GDPR Compliance Statement

The General Data Protection Regulation (GDPR) represents a significant overhaul of data protection law. It strengthens the rights of data subjects in relation to the uses that governments, businesses and other organization can make of their personal data and imposes new legal obligations on those organizations about how they hold and process personal data relating to their staff, customers, suppliers, and other stakeholders.

ProteqsIT LLC (“ProteqsIT”) and its products takes privacy very seriously and has undertaken an extensive GDPR-readiness program using both GDPR-trained internal resources and specialist external advisers. The purpose of this statement is to inform our clients about the steps that we have been taking by way of preparation.

ProteqsIT has undertaken an internal data-mapping exercise, in order to ascertain exactly what kinds of personal data we hold, the sources from which it is obtained, and how it is used. We have also undertaken a security audit to ensure that, where we hold and process personal data, there are appropriate technical and organizational measures in place to ensure that the data is protected. Our findings have been documented in order to help us comply with the GDPR’s accountability requirement.

The GDPR states that the processing of personal data is only lawful if it is done under one of the defined “lawful bases”: these include, for example, that the data subject has given consent to the processing, that the processing is necessary for the performance of a contract with the data subject, or that the processing is necessary for the purposes of the organization’s “legitimate interests”.

On the basis of the output from the information audit, ProteqsIT has identified an appropriate lawful basis for each kind of processing that we undertake, and these are documented in our privacy notices.

Our privacy notices have been updated to ensure that data subjects are properly informed about all the details that GDPR requires us to notify them about, such as the identity and contact details of ProteqsIT as the controller of the personal data; the contact details for the person responsible for data protection within the organization; the purposes of the processing, and the lawful basis for it; the “legitimate interests”, where this is the lawful basis of processing on which we are relying; and the existence of the data subject’s right (a) to request access to the personal data, (b) to request rectification or erasure of personal data, (c) to request that the processing is restricted, (d) to object to the processing and (e) to data portability.

We have developed and implemented several new policies and procedures to ensure that we are able to respond efficiently to data protection issues. These include a new Privacy Policy which directs staff as to how personal data should be used, along with procedures for dealing with:

• Subject access requests
• Requests from data subjects to exercise their other rights under the GDPR, such as the “right to be forgotten” and the right to have inaccurate data rectified.
• Personal data breach incidents
• Objections to direct marketing.

We have developed a Data Protection Addendum to our standard terms of engagement, that addresses the GDPR’s requirements about contracts between data controllers and data processors where we are handling personal data on behalf of a client. In summary, the Addendum provides that:

• ProteqsIT will only process the personal data on the client’s written instructions;
• ProteqsIT will ensure that all personnel with access to the personal data treat it in confidence;
• ProteqsIT will put in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing, and against accidental loss, destruction or damage;
• ProteqsIT will not engage a subcontractor as a third-party processor of the personal data without the client’s approval;
• ProteqsIT will assist the client in responding to requests from data subjects and in ensuring compliance with certain of the client’s other obligations under data protection law;
• ProteqsIT will delete or return personal data on termination of the relevant engagement;
• ProteqsIT will keep complete and accurate records and information to demonstrate its compliance, and allow for audits by the client or its representatives;
• ProteqsIT will inform the client if an instruction infringes data protection law; and
• ProteqsIT will not transfer any personal data outside the European Economic Area unless (a) the client’s prior written consent has been obtained, and (b) appropriate safeguards have been put in place for the personal data.

The inclusion of this Addendum means that our clients can be assured that, if ProteqsIT processes personal data on their behalf, it is being done on the basis of a contract that meets those requirements.

We will do our best to ensure that with effect from 25th May 2018, our contracts with any third-party companies that process personal data on our behalf include the relevant controller-processor clauses.