The European Commission approved and adopted the new General Data Protection Regulation (GDPR) in 2016, and it is enforceable beginning May 25, 2018. The GDPR strengthens the requirements for the security and privacy of personal data in the European Union (EU) and will harmonize EU data protection laws by applying a single data protection law that is binding on EU Member States. The GDPR will replace the existing EU Data Protection Directive (the Directive), also known as Directive 95/46/EC, as well as many but not all local laws relating to it.
Viewpoint welcomes the GDPR as an opportunity to reaffirm our commitment to the privacy and security of customer data. Compliance with the GDPR relies on a partnership between Viewpoint and our customers in their use of our software. In order to provide transparency to our customers, this document sets forth relevant information regarding how Viewpoint will comply with the GDPR as a data processor.
Who and what does the GDPR apply to?
The GDPR applies to all organizations processing “personal data” of EU data subjects where the organization is located in the EU or where the organization is located outside the EU and offers goods and services within the EU.
The definition of "personal data" has been broadened under the GDPR to include any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, by reference to an identifier such as:
- Email address
- An identification number
- Location data
- Online identifier such as IP address
- Or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What about Brexit? Will these rules still apply to companies operating in the UK?
Because the GDPR is binding only on EU Member States, after Brexit the UK will mostly not be bound by the GDPR. The UK, though, will have its own data protection law with which UK companies must comply. However, to the extent you collect and/or process personal data of EU Member State data subjects, you will still need to comply with the GDPR.
What are the differences between GDPR and the existing Directive?
There are many similarities between the GDPR and the Directive, but differences exist. Generally speaking, the GDPR provides individuals with more rights over how their personal data is collected and used. The GDPR also introduces direct obligations for data processors, whereas the current Directive holds only data controllers directly liable for data protection noncompliance. For the first time, processors will also be subject to regulatory penalties (e.g., fines) and civil claims by data subjects.
Following are some of the rights the GDPR grants to individuals:
- Right to be forgotten. While the right to erasure, otherwise known as the right to be forgotten, isn’t absolute, individuals will have the right to request deletion of their personal data held by controllers.
- Right to notice, access, correction and restriction. Individuals have the right to know what personal data controllers and processors are processing as well as the right to access, correct and restrict processing of their personal data.
- Right to portability. Individuals now have the right to obtain a copy of their personal data in a commonly used, machine-readable format.
How does the GDPR affect Viewpoint customers?
When it comes to GDPR compliance, both Viewpoint and our customers have shared responsibilities: our customers as data controllers, and Viewpoint as a data processor. To quote from the official GDPR FAQ page, “A controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”
We expect our customers and their users to comply with all applicable laws and regulations in connection with the use of Viewpoint software. In particular, we expect our customers to have all rights and consents necessary to allow Viewpoint to lawfully process personal data provided by our customers to Viewpoint.
What is Viewpoint’s GDPR plan?
Viewpoint’s compliance and security program is comprehensive and based on globally accepted standards. We remain committed to keeping our customers’ data safe and secure.
As a processor, we are prepared to assist and support our customers with respect to data subject requests that our customers instruct us to address. To that point, we have updated the functional capabilities of Viewpoint for Projects, Viewpoint Field View, and Viewpoint Team in order to ensure that we are able to comply with requests related to access, correction, deletion and portability of personal data.
Does Viewpoint transfer data internationally?
The data centers used for primary and backup hosting for Viewpoint’s EU software products provided to our EU-based customers are located in the UK. However, in limited circumstances in the course of providing services to and conducting business with our EU-based customers, certain personal data may be transferred to the U.S.
If I am a customer and one of my users makes a GDPR request that requires processor assistance, how can I enlist Viewpoint’s assistance in addressing the request?
Please email us at firstname.lastname@example.org.
If I am a customer and one of my users makes a GDPR-related request directly to Viewpoint, what will Viewpoint do?
Since the customer is the data controller, we will notify the customer.
Does Viewpoint have a Data Protection Addendum (DPA)?
Yes, please email email@example.com to request a copy of our current DPA.
What if I have questions not addressed here?
We’re happy to discuss. Please contact firstname.lastname@example.org with any questions or concerns.
Viewpoint provides this material for informational purposes only. The material provided is general and in summary form and is not intended to be comprehensive. Further, it is not intended to be legal advice and should not be construed as such. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer, or other professional advisor who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship.