GDPR
CHILI publish’s approach has been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which replaced the EU Data Protection Directive and became enforceable on May 25, 2018.
If a company collects, transmits, hosts or analyzes personal data of data subjects, the GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn our customers’ trust, our DPA has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is the European privacy regulation. The GDPR addresses the processing of personal data and the free movement of such data. It aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. Broadly, it sets out a number of data protection principles and requirements which must be adhered to when personal data is processed. The GDPR also established the European Data Protection Board (“EPDB”), which ensures that the data protection law is applied consistently across the EU and works to ensure effective cooperation amongst data protection authorities.
How does the GDPR apply to customers?
CHILI publish customers that collect and store personal data are considered data controllers under the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including the GDPR and uniquely determine what personal data is submitted to, and processed by, CHILI publish in accordance with the Services.
In its capacity as data processor, how does CHILI publish handle requests made by End-Users?
If CHILI publish receives a data subject request from a Customer’s End-User (i.e., a user of the CHILI publish online Services to whom a Customer has provided our Services), CHILI publish is the Processor, and CHILI publish will, to the extent that applicable legislation does not prohibit CHILI publish from doing so, promptly inform the End-User to contact our Customer (i.e. the Controller) directly about any request relating to his/her Personal Data such as access or deletion. CHILI publish will not further respond to a data subject request without Customer’s prior consent.
What are the “Standard Contractual Clauses”?
The European Commission has approved a set of standard provisions called the Standard Contractual Clauses (“SCC”) which provide a data controller a compliant legal mechanism to transfer personal data to a data processor outside the European Economic Area (“EEA”). In addition, the parties have to assess if the personal data transferred to countries outside the EEA would be afforded an adequate level of data protection according to the GDPR requirements. The Model Clauses are appended to the CHILI publish DPA to help provide adequate protection for data transfer outside of the EEA or Switzerland.
Does CHILI publish replicate the Service Data it stores? CHILI publish periodically replicates data for purposes of archival, backup and audit logs.
Data Processing Agreement
CHILI publish offers active Customers a Data Processing Agreement (“DPA”) to reflect the parties’ agreement with regard to the processing of personal data.
What is a Data Processing Agreement (“DPA”)
CHILI publish offers customers a Data Processing Agreement governing the relationship between the Customer (acting as a Data Controller) and CHILI publish (acting as a Data Processor). The DPA facilitates CHILI publish’s customers’ compliance with their obligations under EU data protection law and contains strong privacy commitments and has been updated to confirm our compliance with the GDPR. The DPA also contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to CHILI publish outside of the European Union by our Standard Contractual Clauses. In addition, CHILI publish conducts a comprehensive assessment to determine whether the data importer in a third country, if it has not been recognized by the European Commission as offering an adequate level of data protection, can actually guarantee an adequate level of data protection as stipulated in the GDPR and in the SCC.
Additional questions about the DPA
If you have additional questions, please contact your CHILI publish Account Executive or alternatively, open a case with the CHILI publish Privacy Manager by contacting security@chili-publish.com