GDPR
Online version of the GDPR available on BioAware website.
How BioAware prepares for the GDPR
The privacy organization in BioAware gets many questions these days about how we prepare for the GDPR (General Data Protection Regulation). On this page, you can read BioAware’s official answer to that question. The audience is any stakeholder that has basic insight in privacy and privacy law. We will not go into details about the regulation itself.
Why is GDPR important
GDPR will apply to all members of the EU and EEA from May 25th, 2018. It will replace today's privacy legislation in the member countries currently subject to EU Directive 95/46. Many of the statutes in the GDPR are already found in current legislation, but the GDPR is more detailed and precise in certain areas and takes into account the challenges of a rapidly evolving digital world that gives rise to privacy risks for data subjects. GDPR is first of all demanding due to its detailed transparency requirements. Any company, as well as any other body, that processes personal data is also to a large extent required to document the processing, ensure the lawfulness of the processing, document the existence of sufficient procedures, provide information on security measures and ensure that sufficient data processing agreements are in place. GDPR is important because it improves the protection of European data subjects' rights and clarifies what companies that process personal data must do to safeguard these rights.
Organization and privacy culture
BioAware has worked hard to incorporate the right attitude and knowledge about data protection and privacy in its culture.
BioAware cares about privacy and the topic is always on the agenda in the team meetings. The responsibility for privacy work in BioAware has been delegated to a Data Protection Officer (DPO) who reports directly to the CEO. This is an independent formal role described in the GDPR. The person appointed is the main contact point for any data subject or customer in privacy matters. The DPO facilitates the privacy work in BioAware.
BioAware’s roles?
The GDPR defines two roles that are subject to different legal obligations:
- The Controller; a legal unit or similar that determines the purposes and means of the processing of personal data.
- The Processor; a legal unit or similar which processes personal data on behalf of the Controller.
The nature of BioAware's business makes us both Controller and Processor. Thus, BioAware must comply with the legislation concerning both of these roles. We are a Controller when we process data about our own employees and customer contacts/users. We are a Processor when we provide cloud services (SaaS) or other hosted IT services to our customers. In addition, we are a vendor of software that customers install and operate themselves, but this does not make BioAware a Processor. When BioAware acts as Processor or software vendor, the customer using the service/software is the Controller.
The next chapters will explain what BioAware is doing to comply with the GDPR in the Controller and Processor roles.
Preparing for GDPR as Controller
BioAware processes data about employees and customer contacts/users. On a few occasions, we may also process data about others. This is natural when running a software business. Our main efforts to make sure we are compliant are related to being transparent: enabling our employees and customer contact persons to understand why, what, when and how their personal data are processed. Our customer contact persons will find this information in our Privacy Statement.
We are ensuring that all data protection agreements (DPA) with subcontractors are sufficient in terms of protecting the rights of data subjects, as well as complying with provisions for transfer of data outside the EU/EEA as set out in the GDPR.
Utilizing the power of digital marketing technology is key to BioAware going forward. This involves the creation of interest profiles so that only relevant information is presented to stakeholders. In addition, we will make it easier for stakeholders to adjust their interest profiles and to withdraw consent.
Preparing for GDPR as Processor
BioAware provides a range of options in its cloud-based software (SaaS) to our customers, and also provides hosting services as well as consulting services. These services, except for the pure hire of consultants, make BioAware a Processor. This means that BioAware is responsible for processing the personal data only as instructed by the Controllers (the customers). Since most of our software is delivered in a one-to-many relationship, giving the Controllers (the customers) the freedom to continuously give us instructions on how to process their personal data is not possible. This underlines the importance of agreeing with the Controller (the customer) on what these instructions are, typically in the Terms of Service or in a dedicated DPA.
When a customer hires a consultant from BioAware and his/her work is supervised by the customer, BioAware is not a Processor, so a DPA is not necessary. Depending on the nature of the assignment, it may nevertheless be wise for the parties to enter into a non-disclosure agreement.
As a software vendor we also take responsibility for certain things that the Controllers themselves will have difficulty controlling. This will typically be the design of the software with regard to features for correcting and erasing personal data, and the implementation of information security measures to safeguard data confidentiality, integrity and availability.
Being a provider of cloud services also means that we use a range of subcontractors to deliver the services. We have certain transparency obligations in this regard, as well as an obligation to make sure that sufficient data processing agreements are in place. We do this to ensure privacy and trust throughout the chain of companies involved in processing our customers' data. BioAware's business is based on earning this trust from our customers.
Our main efforts to make sure that we are compliant as Processor centre on these initiatives:
- Assessing our cloud services against the Privacy by Design and Default principles set out in the GDPR.
- Preparing for increased transparency regarding use of subcontractors and security breach incidents that may occur.
- Ensuring that agreements with our subcontractors and partners commit to GDPR preparations and compliance.
- Updating Terms of Service (ToS) documents to reflect the obligations of both Controllers (our Customers) and BioAware imposed by the GDPR.
Further, we have published the Trust Center on bio-aware.com. This page provides customers with the information needed to document their processing activities as a Controller. In summary, this information seeks to outline the privacy-related capabilities of our cloud services and software products. The aim of this information is to enable Controllers (our customers) to fulfil their duties under the GDPR to safeguard privacy when using a Processor (BioAware) to process personal data on their behalf.
On request, a customer may also access more detailed privacy information particularly concerning security measures applied and agreements with subcontractors. Such requests may be subject to fees and non-disclosure agreements.
Other initiatives
BioAware believes that awareness and competence among all our employees will have a significant impact on our ability to comply with the GDPR and safeguard privacy for customers and BioAware. In order to increase awareness and understanding, we have developed privacy courses that will be mandatory for all BioAware employees to complete in 2018. These courses will also be included in the onboarding process for new employees.
How to get more information
If you are looking for general information regarding processing of personal data in BioAware, visit bio-aware.com and read our Privacy Statement.
If you represent a customer acting as a Controller and need more information regarding data protection around our software products/services, you can visit our Trust Center.
If you have questions directly related to a data protection agreement with BioAware, you should reach out to your primary business contact in BioAware.
All other inquiries should be sent to info@bio-aware.com. We will respond to such inquiries as soon as possible and prioritise them based on the urgency of the risk to data subjects.
Hannut, May 23rd, 2018
Document reviewed on: 29th of December, 2023