This update provides an overview of how Panaya is working towards the full implementation of GDPR-required technical and organizational measures to best support its customers in protecting personal data and in exercising their rights.
In May 2016, the European Union adopted a new regulation on data protection, the “General Data Protection Regulation”, or GDPR, which will come into force as of May 25, 2018. The GDPR introduces a comprehensive data protection regime and increases the compliance requirements for organizations that use personal data of EU data subjects, whether the organization acts as a controller or processor of such data.
Panaya takes data protection, data security, and regulatory compliance very seriously. We are already SOC 2-compliant, and we currently rely on Amazon’s GDPR-compliant infrastructure through Amazon Web Services (AWS), which hosts the services we provide.
In terms of the GDPR, the data subject is the sole owner of any personal data that is stored with Panaya through our cloud-based services. Panaya acts as a processor of this data. You can utilize the capabilities built into the Panaya business offering to meet your own GDPR obligations related to the rights of data subjects, such as deletion and rectification of data, data access and transfer, and data subjects’ objection to the automated processing of personal data.
We recognize that cloud services may pose unique data protection and security challenges, and at Panaya we believe that our time-tested policies and practices provide a solid foundation for addressing customer concerns and enabling greater trust in services based on cloud computing.
We have worked to make our cloud-based offerings not only reliable, manageable and scalable, but also to ensure our customers’ data is protected and used by Panaya in a transparent manner.
Taken together, our data protection principles, data processing agreements and our company data protection and privacy policies govern the collection and use of all customer information processed by Panaya. These give our employees a clear, company-wide framework for all data operations.
When Panaya envisions a new product or service, privacy and data protection are considered at each phase of development. This is part of our approach to GDPR-based privacy by design and by default, which describes not only how we build products, but also how we operate our services and structure our internal governance practices.
For our enterprise services, we believe that customers should be given the maximum abilities and tools for controlling their own information, whether it is stored on their premises or in our cloud-based service.
Many of Panaya’s services enable a download of copies of data subjects’ data, without requiring assistance from us or our partners. Wherever the service does not enable this functionality, we are committed to delivering data portability to the customer upon demand, in a reasonable amount of time.
Finally, when a customer terminates its agreement to Panaya’s services, we retain any personal data only in a limited and restricted manner, as our customer contracts detail, so that the customer can extract its data. Thereafter, all data is deleted.
Under the GDPR, it will become mandatory for certain controllers and processors to designate a Data Protection Officer (DPO).
Therefore, a DPO was appointed, effective May 10, 2018.
For more details, please contact [email protected]
The GDPR introduces a general data breach-reporting obligation to the European regulator. Should a data breach occur, it would be subject to this reporting process.
In order to identify data breaches, Panaya applies processes and methods to protect and monitor all personal data maintained by us. We understand that security risks and challenges are evolving; therefore, we will constantly monitor emerging security risks and re-assess our organizational preparedness.
Making employees aware of what is expected of them shows the value Panaya places on the protection of personal data. We conduct ongoing education and awareness training for all employees accessing personal data, in order to increase awareness and to ensure such data is handled properly, in a manner that respects data subject rights.