ERALYS AND PERSONAL DATA PROTECTION
With head office and customers in Europe, Eralys is subject to the General Data Protection Regulation (GDPR).
But as a Global Player, we also may be subject to other international and local regulations.
GDPR came into force on May 25, 2018. It is certainly the regulation that protects the most individuals when to their personal data.
GDPR also applies to actors outside Europe when they have and process personal data of people residing in Europe.
To limit the risks of non-compliance to GDPR with their consequences and for a good understanding we use, to the extent possible, terms that are used in the GDPR, possibly supplemented by other requirements and other regulations that may apply, and which are listed below with their definition in the context of this presentation.
Personal data:Relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper.
Sensitive data:The following personal data is considered ‘sensitive’ and is subject to specific processing conditions: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic, biometric data, health-related data, sex live and sexual orientation.
Data Controller:The data controller determines the purposes for which and the means by which personal data is processed. So, if your company / organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.
Data Processor:The data processor processes personal data only on behalf of the controller.
Joint Data Controller and Joint Data Processor:'Joint' means when one or more natural person, legal person or organization together make the Controller / Processor job.
Data Protection Agreement (DPA):Means the contract or any agreement act that must be established between the Data Controller and the Data Processor.
There are situations where an entity can be a data controller, or a data processor, or both.
However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
In the present context and policy, Eralys is both.
It is essential to distinguish two situations
Client is Data Controller
Client owning the data
Eralys is Data Processor
He provides the means and process Client's data
ISP is Joint Data Processor
He provides the basic technical infrastructure support that allows Eralys to deliver its services to the Client.
Eralys is Data Controller
Eralys owning the data
Eralys is Data Processor
He provides the means and process Eralys own data
ISP is Joint Data Processor
He provides the basic technical infrastructure support that allows Eralys to receive all the services she needs.
ERALYS as Data Processor
As Data Processor, there is no difference whether Eralys serves a third party, a Client or its own needs.
In fact, we use exactly the same technical infrastructure, more precisely our Information Management System (I.M.S.) with our Smart Hybrid Connectivity (SHC) eco-system.
And we apply the same security policy.
Eralys undertakes to process the personal data of the Data Controller for the sole purpose of the proper performance of the Services and according to its instructions.
Data hosted by the Data Controller as part of our Services remains the property of the Client / Data Controller.
We prohibit the resale of such data, as well as any use for commercial purposes (such as profiling or direct marketing activities).
Eralys informs the Client / Data Controller about the ISP(s) and data center(s) where his data are processed and stored.
The location of the data must comply with the applicable Data Protection Regulations. EU GDPR states that data of natural persons residing in the EU and processing must remain in the EU. Nevertheless, provided that the target country is recognized by the EU as applying equivalent protection conditions, they may be transferred to the said country.
Eralys will not change ISP and the location without prior notice to the customer.
Through Smart Hybrid Connectivity (S.H.C.), Eralys can offer the Client / Data Controller the possibility of integrating and exchanging data flows with its own information systems and applications (on request).
I.M.S. provides the Client / Data Controller with useful tools and services to enable them to manage and offer the data subject the means to validate their rights.
But it is up to the Client / Data Controller to define his policy and what means he intends to use, what services he wants to offer.
I.M.S. provides the Client / Data Controller with useful tools and services to enable them to inform, collect and manage data subject's consent or opposition, restrictions.
But it is up to the Client / Data Controller to define his policy and what means he intends to use, what services he wants to offer and to pay attention about compliance with Data Protection Regulations that apply.
Eralys Information Management System (I.M.S.) is designed natively to manage data protection.
In particular, I.M.S. manages the rights of users, profiles and roles up to the right to consult, create, modify, delete for each elementary data (file or field of a record). And user can decide to share or not her data and with whom.
Eralys undertakes to provide the data entrusted back to the Client / Data Controller at any time, in a format that ensures portability (csv files - Excel - sql - pdf). Where appropriate, data may be delivered in a specific format requested by the Client / Data Controller on accepted quotation.
All data of the Client will be permanently erased. The Client / Data Controller will be responsible for the retention of data during the applicable legal period.
I.M.S. is User / Profil / Roles based for processing and data management (Services).
It's only and full Client / Data Controller responsibility to define their policies and I.M.S. Users rights, the Eralys I.M.S. Services they select and to pay attention on Data Protection Regulation compliance.
Minimum one people must be appointed by the Client to be the I.M.S. Administrator (better two for service continuity). He will be the privileged contact of Eralys support team.
