What Is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents.
The GDPR mandates that EU visitors be given a number of data disclosures. The site must also take steps to facilitate such EU consumer rights as a timely notification in the event of personal data being breached. Adopted in April 2016, the Regulation came into full effect in May 2018, after a two-year transition period.
Prokuria is registered in the European Union, and is therefore fully subject to, and compliant with, the GDPR.
Prokuria is a Data Processor, acting upon instructions of the Data Controllers, who are our clients.
How we process Personal Data
By accessing and using Prokuria, our users may make available to us some personal data of their employees and of contractors/suppliers:
(i) for employees/representatives the following data is usually provided: first and last name, e-mail address, phone number, identification details, and position of the individual in the organization;
(ii) for existing and potential suppliers/contractors, the following data may be provided: first and last name, e-mail address, phone number, details of the company they are representing, the position of the individual in the organization;
(iii) other personal data which is (a) supplied to Prokuria, or to which Prokuria is granted access, whether by the user or otherwise in connection with the licence agreement governing our relationship with the user, or directly through the use of Prokuria, or (b) produced or generated by or on behalf of users in Prokuria.
Under the rules of the GDPR, we process data as a Data Processor. Our users are therefore the Data Controllers, determining the purpose and means of processing. As a Data Processor (as defined by GDPR) we make available and maintain the technical solution necessary for achieving the purpose of processing.
As a Processor, we do however have a series of strong legal obligations and privacy best practices that we comply with:
(i) we only process personal data in compliance with GDPR;
(ii) we only process personal data on our clients’ (Controllers) documented instructions;
(iii) we implement all appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Such measures reflect best-practice security and are compliant with GDPR;
(iv) we commit to notify our users immediately if we ever become aware of any data breach relating to the use of, or access to, the Software;
(v) we commit to take all steps to restore, reconstitute, and/or reconstruct any personal data which is lost, damaged, destroyed, altered, or corrupted as a result of a data breach, and we will provide our users with all reasonable assistance, as required by the GDPR, in respect of any such data breach;
(vi) We will notify our users prior to adopting a new type of processing in respect of personal data, and if requested we can assist in a data protection impact assessment in respect of the new type of processing which is being proposed;
(vii) We will notify our users prior to initiating any transfer or disclosure of personal data to any other party for the performance of the services. Should we enter any data processing agreement with a third party, we commit to include obligations that are at least as strong as the obligations we take upon ourselves in relation to processing personal data.
(viii) We will not transfer any personal data to any country or territory outside the European Economic Area (EEA) or to any international organizations/contractors located outside EEA without first obtaining the express written consent of our users.
(ix) If asked, we can assist the users with handling data subject rights requests and to “demonstrate” compliance in front of the relevant Data Protection Authority;
(x) If asked by our clients we can permit either them as Controller, or a third-party auditor acting under the Controller’s direction, to conduct, at the Controller’s cost, data privacy and security audits, assessments, and inspections concerning our data security and privacy procedures relating to the processing of personal data and its compliance with GDPR;
(xi) We will promptly inform our clients as data Controllers about complaints/inquiries etc. from regulators/individuals received directly by us or by any of our contractors in relation to the processing activities relating to the Software. We will not respond to any such inquiry, complaint, notice or other communication if it involves processing personal data made available by our users without the prior written consent of the Controller;
(xii) When our users terminate their account, we cease all use of their personal data and shall, at the user’s instruction, either destroy all personal data or transfer all personal data back to the user.
Prokuria has been ISO 27001 compliant since 2021. Our most recent good-standing compliance check was completed in June 2022.