices will be updated to specifically explain the lawful basis of our processing activities.
In the limited circumstances where we will need to rely on consent of the data subject for the processing of personal data, we will have all appropriate procedures for seeking, recording and managing consent in accordance with the enhanced requirements of the GDPR.
In the course of doing business, we do not process any personal data relating to children, and our services are not directed towards children. As we may process personal data relating to children on behalf of our customers, we are reviewing our data processor contracts and our standard operating procedures to ensure compliance with the additional safeguards afforded to children and their personal data.
We will update our privacy notices based on client requirements.
We take data breaches very seriously, so although we already have a data breach procedure in place, we are updating and improving all processes for detecting, investigating and reporting data breaches.
Data Protection Impact Assessments
If we decide through the course of our project to implement new initiatives which would require a data protection impact assessment, we will follow our standard operating procedures for future use to ensure that we consider the privacy impact on individuals as part of our overall assessment of new projects.
Data Protection Officer
We have appointed a Data Protection Officer to ensure our ongoing compliance with data protection regulations.
Televerde operates in the EU; therefore, we have decided to leverage the European Commissioners Office as our lead supervisory authority. We operate within the EU and do transfer data outside of the EU to our Data Centers located in the US. We have implemented the proper security controls to minimize access to personal data throughout our organization.
If you have any additional Compliance questions, please feel free to email firstname.lastname@example.org