On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into force, replacing the 1995 EU Data Protection Directive. The GDPR both strengthens the rights of individuals regarding personal data relating to them and unifies data protection laws across Europe.
You can count on the fact that we are committed to ensuring compliance with the GDPR. Our commitment extends to helping you achieve compliance with the GDPR, and we have made privacy and security protections first-class citizens of our services and contracts.
What are your responsibilities as a customer of Wirehive?
You are the data controller of any personal data you provide to us in relation to your use of our services. This means that you are responsible for determining the reason why data is being processed, how it is processed and when it is processed. You also have other responsibilities, such as maintaining records of the processing activities that are carried out on the personal data.
We are a data processor, which means we are processing personal data on your behalf when you are using our services. The GDPR prohibits us from conducting any processing activities that you have not authorised us to do. As a data processor we will not process any data you provide unless we have received an appropriate instruction from you.
As a data controller, the GDPR requires you to implement appropriate technical and organisational measures to ensure and demonstrate that any processing of personal data is performed in a compliant manner. The principles of the GDPR include topics such as lawfulness, fairness, transparency, purpose, data minimisation and accuracy. The GDPR also gives data subjects various rights with respect to their data, which you are required to fulfil.
Further guidance related to your responsibilities under the GDPR may be available from your national data protection authority, such as the United Kingdom’s Information Commissioner’s Office. Other organisations, such as the International Association of Privacy Professionals, provide guidance that you may also find beneficial.
Nothing on this website should be considered as legal advice and you should seek independent legal advice regarding your obligations under the GDPR.
What is Wirehive doing in preparation for the GDPR?
The GDPR requires that data controllers use data processors that carry out processing in a manner that complies with the GDPR. When reviewing our services, you may find it helpful to review the following information.
We employ a dedicated Security and Compliance Officer, as well as many extremely competent systems administrators and architects. Under the direction of the Security and Compliance Officer, this team is responsible for building and maintaining the security of Wirehive’s systems and for ensuring compliance with security and data protection standards, regulations and legislation.
Data Processing Agreement
Schedule 8 of our Terms and Conditions explains our security and privacy commitments to you. These terms will automatically take effect when the GDPR comes into force on 25 May 2018, or earlier if you are an existing customer and sign our Data Processing and Security Addendum. Our GDPR-compliant Terms and Conditions will take effect immediately for all new orders.
Any data that you and your users put into our systems will only be processed in accordance with your instructions, as described in Schedule 8 of our Terms and Conditions.
All of our employees and contractors are required to sign a confidentiality agreement and undertake regular data protection training.
Use of sub-processors
We directly conduct most of the data processing activities needed to provide our services to you. For some of our services we use an explicit third-party provider, such as Microsoft for our Azure Service, and this will be made clear in our agreement with you.
We also engage some other third-party vendors to assist in supporting our services. We ensure each vendor is technically capable and can deliver the required levels of security and privacy. Details of our sub-processors are available and our commitments regarding sub-processors are included in our Terms and Conditions.
The GDPR requires that data controllers and their processors implement security controls that are appropriate to the level of risk. We operate and partner with organisations who operate state-of-the-art security infrastructures to ensure the safety of customer personal data. We make a copy of our security measures available to assist you in determining the appropriateness of our controls.
Data export and deletion
We will assist you in exporting or deleting customer data, if required, in line with our agreed service levels. When we receive a deletion instruction from you we will delete all relevant customer data from all of our systems within a period of no more than 180 days, unless we are obliged by law to retain such personal data for a longer period of time.
Restrictions on processing
As a data controller, you can use the functionality of the Customer Portal and our services to help access, rectify, restrict processing of, or delete any data that you or your users put into our systems. The exact tools used to do this will be dependent on the services you are running. This helps you to fulfil your obligations to data subjects.
We are committed to notifying you regarding data incidents and this is reflected in our Terms and Conditions.
International data transfers
The GDPR requires that any personal data transferred outside of the EU is afforded the same protections as personal data within the EU. This is achieved by implementing appropriate safeguards such as the EU-U.S. Privacy Shield framework or by EU Standard Contract Clauses. We allow you to choose the data processing locations of your services and it is your responsibility to ensure the necessary permissions have been obtained from the data subject.
Data Centre Information
We operate our Cloud Platform and Dedicated Platform Services from secure co-located data centres within the UK to keep our services running 24 hours a day, 7 days a week. You can find out more about our data centres by following the links below:
Our Security Measures provide an overview of the controls that are in place at each of these sites.
We use a range of third-party sub-processors to assist us in connection with the services we provide. Use of a particular sub-processor is dependent on which service(s) we provide to you, as indicated in your contract with us. Each of our third-party sub-processors is listed below along with a description of the function they provide.
- ConnetU – Network infrastructure support services for our Cloud and Dedicated Platform services.
- Amazon Web Services – Provision of our AWS services.
- Google Cloud Platform – Provision of our GCP services.
- Microsoft Azure – Provision of our Microsoft Azure services.
- Auth0 – Customer portal identity, authentication and authorisation services.
What is the GDPR?
The EU General Data Protection Regulation (GDPR) is a new privacy law that replaces the 1995 EU Data Protection Directive from 25 May 2018. The GDPR is intended to harmonise data protection laws within the EU.
Who does the GDPR apply to?
The GDPR applies to all organisations established in the EU and those anywhere in the world that process the personal data of EU data subjects. Processing is deemed to be taking place if it is conducted in relation to the offering of goods or services to EU data subjects or the monitoring of behaviour that takes place within the EU.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is someone who can be identified, either directly or indirectly, for example by reference to a name, email address or location data.
Does the GDPR require storage of personal data in the EU?
No; however, to transfer personal data outside of the EU certain conditions must be met. These can be satisfied either by an adequacy decision, such as the EU-U.S. Privacy Shield, or by Standard Contract Clauses.
Will the GDPR give customers the right to audit Wirehive?
The GDPR requires data controllers to be granted audit rights of their data processors. From 25 May 2018, our customers will be able to audit Wirehive in accordance with our Terms and Conditions.
What role do security certifications have in compliance with the GDPR?
Our ISO 27001 certification, awarded by BSI (a UKAS accredited certification body), can be used by customers to help them conduct their risk assessments and determine whether appropriate organisational and technical measures are in place.
How does Wirehive protect personal data?
We have implemented a range of security measures to help protect any personal data you may store when using our services. We also make available a range of optional security controls such as encryption, logging and monitoring, identity and access management, security scanning, and firewalls. We may also make other security tools available from time to time.
When will Wirehive’s GDPR-compliant Terms and Conditions take effect?
Our GDPR-compliant Terms and Conditions will take immediate effect for all new contracts from the date of signing. For existing contracts, our Data Processing and Security Addendum will come into force when we have received a signed copy from you or automatically on 25 May 2018, whichever is sooner.