I.M.S. Administrators will have extended access rights to manage Users, rights, services, tools in accordance with Client's / Data Controller policies and requirements.
Eralys will only assist Client's I.M.S. Administrators.
I.M.S. provides all necessary means to organize and set up a help desk. It is the hub for service request management with follow-up, action tracking and he allows interaction and tracking between "internal" and "external" actors, departments.
Coupled with the event engine, the workflow and the e-mail system it is the ideal tool for incident management, alert and escalation management, service contract management (SLA), process management. But his possible jobs are very wide.
Eralys at his level uses this tool for his own help desk.
Client / Data Controller can use that tool in her I.M.S. system with their own contacts, their employees.
In collaboration with the ISP, Eralys, which administers its eco-system, monitors all services. Its objectives are multiple: detect incidents of production and security, monitor critical functions with a feedback to the supervision system, notify those responsible and initiate the appropriate procedures, ensure continuity of service in performing automated tasks, ensure the integrity of the monitored resources.
An incident management process is in place. It can prevent, detect and resolve these events in the service management infrastructures and the service itself.
The technical and infrastructure components are constantly updated by both the ISP and Eralys. A technological watch on the new vulnerabilities is ensured.
Eralys Platform Administrators must be able to intervene to ensure the delivery of the Services, to ensure the upgrades, to assist in the event of an incident, to manage and monitor the data save & restore and any automated process.
Platform administration access management is implemented:
All administration access to a system in production is carried out via a bastion.
Administrators connect to the bastions via SSH, using public and private key pairs. Use of default accounts on systems and equipment is prohibited) and access is with full tracing.
Administrators have an account dedicated exclusively to administration tasks, in addition to their user account (if apply)
Administrators are limited in number
Administrators in this role does not have access to application processing or application data (Client / Data Controller / User Services).
ISP's infrastructure management and support team must be able to intervene to ensure the servers, internet backbone, network installation, operation and maintenance. If needed they may assist Eralys. They never will have an access to Eralys platform's components and to the I.M.S. and S.H.C. eco-system. They never have an access to any Eralys and Client / Data Controler, Data subject information.
Eralys and its ISP have put in place specific monitoring methods for the detection of malicious acts.
Eralys and its ISP undertake to inform the Client / Data Controller as soon as possible following the analysis of a potential or reported detection.
A crisis management committee is planned.
I.M.S. provides the Client / Data Controller with all the necessary tools to inform people when the protection of their personal data has been violated.
As Data Processor, in accordance with the GDPR, Eralys may be required to make this information directly to the data subjects within 72 Hours.
Eralys has set up resources and provides services in the field of Cybersecurity (please look at Cyber Security section for more details).
These physical security measures are provided by the ISPs.
They concern the access controls of their premises by their staff and their subcontractors, as well as natural and environmental risks, activity/services continuity.
By working exclusively with top ISPs that have security certificates such as ISO 27000 and choosing only Class III and Class IV data centers, we are confident that we benefit from the best security measures.
Eralys makes available the information on the security measures implemented within the framework of the Services, so that the Data Controller can evaluate the conformity of these measures with the treatment of personal data.
Eralys provides the relevant information and documentation relating to the Services it provides and the security measures implemented to enable the Client / Data Controller to demonstrate compliance with the applicable safety regulations and more particularly with the data protection such as GDPR in EU countries.
Audits can be performed on request by internal or external auditors, subject to conditions defined in the Services contract or by a particular agreement.
Audits may concern Eralys and ISP(s) but are limited to the scope of the Client / Data Controler.
An information system security policy (ISSP) is implemented. It is updated at least every year or in the event of major changes that affect its content.
Eralys ensures that its ISPs, as hosts, providers of basic infrastructure and related services, meet the highest level of security requirements and are consistent with its security policy and requirements of its Clients and Data Controllers.
Eralys only works with the top global and local ISPs and only use Class III and Class IV data centers.
ISO/IEC 27000 standart is mandatory and PCI-DSS (for payment systems), SOC1 type II SOC2 type II and HDS (Healthcare Data System) certificates and more of ISPs are available.
Eralys exclusively uses servers that are entirely dedicated to it and that it administers itself.
The servers are distributed in different sites.
On request, Client / Data Controller can have their own dedicated server(s), their "private" environment.
Eralys defines and manages its own technical and technological architecture that is based on Open Source components and is commercially identified as I.M.S (Information Management System) and S.H.C. (Smart Hybrid Connectivity) and constitutes the Eralys eco-system.
