General Data Protection Regulation
The General Data Protection Regulation is a new set of privacy regulations and guidelines that replaces the Data Protection Directive 95/46/EC and effective May 25, 2018.
The General Data Protection Regulation (GDPR) will require several changes to organizations in the way they collect and process European Union (EU) personal data.
The GDPR contains a number of new protections for EU citizens and threatens penalties for non-compliance. In addition, there are new security, recordkeeping, access rights, and notification procedures that companies must implement to ensure compliance. Issues that are attracting particular focus include increased administrative requirements, and the need to provide the tools necessary to meet the numerous obligations on administrators, controllers, and processors.
ExpiWell offers self-service products to users via an Application Service Provider model delivered via the Internet and using standard web browser software. Customers solely determine what data to collect, from whom and where, for what purpose, and for how long. Therefore, ExpiWell does not and cannot classify or represent any Customer data. All data are processed electronically on the instructions of the Customer as required to provide the software, support, and maintenance. ExpiWell administrators and employees do not interact with or view this data process.
Since the Customer has full control over its data, it may have special obligations to protect the data outside the scope of the protection ExpiWell provides (for instance, if data were downloaded to the user’s local drive or printed). ExpiWell has always agreed to safeguard all Customer data with industry best standards regardless of what that data represents.
Enabling the Customer to be GDPR Compliant
ExpiWell enables its Customers to be GDPR compliant. Briefly stated, that means ExpiWell will:
Provide sufficient guarantees to the controller to implement appropriate technical and organizational measures designed to safeguard Customer data
Process data (that could include personal data) only to fulfil its obligations as related to the Services
Enable users to modify and delete individual data points
Enable users to modify and delete complete survey responses
Enable users to modify and delete the entire project (responses and survey definitions)
Provide security documentation that describes the processes and procedures for safeguarding the data
Sign a contract that governs the processing of EU personal data
However, if a ExpiWell Customer desires to have a GDPR-specific contract, it may be electronically downloaded here.
This Contract appends the terms of an existing Agreement to satisfy the requirement of the GDPR Article 28, Section 3, that governs the processing of EU personal data. Once reviewed and signed, please send to [email protected].
Key Principles of GDPR and Responsible Parties
Both ExpiWell and its Customers (controllers) are separately and jointly liable for actions or inactions that do not comply with GDPR. Thus, the GDPR requires a shared responsibility to protect an individual’s right to privacy. The table below summaries these responsibilities and is included for clarification only.
Legend: E = ExpiWell's responsibility; C = Customer’s responsibility; S = Shared responsibility
|Breach Notification Standards|
|Data security and processing standards|
|Individual “unambiguous” explicit consent before data collection|
|Individual withdraws consent, requests data deletion|
|Parental consent to collect information on children|
|Only transfer data to a country with adequate protection|
|Cross-border transfer of PII|
|Post public privacy notice|
|Follow requests from a DPA|
|Allow right to data modification and to be forgotten|
|Provide data portability|
|Rights of notice, access, and objection|
|Clarifying role of controller and processor|
|Data breach notification|
|Collect data only for “specific, explicit, and legitimate purposes”|
Please note: this is not an exhaustive list of responsibilities.