By now, I’m sure your email account is littered with mass emails from services across the globe talking about GDPR implementation. Time for a pile-on, because here at WeFoster we have also completed a full review of our services and internal structure to make sure we are in compliance with GDPR.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and will apply a single data protection law throughout the EU.
Data protection laws govern the way that businesses collect, use, and share personal data about individuals. Among other things, they require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and ensure appropriate security protections are put in place to protect the personal data they process.
Who does the GDPR apply to?
The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition, and includes data that is obviously personal (such as an individual’s name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).
Does the GDPR apply to an individual developer?
Yes, if the individual developer is a customer of WeFoster and they are processing the personal data of EU individuals when using our products and services.
What is WeFoster’s role under GDPR?
We act as both a data processor and a data controller under the GDPR.
WeFoster as a data processor:
When customers use our products and services to process EU personal data, we act as a data processor. For example, we will be a processor of EU personal data and information that gets uploaded onto a WeFoster container. This means we will, in addition to complying with our customers’ instructions, need to comply with the new legal obligations that apply directly to processors under the GDPR.
Our Commitment as a Data Processor Includes:
- Processing personal data solely for the purposes of carrying out the services correctly: WeFoster will never process your information for any other purposes (marketing, etc.).
- Informing you if we have enlisted a subcontractor to process your personal data: to date, no services involving any access to data you have stored as part of the service have been subcontracted outside of WeFoster.
- Applying strict security standards to provide a high level of security for our customers.
- Reporting any data breach to you without “undue delay.”
- Helping you meet your regulatory obligations, by providing you with comprehensive information on our services.
WeFoster as a data controller:
We act as a data controller for the EU customer information we collect to provide our products and services and to provide timely customer support. This customer information includes things such as customer name and contact information.
Our Commitment as a Data Controller Includes:
- Limiting data collection to what is strictly necessary: as part of these efforts, when you order a service, you only enter the details needed for WeFoster to provide invoicing and support services, and to fulfil our own legal obligations concerning data retention.
- Not using gathered data for any purposes other than those for which it was collected.
- Retaining personal data for a limited and proportionate time. For example, the data processed in order to manage the relationship between the customer and WeFoster (surname, first name, postal address, email address, etc.) is retained by WeFoster for the entire duration of the contract and thirty-six (36) months afterwards. At the end of this period, the data is deleted on all platforms and backups.
- Not transferring this data to third parties other than WeFoster Service Providers acting as part of the performance of the contract.
- Implementing appropriate technical and organisational measures to ensure a high degree of security.
WeFoster Service Providers:
- Our infrastructure partner S5 receives email addresses to connect the hosting container to the correct user account via a secured API call.
- Our infrastructure partner OVH is where your sites are hosted inside Docker containers. More info about their compliance can be found HERE