If you're an organization based in the United Kingdom or the European Economic Area (EU Member States plus Norway, Iceland and Liechtenstein), we thought you may be interested to know the steps We take to comply with data protection laws in the UK and the EEA, and how We help you comply with those laws. So, here you go!
1. Controller & Processor
Loop Works as your processor. We are a SaaS technology company, so most of the time We'll be acting as your processor and you (or your customer, where you resell Our products & services) will be the controller of personal data you share with Us.
As you would expect, We have a standard data processor agreement which is aligned with Article 28, GDPR and which sets out Our obligations as your processor, including:

| Obligations | GDPR Requirement | DPA Clause |
|---|---|---|
| Sub-processors are used with the controller's consent (general authorisation) – see our list of sub-processors in section # below. | Art.28(2) | TBC |
| Processing of personal data only on the controller's documented instructions | Art.28(3)(a) | TBC |
| Our staff who process your personal data are subject to a duty of confidentiality | Art.28(3)(b) | TBC |
| We will implement appropriate technical & organisational measures to ensure an appropriate level of security | Art.28(3)(c) | TBC |
| We will engage sub-processors with your general authorisation & impose the same processor terms on sub-processors | Art.28(3)(d) | TBC |
| Assist you in dealing with rights/requests of data subjects | Art.28(3)(e) | TBC |
| Assist you in complying with your obligations to maintain appropriate technical & organisational measures; breach notifications; data protection impact assessments & associated consultations with supervisory authorities | Art.28(3)(f) | TBC |
| Delete or return your personal data after the end of our provision of services to you | Art.28(3)(g) | TBC |
| Make available to you the information necessary to demonstrate compliance with Art.28 GDPR and contribute to audits | Art.28(3)(h) | TBC |
| We will inform you if we believe an instruction breaches GDPR or other EU laws | Art.28(3)(h) | TBC |
| We will flow down the same terms to our sub-processors and we are liable for breaches by our sub-processors | Art.28(4) | TBC |
2. Processing Personal Data Outside the EEA
We are global. Loop Works is a global company with staff and operations in the [United Kingdom] and the USA. Personal data will be processed by staff and systems in the USA [+ other non-EEA countries including the United Kingdom by the Loop Works group of companies and Our Authorised Sub-Processors.]
Our customers are global. For customers who are controllers of personal data in the UK and EEA, when we process personal data outside the UK and EEA our processing is subject to European Commission approved Standard Contractual Clauses in line with Articles 44 & 46, GDPR.
SCCs. We know that the current Standard Contractual Clauses are being overhauled and are due to be replaced in 2021 – once the new Standard Contractual Clauses are approved by the European Commission, rest assured that we will be introducing the new Standard Contractual Clauses for non-EEA processing.
EU/US Privacy Shield. We also remain an active participant in the EU/US Privacy Shield programme operated by the US Department of Commerce. We know about Schrems2 (more on that later!) and we know that the EU/US Privacy Shield programme is no longer a valid mechanism for non-EEA processing of personal data, but the comfort and assurance that the EU/US Privacy Shield programme provides to our UK and EEA customers remains in place for your peace of mind.
We maintain the following technical and organisational measures in respect of personal data which we process:
- All Our staff receive data protection and confidentiality training, which is refreshed on an annual basis
- All Our staff agree to an express duty of confidentiality
- All customer data is backed-up in cloud infrastructure across multiple locations
- We have a series of internal policies in place which Our staff are required to comply with including data protection, confidentiality, security, incident management etc.
- We carry out extensive due diligence and ongoing audits on our sub-processors.
4. How Our Products Help Support Your Data Protection Compliance
Our SaaS platform provides:
- State-of-the-art security
- Highly resilient hosting platforms and disaster recovery and back-up solutions
- A 24/7/365 self-service platform which puts you in control of your data: if you need to view personal data, provide portable copies of personal data or erase personal data to comply with data subject requests under GDPR, our online self-service SaaS platform helps support your compliance
5. Data Protection Officer
[Note: please confirm if you have a data protection officer – see Article 37, GDPR]
6. EU Appointed Representative
[Note: please confirm if you have a Rep – see Article 27, GDPR (if you're not established in the UK, e.g. through a subsidiary or branch, but you provide services to UK/EU customers and process a lot of personal data about UK/EU data subjects, you may trigger the requirement to appoint a UK/EU Rep)]
7. Authorised Sub Processors
When you use our SaaS services, we will use the following service providers to process your personal data as our sub-processors:

| Sub-processor | Processing activity | Location |
|---|---|---|
| Microsoft Azure | Provides the cloud infrastructure which hosts and processes all customer information/personal data | [US] |
| Members of the Loop Works Group of Companies including Loop Works LLC & mResource LLC | TBC e.g. support services/helpdesk | TBC |
In line with our DPA, we may change our sub-processors and when we do this, we will update the information in the table above.
We are aware of the decision of the European Court of Justice in the Schrems2 case. Like many SaaS vendors, we use Standard Contractual Clauses for non-EEA processing of personal data, and we note that whilst the ECJ judgment in Schrems2 invalidated the EU/US Privacy Shield programme for non-EEA processing, it upheld the use of Standard Contractual Clauses for non-EEA processing.
Loop Works maintains a range of supplemental measures relating to its processing of personal data including:
- encryption of personal data in transit and at rest;
- a policy to manage requests for access to personal data from law enforcement and government agencies.
The UK is no longer an EU Member State, but UK data protection law remains based on the EU GDPR and the UK ICO has approved the use of Standard Contractual Clauses for non-UK/EEA processing of personal data. We will keep a watching brief on the development of UK data protection law post-Brexit, but if you're a UK customer, we're confident that we have appropriate measures in place for you to share personal data with us.
10. Cookies & Online Tracking Technology
We know that UK and EEA privacy laws don't start and end with the General Data Protection Regulation 2016/679 or the UK Data Protection Act 2018.
11. Any Questions?
If you have any questions that aren't answered in our Privacy Hub, or if there are other things that you would like to see covered in our Privacy Hub, please get in touch and let us know! You can contact us at firstname.lastname@example.org