The General Data Protection Regulation (GDPR) is a European data protection regulation adopted by the EU Commission. It replaced the EU Data Protection Directive, also known as Directive 95/46/EC. The GDPR became effective on May 25, 2018 and applies to both individuals and businesses. It regulates the way in which personal data of citizens in the European Union should be handled.
We would like to provide you with answers to some of the questions that we hear time and time again from our customers. We also want to provide an update on what Liberation Technology Services has done to comply with GDPR and what services we offer to our customers to help them meet their compliance obligations. We recommend that you seek your own legal advice to determine exactly how the GDPR and Brexit impact your business.
FAQS ABOUT GDPR
Is Liberation Technology Services a controller or a processor of Customer Data?
Under the GDPR, a “controller” determines why and how personal data is processed. A “processor” processes personal data on behalf of the controller. Generally, Liberation Technology Services has limited knowledge of the data that our customers process via the hosting infrastructure or customer configuration (“Customer Data”). In addition, we only process Customer Data in accordance with our customer’s instructions. Therefore, Liberation Technology Services is a processor or sub-processor of Customer Data.
Will GDPR change the way Liberation Technology Services treats customer data?
Liberation Technology Services continues to treat Customer Data with the required level of sensitivity and confidentiality.
Liberation Technology Services will continue to take appropriate steps to ensure that we do our part to comply with the relevant provisions in the GDPR.
Under GDPR, can an EU customer continue to host personal data outside of the EU/EEA?
Provided certain legal mechanisms are in place, EU customers can host personal data outside of the EU. Personal data may be transferred outside of the EU and the EEA when an adequate level of protection for that data is guaranteed.
To help achieve this level of protection, Liberation Technology Services has taken the proactive step of including a Data Processing Addendum that incorporates the applicable Standard Contractual Clauses into our Master Services Agreement. Compliance with data protection laws, however, is a shared responsibility, which is why we generally require our customers to secure and encrypt, in transit and at rest, certain data stored on or transmitted using Liberation Technology Services services. We also require customers to take suitable steps to otherwise prevent Liberation Technology Services from accessing certain data where our access to the premises, systems, or networks owned or operated by the customer may result in its exposure.
Won’t I be in breach of the data protection laws if Liberation Technology Services transfers my personal data outside the EU/EEA?
The current laws allow Liberation Technology Services to process personal data, and therefore support your services, from outside the EEA if there are adequate transfer protections in place. Compliance with relevant data protection law, however, is a shared responsibility, as addressed in our Master Services Agreement.
Will the Data Protection laws/GDPR apply when Britain leaves the EU?
The key data protection law on EU data transfers is the GDPR. The Information Commissioner's Office (ICO) has provided specific guidance on data protection in relation to Brexit, and we strongly recommend that customers review the ICO's guidance. This guidance is available at: https://ico.org.uk/for-organisations/data-protection-and-brexit/ In June 2021, the European Commission adopted two adequacy decisions for transfers of personal data to the United Kingdom. These decisions allow the free movement of data between the EEA and the UK. For further information, please see: https://www.gov.uk/government/news/eu-adopts-adequacy-decisions-allowing-data-to-continue-flowing-freely-to-the-uk.
I heard that the European Court of Justice recently invalidated the EU-US Privacy Shield Framework. How does that impact my existing agreement with LTS? How do I get a version that removes the Privacy Shield and includes the updated Standard Contractual Clauses that were adopted in June 2021?
Customers who need to incorporate the revised provisions into their agreement can do so by following the instructions here.
What services does Liberation Technology Services offer to help me comply with GDPR?
First, review the GDPR to determine whether it applies to your organization. If GDPR applies, make sure that you implement appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with GDPR.
Please feel free to reach out to a representative at Liberation Technology Services so that we can help tailor a solution to fit your business needs. While we cannot ensure that your company is GDPR-compliant, we do offer many products and services that can help you meet some of the GDPR requirements. You should always work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization and how best to ensure compliance.
How do I update my current agreement with Liberation Technology Services in light of GDPR?
We have a new Data Processing Addendum that will meet the requirements of the GDPR. Customers who need to incorporate GDPR provisions into their agreement can do so by following the instructions here.
If you have questions about this Agreement, please contact us by email or regular mail at the following address:
Liberation Technology Services Legal Department
1702 W. Cleveland St.
Tampa, FL 33606