The privacy organization in BioAware gets many questions these days about how we are preparing for the GDPR (General Data Protection Regulation).
On this page, you can read BioAware's official answer to that question. The audience is any stakeholder with a basic insight into privacy
and privacy law. We will not go into details about the regulation itself.
The GDPR will apply in all EU and EEA member states from May 25th, 2018. It replaces today's privacy legislation in the member
countries currently subject to EU Directive 95/46/EC. Many of the provisions in the GDPR are already found in the current legislation, but the GDPR
is more detailed and precise in certain areas and takes into account the challenges of a rapidly evolving digital world that give rise to
privacy risks for data subjects. The GDPR is demanding first of all because of its detailed transparency requirements. Any company or other
body that processes personal data is also, to a large extent, required to document the processing, ensure that the processing is lawful,
document that sufficient procedures exist, provide information on security measures and ensure that sufficient data processing
agreements are in place. The GDPR is important because it improves the protection of European data subjects' rights and clarifies what companies
that process personal data must do to safeguard these rights.
BioAware has worked hard to make the right attitude towards, and knowledge of, data protection and privacy part of its culture.
BioAware cares about privacy, and the topic is always on the agenda in team meetings. The responsibility for privacy work in
BioAware has been delegated to a Data Protection Officer (DPO) who reports directly to the CEO. This is an independent, formal role
described in the GDPR. The person appointed is the main contact point for any data subject or customer in privacy matters. The DPO
facilitates the privacy work in BioAware.
The GDPR defines two roles that are subject to different legal obligations: the Controller, which determines the purposes and means of the processing of personal data, and the Processor, which processes personal data on behalf of the Controller.
The nature of BioAware's business makes us both a Controller and a Processor. Thus, BioAware must comply with the legislation concerning
both of these roles. We are a Controller when we process data about our own employees and customer contacts/users. We are a Processor
when we provide cloud services (SaaS) or other hosted IT services to our customers. In addition, we are a vendor of software that customers
install and operate themselves, but this does not make BioAware a Processor. When BioAware acts as a Processor or software vendor, the customer
using the service/software is the Controller.
The next chapters will explain what BioAware is doing to comply with the GDPR in the Controller and Processor roles.
BioAware processes data about employees and customer contacts/users. On a few occasions, we may also process data about others.
This is natural when running a software business. Our main compliance efforts in this role are related to being transparent:
enabling our employees and customer contact persons to understand why, what, when and how their personal data are processed.
Our customer contact persons will find this information in our Privacy Statement.
We are ensuring that all data processing agreements (DPAs) with subcontractors are sufficient in terms of protecting the rights of data
subjects, and that they comply with the GDPR's provisions on the transfer of data outside the EU/EEA.
Utilizing the power of digital marketing technology is key to BioAware going forward. This involves creating interest profiles so
that only relevant information is presented to stakeholders. In addition, we will make it easier for stakeholders to
adjust their interest profiles and to withdraw consent.
BioAware provides a range of options in its cloud-based software (SaaS) to our customers, and also provides hosting services as well as
consulting services. All of these, except the pure hire of consultants, make BioAware a Processor. This means that BioAware is responsible
for processing personal data only as instructed by the Controllers (the customers). Since most of our software is delivered in a one-to-many
relationship, giving the Controllers (the customers) the freedom to continuously give us instructions on how to process their personal data
is not possible. This underlines the importance of agreeing with the Controller (the customer) on what these instructions are, typically in
the Terms of Service or in a dedicated DPA.
When a customer hires a consultant from BioAware and the consultant's work is supervised by the customer, BioAware is not a Processor, and
a DPA is therefore not necessary. Depending on the nature of the assignment, it may be wise for the parties to enter into a non-disclosure agreement.
As a software vendor, we also take responsibility for certain things that the Controllers themselves will have difficulty controlling.
This is typically the design of the software with regard to features for correcting and erasing personal data, and the implementation of information
security measures to safeguard data confidentiality, integrity and availability.
Being a provider of cloud services also means that we use a range of subcontractors to deliver the services. We have certain transparency
obligations in this regard, as well as an obligation to make sure that sufficient data processing agreements are in place. We do this to ensure
privacy and trust throughout the chain of companies involved in processing our customers' data. BioAware's business is based on earning this
trust from our customers.
Our main efforts to make sure that we are compliant as a Processor are centred on these initiatives:
Further, we have published the Trust Center on bio-aware.com. This page provides customers with the information they need to document their processing
activities as a Controller. In summary, this information outlines the privacy capabilities of our cloud services and software
products. The aim of this information is to enable Controllers (our customers) to fulfil their duties under the GDPR to safeguard privacy
when using a Processor (BioAware) to process personal data on their behalf.
On request, a customer may also access more detailed privacy information, particularly concerning the security measures applied and the agreements
with subcontractors. Such requests may be subject to fees and non-disclosure agreements.
BioAware believes that awareness and competence among all our employees will have a significant impact on our ability to comply with the GDPR
and to safeguard privacy for customers and for BioAware. In order to increase awareness and understanding, we have developed privacy courses that
will be mandatory for all BioAware employees to complete in 2018. These courses will also be included in the onboarding process for new
If you are looking for general information regarding processing of personal data in BioAware, visit bio-aware.com and read our
If you represent a customer that is a Controller and need more information regarding data protection for our software products/services, you
can visit our Trust Center.
If you have questions directly related to a data processing agreement with BioAware, you should reach out to your primary business contact in
All other inquiries should be sent to firstname.lastname@example.org. We will respond to such inquiries as soon as possible and prioritize them according to
the urgency of the risk to data subjects.
Hannut, May 23rd, 2018
Phone: + 32 478 28 57 64
BioAware SA NV Rue du Henrifontaine 20 B-4280 Hannut Belgium