The GDPR is the new data protection legislation which becomes applicable in the European Union starting May 25th, 2018, replacing the previously existing European rules and regulations.
The GDPR sets out a unified legal framework for the protection of EU natural persons with regard to the processing of their Personal Data.
Personal Data (“Personal Data”), as defined in article 4.1 of the GDPR, means any information relating to an identified or identifiable natural person.
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. These identifiers include, but are not limited to, email addresses, physical addresses, IP addresses etc.
eFront has always taken the protection of its clients’ data very seriously and is actively working on becoming compliant with the GDPR. A task force has been set up to review eFront’s internal processes in order to understand in detail which measures should be implemented to ensure compliance with the GDPR.
eFront has put in place a Data Processing Agreement (“DPA”) to provide, in accordance with the applicable data protection laws, a contractual framework for the collection and the processing of Personal Data of its clients, who act as data controllers when using the eFront technology and services to which they subscribed. In this respect, the DPA sets out the technical and organizational measures which eFront has implemented in order to protect the Personal Data of its clients.
eFront Technology is not meant to collect and process Personal Data.
When the collection and processing of Personal Data does happen, eFront, as a data processor, collects and processes, under clients’ instructions, clients’ Personal Data through the eFront technology subscribed to by clients, which may include software as a service (SaaS), mobile applications and software hosted by eFront (“eFront Technology”), as well as while providing to clients maintenance and support services and related professional services, if applicable. Therefore, the processing and collection of clients’ Personal Data by eFront is only done under the instructions of the clients and for the purposes of making the functionalities and associated services to which the clients subscribed available to them.
eFront has always built its technology with the objective of safeguarding the security and confidentiality of Personal Data of its clients. The eFront Technology includes a functionality enabling clients to define which Personal Data can be used and to allow them to limit the collection of Personal Data to the specific purpose of the data processing defined by clients. Whenever necessary, Personal Data fields can be configured. The storage of Personal Data can be limited, and clients responding to data subject requests are able to manually access the data, add, rectify, delete or export the data. With the GDPR, eFront will continue to work on improving its products with the view of providing standard functionalities allowing clients to comply with their privacy by design obligations.
eFront implements and maintains an information security management system to secure its clients’ Personal Data that is processed by eFront in the framework of the services subscribed to by clients. Where clients’ Personal Data is hosted by eFront, eFront relies on the technical and organizational measures implemented by Amazon Web Services, which offer various features to secure clients’ Personal Data.
eFront is also ISO 27001 compliant and SOC 2 Type II audited. The technical and organizational measures are detailed in the DPA which is attached to eFront’s general terms and conditions.
For clients located within the European Economic Area (“EEA”), the servers hosting the clients’ Personal Data are located within the European Union. For clients located outside the EEA, the servers are located outside the EEA, but the location may vary depending on the clients’ specific requests, which are determined during contract negotiations.
eFront is Privacy Shield certified to secure the transfer of clients’ Personal Data to the United States. Clients also have an option to enter into Standard Contractual Clauses for the transfer of Personal Data outside the EEA. Finally, eFront is currently working on implementing Binding Corporate Rules to secure all transfers within the eFront group.
eFront may appoint sub-processors as described in the DPA. In case eFront appoints a new sub-processor during the term of a client’s agreement, the client will be able to object to such sub-processing in accordance with terms and conditions set out in the DPA.
Although the appointment of a DPO is not an obligation for eFront under the GDPR, eFront aims at providing clients with a single point of contact to address any data protection issues.
Under the GDPR, eFront has to comply with its obligations as the data processor. eFront will circulate a variation letter to vary the terms of all agreements with its existing clients in order to reflect its obligations under the GDPR.