Regulations regarding protection of personal data
Various texts of international, European or national scope currently apply to the protection of personal data. The most important are:
- Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties.
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealed on 25 May 2018 by Regulation (EU) 2016/679.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Charter of Fundamental Rights of the European Union (2012/C 326/02).
- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
TIA commits to complying with the obligations arising from these regulations, especially those of the General Data Protection Regulation (GDPR).
We strongly encourage all our customers to be particularly vigilant on these compliance aspects. Other, more specific regulations may also exist, in particular for certain categories of personal data. It is the customer’s responsibility to clearly identify the regulations applicable to its activities in order to comply with them.
The Data Protection Officer (DPO): acting in the daily service of data protection
François Coulloudon is the DPO of TIA.
The DPO has the necessary resources to perform his role. He advises the operational staff and managers of the company, in compliance with the obligations and best practices that TIA must implement in terms of protection of personal data.
In practice, he raises awareness among the company’s employees, keeps them regularly informed, and answers their requests regarding the protection and processing of personal data. He is also the contact person for all customers and users seeking appropriate guarantees regarding the measures implemented to ensure compliance with regulations, including the GDPR.
The email address to contact him regarding personal data is: gdpr@teeptrak.com
GDPR
The General Data Protection Regulation (GDPR) is the legal framework for the processing of personal data in Europe, as of May 25, 2018. Unlike Directive 95/46/EC, which until then governed such processing, the GDPR is directly applicable in the Union and does not require national transposition. In this regard, it will promote the harmonization of legal regimes for the protection of personal data in Europe. Better still, the GDPR has a principle of extraterritoriality which, under certain circumstances, allows its scope of application to extend beyond European borders.
If your organization processes personal data, chances are high that you are subject to the GDPR. As such, you have obligations that you must comply with. The same is true for TIA which, in view of its situation, will have separate obligations depending on whether it acts as subcontractor or as data controller.
Definitions
Understanding the real and precise stakes of a European regulation is not always easy, especially when it includes 99 articles, 173 recitals and many guidelines to clarify its interpretation. It is nevertheless essential in order to avoid any risk that may result from an overly broad or imprecise interpretation of the regulatory obligations incumbent on your organization. It is therefore important to understand the few terms defined below:
- Personal Data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly.
- Processing: any operation or set of operations carried out with or without automated processes and applied to data or sets of personal data (collection, recording, transmission, storage, preservation, extraction, consultation, use, interconnection, etc.).
- Process Controller: the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of processing.
- Subcontractor: the natural or legal person, public authority, department or other body which processes personal data on behalf of the controller.
TIA as a subcontractor
It is certainly in this capacity that your expectations of TIA are highest. TIA is referred to as a “subcontractor” when it processes personal data on behalf of the controller.
This is typically the case when you use TIA’s services and store personal data on a TIA infrastructure. Within the limits of its technical constraints, TIA will only be able to process the stored data according to your instructions and on your behalf.
TIA’s commitments as a subcontractor
As a subcontractor, TIA commits in particular to the following actions:
- To process personal data for the sole purpose of the proper performance of the services: TIA will never process your information for other purposes (marketing, etc.).
- To not transfer your data outside the EU or outside countries recognized by the European Commission as having a sufficient level of protection: provided that you do not select an infrastructure in a geographical area outside the EU (for example our infrastructure in China).
- To keep you informed of any use of subcontractors who could process your personal data: to date, no service involving access to content stored by you as part of the services is subcontracted outside the TIA group.
- To implement high security standards in order to provide a high level of security to our services.
- To notify you as soon as possible in the event of a data breach.
FAQ: Who owns the personal data used and stored by the customer as part of the services?
Data hosted by the customer as part of TIA’s services remains the property of the customer.
TIA only accesses it when necessary for the performance of the services and within the limits of its technical constraints, and never uses it except to calculate, in a completely anonymous manner, the impact on the performance of its systems over time.
TIA refrains from any resale of such data, as well as any use for its own purposes (such as data mining, profiling or direct marketing activities).
TIA as data controller
TIA is referred to as a “data controller” when it determines the purposes and means of “its” personal data processing.
This is typically the case when TIA collects data for billing, recovery management, service quality and performance improvement, sales canvassing, business management, etc., and also when TIA processes the personal data of its own employees.
In this case, “your” data, which you store on TIA infrastructures, is not affected. On the other hand, certain information concerning you or your employees (for example, the identity and contact details of the TIA contact person in the context of a request for technical assistance) may be. This is why TIA would like to help you understand the safeguards implemented to ensure the protection of this personal data.
- To process personal data for the sole purpose of the proper performance of the services: TIA will never process your information for other purposes (marketing, etc.).
- To not transfer your data outside the EU or outside countries recognized by the European Commission as having a sufficient level of protection: provided that you do not select an infrastructure in a geographical area outside the EU (for example our infrastructure in China).
- To keep you informed of any use of subcontractors who could process your personal data: to date, no service involving access to content stored by you as part of the services is subcontracted outside the TIA group.
- To implement high security standards in order to provide a high level of security to our services.
- To notify you as soon as possible in the event of a data breach.