Eralys use reserved IP with Fail Over and all connexions to the servers and applications, services, are encrypted. Client/User connexions to Eralys Servers and applications are encrypted.
Subject to the capabilities of the ISP, Eralys implements its own Virtual Private Network (VPN) between its servers. A specific VPN for the Client can be set up. Also a PoP connection with the Client's IT site for system integration can be implemented, if local conditions permit.
Services continuity of infrastructures (availability of equipment, applications and operating processes) is ensured by Eralys and the ISP.
ISP assumes standard Data Center Class III and Class IV continuity measures for basic infrastructure (server, Internet network).
Eralys assumes I.M.S. and S.H.C. services continuity:
- Redundancy of equipment and servers
- IP Fail Over
- Raid Disks
- servers distributed in different data centers and distant
- backup policy with remote storage
It is the responsibility of the Customer / Data Controller to define its own policy and service continuity requirements and then to choose the necessary Services from Eralys.
Eralys will submit a quotation and if it is accepted will implement it.
Client as Data Controller
If the Client is Data Controller, it's up to him to manage the relationship with his contacts, to define and implement his own personal data management policy.
Eralys as his Data Processor assists the Client as Data Controller by providing him with means and services that will help him demonstrate that he meets the requirements of the regulations for the protection of personal data, in particular the EUGDPR.
Caution: Some services specifically developed for a Client or that use older components and infrastructure do not provide the Client (Data Controller) with the facilities or tools that they may be required. Thank you to consult us.
Eralys and the Client (the Data Controller) sign a Data Protection Agreement.
The Data Controller must agree Eralys as his Data Processor.
Such agreement will be a part of Eralys General Contract of Services.
Such agreement must be signed for compliance with EU General Data Protection Regulation. Eralys will do it for all Clients adapted to any particular regulation which applies.
Eralys informs the customer about the ISP(s) and data center(s) where his data are processed and stored.
The location of the data must comply with the applicable Data Protection Regulations. EU GDPR states that data of natural persons residing in the EU must remain in the EU. Nevertheless, provided that the target country is recognized by the EU as applying equivalent protection conditions, they may be transferred to the said country.
Eralys will not change the location without prior notice to the customer.
The type of Personal Data and the categories of data subjects are determined and controlled by the Client / Data Controller, in its sole discretion.
The Customer is solely responsible for the choice of Services.
The Client must ensure that the Services chosen have the characteristics and conditions required in view of the processes, as well as the type of Personal Data to be processed in connection with the Services, including but not limited to where the Services are used to process Personal Data subject to specific regulations or standards (for example in some countries, health data or banking data).
A risk assessment of the personal aspects of natural persons and anything that could significantly affect the data subject and the handling of particular categories of sensitive data or data will be carried out.
Eralys as Data Controller
This is typically the case when Eralys collects certain information concerning you or relating to your employees (identity and contact details,...) in example for service contract, support services, payments and so on.
Since 2005, Eralys processes the personal, sensitive and strategic data of international financial, industrial and commercial clients. We know the value of information, the strategic importance of confidentiality, as well as the transparency for trust, and the need for sharing.
The challenge, the major difficulty is to be able to control and manage a very tenuous balance between protection-confidentiality (the private, guarantor of freedom, independence) and communication-sharing (the public, necessary for our development).
As a service provider we are finally a trusted third party, custodians of important and valuable things. Conscious of our role and the trust that our interlocutors give us, we have the greatest respect for the people and our customers, suppliers and partners, information.
That's why our approach, our design is based on three separate pillars: information - treatments - communication.
And that we have decided to focus our services on the user (the person) who has needs, rights, responsibilities, but also roles, tasks and communication needs within an organization and society in general.
We have created an eco-system for information management (the "data" is an IT restrictive word) with I.M.S. (Information Management System) and S.H.C. (Smart Hybrid Communication) for communication.
In I.M.S. basically it's the User who has control over the information he creates in the system, and each user decides for himself what he wants or needs to share and when and with whom. Each piece of information is attached to a User or a group of Users responsible for the Information.
This direct, permanent, visible and global empowerment of Users in the eco-system is the best guarantor of the protection and use of information. Naturally for private, personal data, but also in general all the information.
And we go further because our model is totally open. Indeed, with I.M.S. and S.H.C. if desired, it does not matter if a person, an entity, a group is "internal" or "external", is member or not, whether the information is: in a tool, application, system, format, location or an other one, the eco-system can expand to and the I.M.S. becomes in a way the integrator, the aggregator, a "universe".
