What is GDPR?
Answer: General Data Protection Regulation. The legislation aims to enhance data privacy protection for citizens and residents of the European Union (EU) and the European Economic Area (EEA) [the 28 member countries of the EU plus Norway, Liechtenstein, and Iceland] (herein collectively referred to as "EU").
Here is the regulation:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016
Who should comply?
Any organization that processes, stores, accesses or hosts the personal data of EU residents regardless of the organization’s physical location.
The roles below are designed to show how EAMS Group relates to your data processing. If EAMS Group is processing your data, this is due to a contractual agreement in place with the Data Controller, so that EAMS Group fulfils its contractual obligations to the Data Controller. EAMS Group does not use this data for any other purpose, as stated in the EAMS Group GDPR Data Protection Policy. This procedure has been put in place to ensure lawful processing of personal data.
If contacted by a Data Subject to correct, amend or delete his/her personal data, we will direct the Data Subject back to our client (the Data Controller) to take the appropriate action, except in cases where EAMS Group is the Data Controller for that subject. Further information is set out in the EAMS Group Data Protection Policy.
| Role | Definition |
| --- | --- |
| Data Processor | Any organisation which processes personal data on behalf of the Data Controller |
| Sub Processor | Any organisation which processes personal data on behalf of the Data Processor |
| Data Controller | The organisation which determines the purposes and means of the processing of personal data |
| Data Subject | A person who can be identified by an identifier such as a name, an identification number, or location data |
| Supervisory Authority | An independent public authority established by a Member State to oversee GDPR compliance |
Examples of personal data we may collect: name, surname, work email address, contact number, work site. In most instances EAMS Group acts as a Data Processor for clients in order to fulfil contractual agreements. In this instance you may be a Data Subject, and your data would have been collected by the Data Controller with whom we are in, or are entering into, a contractual agreement. If contacted by a Data Subject to correct, amend or delete his/her personal data, we will direct the Data Subject back to our customer (the Data Controller) to take the appropriate action. Where we are the Data Controller, we will take the appropriate action ourselves.
Why do we collect this data?
Data may be collected in order to communicate with you, provide feedback, or enter into contractual agreements with you. Should EAMS Group need additional data from you, we will contact you, request your consent, and explain why this data is needed.
When EAMS Group acts as a Data Processor for clients, data such as email addresses is also used to communicate with Data Subjects who raise Service Desk incidents or queries via existing clients. Other organisations that provide tools used by EAMS Group, such as Microsoft SharePoint (for document storage), Zendesk (for Service Desk ticket processing) and IBM Maximo, are our Sub Processors, whose GDPR compliance we have verified. Access to all of these systems is controlled and secured.
Cloud Hosting Services (Sub Processors)
Below are EAMS Group's Sub Processors and the corresponding confirmation of their GDPR compliance.

| Sub Processor | Compliance Details |
| --- | --- |
| Amazon Web Services | https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/ |
EAMS Group Commitment
EAMS Group’s Commitment to Compliance
GDPR compliance is critical for all of our staff, our clients and our data security. As such, we are committed to upholding GDPR compliance and ensuring that our organisation continues to do so.
Commitment to Data Subject Rights
If contacted by a Data Subject to correct, amend or delete his/her personal data, we will direct the Data Subject back to our customer (the Data Controller) to take the appropriate action.
If we experience a data breach, we are contractually and legally required to notify any affected EAMS Group client of the breach within 72 hours, to provide them with the details of the breach, and to cooperate with them to satisfy GDPR reporting obligations.
This includes a description of (i) the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (ii) the name and contact details of our data protection officer or other contact points where more information can be obtained; (iii) the likely consequences of the personal data breach; and (iv) the measures taken or proposed to be taken by EAMS Group to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Security and Monitoring
If called upon by our customer (the Data Controller) or a Supervisory Authority, we will demonstrate our compliance with the GDPR in the provision of EAMS Group services. EAMS Group has implemented technical, physical and administrative measures to protect personal information and other confidential information. Our offices are secure working areas, accessed by key cards and with 24/7 building security, to prevent access by unauthorised individuals.
EAMS Group also has:
- Limited data access on company tools
- Strong and different passwords for every department
- Data is stored and transmitted securely; it can only be accessed via secure HTTPS links, so data in transit is encrypted
- A policy of not storing documents locally on laptops etc.; data is stored only within online services provided by Office 365, such as SharePoint and OneDrive
- Network segmentation and user monitoring
- Regular data backups and updates
- Secure remote access to our network
- All staff ensure their laptops are locked and password protected when away from their desk or not in use
How Does EAMS Group Meet GDPR Requirements?
EAMS Group has never received any complaint, objection or similar notice or correspondence from any data protection or other regulatory authority, or any customer or individual whose personal or other confidential information it processes.
Data Protection Officer
25 Canada Square