GDPR

 

Online version of the GDPR available on BioAware website.

 

 

The privacy organization in BioAware gets many questions these days about how we prepare for the GDPR (General Data Protection Regulation). On this page, you can read BioAware’s official answer to that question. The audience is any stakeholder that has basic insight in privacy and privacy law. We will not go into details about the regulation itself.

 

GDPR will apply to all members of the EU and EEA from May 25th, 2018. It will replace todays legislation regarding privacy in member countries currently subject to the EU Directive 95/46. You find many of the statutes in the GDPR in the current legislation, but the GDPR is more detailed and precise in certain areas and takes into account the challenges in the rapid evolving digital world, giving rise to privacy risks for data subjects. GDPR is first of all demanding due to its detailed transparency requirements. Any company as well as other bodies that process personal data, is also to a large extent required to document the processing, ensure the lawfulness of processing, document the existence of sufficient procedures, provide information on security measures and to ensure that sufficient data processing agreements are in place. GDPR is important because it improves the protection of European data subjects’ rights and clarifies what companies that process personal data must do to safeguard these rights.

 

BioAware has worked hard to incorporate the right attitude and knowledge about data protection and privacy in its culture.

 

BioAware cares about privacy and the topic is always on the agenda in the team meetings. The responsibility for privacy work in BioAware has been delegated to a Data Protection Officer (DPO) who reports directly to the CEO. This is an independent formal role described in the GDPR. The person appointed is the main contact point for any data subject or customer in privacy matters. The DPO facilitates the privacy work in BioAware.

 

The GDPR defines two roles that are subject to different legal obligations:

 

 

The nature of BioAware business makes us both Controller and Processor. Thus, BioAware must comply with the legislation concerning both of these roles. We are a Controller when we process data about our own employees and customer contacts/users. We are a Processor when we provide cloud services (SaaS) or other hosted IT services to our customers. In addition, we are a vendor of software that customers install and operate themselves, but this does not make BioAware a Processor. When BioAware act as Processor or software vendor, the customer using the service/software is the Controller.

 

The next chapters will explain what BioAware is doing to comply with the GDPR in the Controller and Processor roles.

 

BioAware process data about employees and customer contacts/users. In a few occasions, we may also process data about others. This is natural when running a software business. Our main efforts making sure we are compliant, are related to being transparent. Enabling our employees and customer contact persons to understand why, what, when and how their personal data are processed. Our customer contact persons will find this information in our Privacy Statement.

 

We are ensuring that all data protection agreements (DPA) with subcontractors are sufficient in terms of protecting the rights of data subjects, as well as complying with provisions for transfer of data outside the EU/EEA as set out in the GDPR.

 

Utilizing the power of digital marketing technology is key to BioAware going forward. This involves creation of interest profiles such that only relevant information can be presented to stakeholders. In addition, we will increase efficiency for stakeholders wanting to adjust their interest profiles, as well as withdrawing consent.

 

BioAware provides a range of options in the cloud-based software (SaaS) to our customers, and does also provide hosting services as well as consulting services. These occasions except for pure hire of consultants, makes BioAware a Processor. This mean that BioAware is responsible for only processing the personal data as instructed by the Controllers (the customers). Since most of our software are delivered in a one to many relation, giving the Controllers (the customers) the freedom to continuously give us instructions on how to process their personal data is not possible. This underlines the importance of agreeing with the Controller (the customer) on what these instructions are, typically in the Terms of Service or in a dedicated DPA.

 

When a customer hires a consultant from BioAware and his/her work is supervised by the customer, BioAware is not a Processor, and due to that a DPA is not necessary. Depending on the nature of the assignment, it may be wise for the parties to enter into a non-disclosure agreement though.

 

As a software vendor we also take responsibility for certain things that the Controllers themselves will have difficulties controlling. This will typically be the design of the software regarding features for correcting and erasing personal data and implementation of information security measures to safeguard data confidentiality, integrity and availability.

 

Being a provider of cloud services also mean that we use a range of subcontractors to deliver the services, and we have certain transparency obligations in this regard, as well as making sure that sufficient data processing agreements are in place. We are doing this to ensure privacy and trust throughout the chain of companies involved in processing our customers data. BioAware’s business is based on earning this trust from our customers.

 

Our main efforts making sure that we are compliant as Processor, are around these initiatives:

 

 

Further, we have published the Trust Center on bio-aware.com. This page provides customers information needed to document their processing activities as a Controller. In summary, this information seeks to outline the privacy skills and abilities of our cloud services and software products. The aim with this information is to enable Controllers (our customers) to fulfill their duties according to GDPR to safeguard privacy when using a Processor (BioAware) to process personal data on their behalf.

 

On request, a customer may also access more detailed privacy information particularly concerning security measures applied and agreements with subcontractors. Such requests may be subject to fees and non-disclosure agreements.

 

BioAware believes that awareness and competence among all our employees will have significant impact on our ability to comply with the GDPR and safeguard privacy for customers and BioAware. In order to increase awareness and understanding, we have developed courses for privacy that will be mandatory for all BioAware employees to complete in 2018. These courses will also be included in the onboarding process for new employees.

 

If you are looking for general information regarding processing of personal data in BioAware, visit bio-aware.com and read our Privacy Statement.

 

If you represent a customer being a Controller and need more information regarding data protection around software products/services, you can visit our Trust Center.

 

If you have questions directly related to a data protection agreement with BioAware, you should reach out to your primary business contact in BioAware.

 

All other inquiries should be sent to info@bio-aware.com. We will respond to such inquiries as soon as possible and make priorities based on urgency in terms of risk for data subjects.

 

Hannut, May 23rd, 2018