NetLicensing is excited about the GDPR and the strong data privacy and security principles that it emphasizes
- What is the GDPR?
- Do you need to comply with the GDPR?
- Does it matter whether you are a controller or a processor?
- How does NetLicensing comply with the GDPR?
- How can NetLicensing assist in your GDPR compliance efforts?
The GDPR is effective as of May 25, 2018, and sets a high bar for global privacy rights and compliance. We prepared our business and compliance processes for the GDPR to take effect, and this guide is intended to help our customers/vendors do the same.
Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.
What is the GDPR?
The General Data Protection Regulation is a European privacy law approved by the European Commission in 2016. The GDPR replaced a prior European Union privacy directive known as Directive 95/46/EC, which had been the basis of European data protection law since 1995.
A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data.
The GDPR was adopted in April 2016 and is effective on May 25, 2018.
Who does it affect?
The scope of the GDPR is very broad. The GDPR affects all organizations established in the EU, and all organizations involved in processing personal data of EU citizens. The latter reflects the GDPR’s introduction of the principle of “extraterritoriality”: the GDPR applies to any organization processing personal data of EU citizens, regardless of where it is established and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors.
What is considered “personal data”?
Per the GDPR, personal data is any information relating to an identified or identifiable individual; that is, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data now includes not only data that is commonly considered to be personal in nature (e.g. social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioural data, location data, biometric data, financial information, and much more. This means that, for NetLicensing vendors, at least a majority of the information that you collect about your end-customers can be considered personal data under the GDPR. It’s also important to note that even personal data that has been “pseudonymized” is still considered personal data if the pseudonym can be linked to any particular individual.
Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your NetLicensing vendor account.
What does it mean to “process” data?
Per the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing EU personal data within the meaning prescribed by the GDPR. This means, for example, that if any of your NetLicensing data entities (e.g. Licensee, License, Transaction) contains the email address, name, or other personal data of any EU citizen, then you are processing EU personal data under the GDPR.
Keep in mind that even if you do not believe your business is affected by the GDPR, the GDPR and its underlying principles may still be important to you. European law tends to set the trend for international privacy regulation, and increased privacy awareness now may give you a competitive advantage later.
Do you need to comply with the GDPR?
You should consult with legal and other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however, if you are an organization that is organized in the EU or one that is processing the personal data of EU citizens, the GDPR will apply to you.
Does it matter whether you are a controller or a processor?
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in.
A controller is an organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.
A processor is an organization that processes the data on behalf of the controller.
The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party.
Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor and to familiarize yourself with your responsibilities accordingly.
In the context of the NetLicensing application and our related services, our customers/vendors are acting as the controller in the majority of circumstances. Vendors, for example, decide what information from their end-customers is uploaded or transferred into their NetLicensing account. NetLicensing is acting as a processor by performing these and other services for our customers/vendors.
How does NetLicensing comply with the GDPR?
NetLicensing is excited about the GDPR and the strong data privacy and security principles that it emphasizes, many of which NetLicensing instituted long before the GDPR was enacted. At NetLicensing, we believe that the GDPR is an important milestone in the data privacy landscape, and we are committed to being compliant with the GDPR.
We are constantly reviewing (and updating where necessary) all of our internal processes, procedures, data systems, and documentation to ensure that we are compliant with the GDPR. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our vendors. We are, among other things:
- Updating our Data Processing Agreement to meet the requirements of the GDPR in order to permit you to continue to lawfully use EU personal data with NetLicensing and permit NetLicensing to continue to lawfully receive and process that data;
- Analyzing all of our current features and processes to determine whether any improvements or additions can be made to make them more efficient for those vendors subject to the GDPR;
- Evaluating potential new GDPR-friendly features to add to our services.
In addition, we address any requests made by our customers/vendors/end-customers related to their expanded individual rights under the GDPR:
- Right to be forgotten: You may terminate your NetLicensing account at any time by contacting us via email below, in which case we will permanently delete your account and all data associated with it.
- Right to object: You may opt out of the inclusion of your data in our data science projects simply by contacting us via email below.
- Right to rectification: You may access and update your NetLicensing account settings at any time to correct or complete your account information. You may also contact NetLicensing at any time to access, correct, amend or delete information that we hold about you.
- Right of portability: We will export your account data to a third party at any time upon your request.
How can NetLicensing assist in your GDPR compliance efforts?
You should review your organization’s data privacy and security practices, and there are several ways in which NetLicensing can help.
In order to outline specifics of how we will process personal data and what our obligations are as well as the obligations of our vendors/customers, we’ve developed a Data Processing Agreement (DPA) that we enter into free of charge with anyone who uses our service and requests it.
Expansion of Individual Rights
NetLicensing can help you promptly respond to requests from your end-customers pursuant to their expanded individual rights under the GDPR.
- Right to be forgotten: You may delete an individual end-customer’s data upon their request at any time. In addition, individual end-customers may contact NetLicensing directly to request deletion of their data from NetLicensing systems.
- Right to object: You may opt out of the inclusion of your end-customers’ data in our data science projects simply by contacting us via email below.
- Right of portability: You may export any stored licensee, license, or transaction data, either as a complete list or as selected entries within a list, at any time by accessing your NetLicensing account.
Stricter Consent and Processing Requirements
You must lawfully obtain and process email addresses and other personal data from your end-customers.
- The personal data of your end-customers may be collected and transferred to NetLicensing using the NetLicensing RESTful API and through the concrete implementation of your own products and services. We encourage you to design your products and your NetLicensing integration with the GDPR and with data protection and security in mind, so that you can meet your specific GDPR compliance needs.
- The ability of your end-customers to withdraw consent or change preferences should be easily accessible. The NetLicensing API can help you here by easing access to and modification of this data.
- Make sure that you keep any information stored within your NetLicensing account that relates to your end-customers, such as name and contact information, up to date, and that you update it when requested to do so by an end-customer.
- You should also ensure that you are keeping accurate records, especially of your end-customers’ consent permitting you to send them marketing emails, store and use their personal data, and carry out any other processing activities which you are undertaking. NetLicensing can help you obtain proof of consent and will store a record of your end-customers’ consent in your NetLicensing account. When you use a NetLicensing Shop, NetLicensing records the email address, IP address, and timestamp associated with every end-customer who completes and submits the shopping cart, providing you with easy-to-access proof of consent.
- Keep in mind that any consent you obtain from your end-customers must comply with the GDPR requirements, irrespective of when that consent was obtained.
- We recommend consulting with local counsel to determine if consents obtained prior to the GDPR comply with its requirements, or whether you should instead contact your end-customers to re-request consent in accordance with the GDPR requirements or rely on a different lawful basis for your processing under the GDPR.
- You should review any NetLicensing integrations or add-ons that you are using (or plan to use), and any terms associated with those, to ensure that you have adequately disclosed potential data processing activities associated with your use of those services to your end-customers.
- You should review the privacy statement and practices applicable to your organization and ensure that they provide proper notice that the personal data of your end-customers will be transferred to NetLicensing and processed by NetLicensing.
Please refer to the following detailed instructions, which will help you address the GDPR efforts mentioned above.
- Privacy statement: Data processing by NetLicensing
- Data Processing Agreement (DPA)
- How to access and update licensee data
- How to export licensee data
- How to delete licensee data
- How to access and verify consent given by end-customer
- How to maintain vendor account data
If you have specific questions about the GDPR and your use of NetLicensing, you can email us at firstname.lastname@example.org.