For the information itself, from the technical point of view, and to the extent that its management and storage is entrusted to us, we protect the data using tools and components of the open software community and we distribute them on several disks, servers and also physically on several sites.
And as we are global, we reason and apply these principles, these rules, this philosophy on a general and global scale. What about, for example, an attack or a climatic event that neutralizes a country, a continent or a dominant actor that imposes its law, an employee or a group of employees or a supplier, a hacker takes you in hostage, a key player disappears or takes control ?
In a globalized, interconnected and interdependent world, engaged in a profound economic, social, political and generalized and permanent instability, increasing conflicts, spreading terrorism, changing climate ... we need to adapt and to prepare for any eventuality.
For us it's now mandatory and Eralys acts and helps, so we created a Cybersecurity platform and offer specialized Services
Warning: are excluded from the scope here presented the information and data owned by users of our Eralys Services (Eralys acting only as Data Processor).
Note: also, please read our Eralys as Data Processor section which contains important informations
- to limit collection of personal data to those strictly useful for the sole purpose of the proper performance of the Services and for professional, commercial, business, projects relationship management in the framework of support, service request, request for quotation, subscriptions and online registration, payments, administrative and legal needs, quality improvement, human resources management and still for respect its own legal obligations
- do not use the data collected for purposes other than those for which they are collected
- not to collect and use the data for profiling purposes in order to carry out mass marketing, advertising campaigns or personally targeting the individuals whose information we hold
- not sell or transfer the information to third parties other than related companies or group members
- keep personal data for a limited and proportionate period. For example, the data processed for the purpose of managing the relationship between the customer and Eralys (surname, first name, postal address, e-mail, etc.) are kept by the company during the entire duration of the contract and then following period still for respect Eralys own legal obligations. At the end of this time, they are deleted on all media and backups
- to treat the personal data of all people in the same way, regardless of the nature, type, level and purpose of the relationship.
Whenever Eralys collects or receives personal data, the natural person concerned will be notified with a reminder of his rights and, where appropriate, a request for his consent. For example I.M.S. will automatically send an e-mail when creating a new contact record.
Most often, and especially when required by regulation (i.e. EU GDPR), an appropriate consent will be requested.
Eralys will also ask you periodically or occasionally to check your data and ask you for update and renew your consent. For example, some time before a deadline or after a period of total inactivity.
Default common option is done by the link (or sending an e-mail) to firstname.lastname@example.org with Subject = Personal Data Request
As a customer, supplier, partner, project member you or some of your employees, maintain regular exchanges with Eralys. You then become a personal login Id for direct and permanent online access to your personal data and, case by case based, other information through our Customer Service Portal. There you have the direct view on your data and more stored in I.M.S. Also you can submit your requests and communicate online directly in a private, secured way with Eralys, inside I.M.S.
On a case-by-case basis, at Eralys' sole discretion, upon request, you can obtain this access.
In case of a close relationship and if it brings added value, efficiency, at Eralys' sole discretion, you and some of your employees can have an I.M.S. User access.
Depending on what is concerned, and the access rights available to the natural person, it may either submit a request for modification, express restrictions, or itself directly made certain changes.
Erasure (right to be forget) can be requested at any time. Perfectly legitimate and without having to provide reasons or justification, this request is however the subject of a specific procedure with manual processing because certain information are essential to the provision of services that the natural person wants to continue to benefit and some informations must be retained by Eralys to fulfill its own legal obligations.
To avoid fake requests you will have to confirm your request and to pass a particular identification process. Eralys also may ask you to provide some informations and/or documents.
The full process will be tracked and exchanges recorded. You will become event/action drived automatic notification as follow-up until the final confirmation of the erasure.
When erasure is allowed also in relation to legal obligations for Eralys, ALL the data and informations concerned are deleted.
In accordance with the applicable regulations, Eralys will accede to any request for transfer that will be submitted to it within the means available: either at the level of the Customer Services Portal or the I.M.S. User access, otherwise by the link (or sending an e-mail) to email@example.com with Subject = Personal Data Transfer Request
Eralys provides data to be transfered in a portable format: text (.csv or .txt), MS Excel (.xls or xlsx), opendoc xml (.odt - .ods).
Case of volumes or on particular request, transfer might be done using or S.H.C. platform and other particular data format can be done (subject to conditions and special quotation).
In case of detection of a data breach, or serious potential data breach suspicion, Eralys undertakes to communicate as soon as possible and within 72 hours following the confirmation by an analysis of the facts (EU GDPR rule)