ACCOUNTING SEED AND THE GDPR
Consistent with Accounting Seed’s commitment to the data privacy of its customers, we offer this overview of the EU General Data Protection Regulation (GDPR), which became effective May 25, 2018. This overview is to help our customers and data subjects navigate the requirements of GDPR and understand how it impacts our relationships and the services we provide.
What is the GDPR?
The GDPR is a new regulation passed by the European Union (EU) that (1) dramatically expands the data privacy rights of EU citi and (2) imposes new obligations on many new businesses that collect, use or store personal data regarding these EU citizens. It is intended to serve as a single set of privacy and security standards for the EU and replace the “patchwork” set of European privacy rules that had previously applied.
Who and what does the GDPR protect?
The GDPR protects “personal data” regarding “data subjects”. This includes any information related to a natural person (as opposed to businesses) that can be used to directly or indirectly identify the person. It provides a set of rights to data subjects regarding how certain covered businesses must treat their personal data.
Personal data is broadly defined. The following are examples of information that would qualify as personal data regarding identifiable data subjects:
- Financial information
- Personal and family details
- Education and employment information
- Medical information
What businesses must comply with GDPR?
The GDPR applies to businesses that (1) engage in certain activities concerning personal data AND (2) have established certain contacts with the EU.
GDPR Activities. GDPR applies to all “controllers” and “processors” of personal data.
In short, processing refers broadly to any treatment of personal data, including collection, use, recording, storage, disclosure etc. A controller determines the purposes and means of processing personal data, while processor is responsible for processing personal data on behalf of a controller. In other words, the processing is ultimately for the business purposes of the controller. The controller either performs the processing on its own behalf or engages a processor to perform specified processing activities for it.
EU Contacts. A business is covered by the GDPR as a controller or processor only if it establishes at least one of the following links to the EU:
- The business is “established” in the EU and the processes personal data in the context of the activities of that establishment, regardless of where the processing takes place.
- The business is not established in the EU, but offers goods or services to EU data subjects or monitors their behavior (or other operation of law).
As a result, the GDPR can apply to processing of personal data that a business performs outside the EU.
What data protection does the GDPR require?
GDPR sets forth a set of core principles with which covered controllers and processors must comply when processing personal data. They are:
- Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation. Personal data may only be collected for, and processed consistent with, specified, explicit and legitimate purposes.
- Data minimization. Controllers and processors must limit processing of personal data to that which is adequate, relevant and necessary to achieve a proper purpose.
- Accuracy. Controllers and processors must take reasonable steps to make sure that personal data is accurate and, where necessary, kept up to date.
- Storage limitation. Except under certain circumstances, personal data may only be stored as long as necessary for the appropriate processing to occur.
- Integrity and confidentiality. Personal data must be processed in a manner that ensures its appropriate security (Article 5(1)(f)). This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. In this regard, controllers and processors must use appropriate technical or organisational security measures.
- Accountability. The controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles (Article 5(2)).
The law imposes detailed standards regarding each principle. Further, controllers and processors must implement data security measures to operationalize these principles.
What are some of the specific requirements that GDPR-covered businesses must comply with?
- Obtaining consent of for subjects for data processing
- “Anonymizing” collected data under certain circumstances to protect privacy
- Providing data subject with breach notifications
- Safely storing and transferring protected data
- Under certain circumstances, appointing a data protection officer to oversee GDPR compliance
- Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
What is a data processing agreement/addendum?
Pursuant to EU law, including the GDPR, covered controllers and processors of personal data must use third-party processors that provide sufficient guarantees that processing will be consistent with applicable EU standards. The data processing agreement or addendum (“DPA”) is an instrument to establish these duties. The GDPR further sets forth specific elements that must be included DPAs between covered controllers and processors, or processors and sub-processors. The GDPR imposes more detailed requirements for DPAs. Accounting Seed has analyzed these requirements and offers DPAs to its customers as necessary to comply with applicable law.
How does Accounting Seed process data?
Accounting Seed provides customizable applications and related services to help businesses analyze and report financial data to meet their specific needs.
SalesForce relationship. Accounting Seed has selected SalesForce as the exclusive host for our applications. We not only believe strongly that SalesForce maximizes the capacity of our unique offerings, but also in SalesForce commitment to data protection. Our customers interface directly with SalesForce to populate and access its data. Customers utilize the Accounting Seed application autonomously within SalesForce’s environment. At all times, all customer data resides on SalesForce’s infrastructure and is subject to its terms and conditions.
In order to craft appropriate disclosure language for purposes of obtaining consents of data subjects, we encourage our customers to review the SalesForce GDPR Webpage and its terms and conditions with SalesForce.
Accounting Seed Processing. Accounting Seed will only access customer data on the SalesForce platform for troubleshooting and related purposes upon a customer’s request. In these cases, we provide our customers with the ability to grant data access credentials for Accounting Seed’s workforce. Accounting Seed and its workforce do not export customer data from the SalesForce platform.
For any additional questions please contact firstname.lastname@example.org