GDPR Compliance

Introduction

Compliance with data protection laws is a hot topic for the digital preservation and research data management communities. For any organization that processes personal data in the European Union (EU) or originating from individuals in the EU, the GDPR must be observed.

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA).

The GDPR aims primarily to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. This regulation applies to any enterprise established in the EEA or, regardless of its location and the data subjects' citizenship, that processes the personal information of data subjects inside the EEA, so it also affects our overseas customers.

LIBNOVA welcomed the GDPR as an opportunity to build a stronger data protection foundation for the benefit of all. Data privacy is an important human right, and in this data-driven world, more than ever, data protection is something that all companies should be paying close attention to. We worked hard to align all of our processes to the GDPR, and to include internal policies in our ISO27001, ISO27017, and ISO27018 certifications. This note illustrates how the LIBNOVA Cloud environment is fully aligned with the GDPR.

What is Data Processing, Who are Data Subjects, and What is Personal Data?

GDPR is all about protecting the rights of data subjects in connection with processing their personal data.

Data Processing

Data processing is essentially anything that can be done with or to data. It includes accessing it, collecting it, reading it, storing it, analyzing it, retrieving it, organizing it, transferring it, disclosing it, and deleting it.

Data Subjects

Under GDPR, data subjects are simply people (natural persons). Personal data is data that relates to “identified” or “identifiable” data subjects.

An “identifiable” data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, ID number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Note how broad the definition of personal data is: it can include data such as the IP address of an individual’s personal device, a device ID, or a phone number. It doesn’t matter that the identifier could change (e.g., that the user could change their phone number or device ID).

Data Controllers and Data Processors

Data controllers and data processors have different obligations under GDPR.

Who is a data controller?

GDPR defines a data controller as “the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Under this definition, our customers are usually the data controllers.

Who is a data processor?

Organizations that process personal data solely on behalf of, and as directed by, data controllers are data processors. When a data controller outsources a data processing function to another entity, that other entity is generally a data processor.

Under this definition, LIBNOVA is a processor of the content preserved in our platforms. LIBNOVA does nothing with that content unless the data controller instructs us to. In addition, when requested, we process the data in accordance with the predefined policies.

In order to deliver the agreed service, LIBNOVA relies on other organizations to process the data; these organizations become sub-processors. Our sub-processors are listed in the LIBNOVA Data Processing Agreement.

Our Responsibilities as Data Processors

LIBNOVA's responsibilities as a data processor are derived from GDPR Articles 5, 28, 29, 33, 34, and 35 and can be summarized as:

  • General alignment with the GDPR, in particular with the seven principles of data protection

  • Meeting the data processor duties specified in GDPR Article 28:

    • Controller’s instructions: LIBNOVA will only process the data following instructions from the controller (unless otherwise required by law).

    • Processor contracts: Obligations are defined in a binding contract with the controller.

    • Sub-processors: LIBNOVA will inform the controller about present sub-processors and will not engage with another processor (i.e. a sub-processor) without the controller’s prior specific or general authorisation. Our sub-processors provide an equivalent level of protection for personal data as those in the contract between LIBNOVA and the controller.

    • Security: LIBNOVA implements multiple technical and organisational measures so that the controller can ensure the security of personal data, including protection against accidental or unlawful destruction or loss, alteration, unauthorised disclosure, or access.

    • Notification of data breaches: LIBNOVA will notify the controller about a data breach immediately after we become aware of it. We will assist the controller in complying with its obligations regarding personal data breaches.

    • Notification of potential data protection infringements: LIBNOVA will notify the controller immediately if we are aware that any of their instructions would lead to a breach of the EU/UK GDPR or local data protection laws.

    • Accountability obligations: LIBNOVA will maintain the external audits for the security-related standards it is certified against. Information about these certifications is available.

    • International transfers: LIBNOVA will not transfer the data to any other region unless instructed by the controller or required by applicable law.

  • Processors (and sub-processors) can never process personal data on behalf of controllers except when they have clear instructions regarding the processing of those data or when needed to deliver the service (GDPR Article 29).

How LIBNOVA meets its responsibilities

Accountability is essential in order to demonstrate GDPR compliance. LIBNOVA continuously improves its processes and keeps them fully transparent to our customers:

  • A specific agreement covering data processing and our role as data processor is in place. Please see the LIBNOVA Data Processing Agreement.

  • A Data Protection Policy is in place. This policy is part of the ISO 27001 certification and is externally audited yearly.

  • A Training Policy (with Data Protection specifics) for our team and our customers is in place. This policy is part of the ISO 27001 certification and is externally audited yearly.

  • An Information Security Policy is in place. This policy is part of the ISO 27001 certification and is externally audited yearly.

  • A Privacy Policy is in place. This policy is part of the ISO 27001 certification and is externally audited yearly.

  • A Data Protection Impact Assessment in our role as data processor is performed at least whenever major changes are introduced in the platform. Article 35 of the GDPR covers Data Protection Impact Assessments. The DPIA is a new requirement under the GDPR as part of the “protection by design” principle for high-risk or sensitive content.

  • Data processing records are maintained independently of the LIBNOVA platform with extended retention periods, in accordance with a specific procedure that is part of the ISO 27001 certification. Processing records cannot be modified by platform users.

  • Subject Access Request Forms are available for subject requests.

  • A procedure is in place for International data transfers when we are requested by the data controller to transfer data to a different jurisdiction.

  • A data portability procedure is in place, including a handover policy, process, and request method. This procedure is part of the standard services agreement.

  • A complaints form and procedure are in place as part of the ISO 27001 policies.

Last updated