General Data Protection Regulation (GDPR)

1 WHAT IS GDPR?

The General Data Protection Regulation ("GDPR") is a new privacy regulation that replaces the EU Data Protection Directive ("Directive 95/46/EC"). It aims to harmonize data protection laws across EU by implementing a regulation directly applicable in each EU Member State. It creates new protections for EU data subjects’ fundamental right to privacy and implements significant fines for non-compliant businesses, thereby allowing EU data subjects to better control their personal data.

2 WHAT'S NEW WITH GDPR?

The information we collect allows us to:

• Unified legal framework. GDPR is directly applicable in the EU Member States which creates a unified legal framework across EU Member States.
• Enhanced rights for data subjects. Under the GDPR, data subjects can benefit from new rights, including the right to portability, the right to be forgotten, and the right not to be subject to automated decision making. GDPR also introduces specific provisions for minors under the age of 16.
• Transparency and accountability. Under the GDPR, organisations need to implement appropriate technical and organisational measures including conducting privacy impact assessments, keeping detailed records on their data processing activities, communicating a data breach following a notification process, and if needed, appointing a data protection officer.
• Cross-border data transfers. The Binding Corporate Rules ("BCR") are officially considered valid under GDPR.
• Shared responsibility. Under the GDPR, there is a shared responsibility between controllers and processors.
• One stop shop. Businesses with point of contacts in different EU Member States can benefit from a unique point of contact, a lead supervisory authority, under the GDPR.
• Enforcement. Non-compliance can lead to administrative fines of up to €20,000,000 or, in the case of undertakings, 4% of global turnover, whichever is higher.

3 WHO DOES GDPR APPLY TO?

GDPR applies to any company established in the EU – whether or not the actual processing takes place in the EU, and to any company (not just in the EU) processing personal data belonging to EU subjects in relation to offered goods, services or monitoring behaviour.

4 WHAT IS CONSIDERED “PERSONAL DATA” UNDER GDPR?

Personal data means any information that relates to an identified or identifiable natural person. Examples of personal data includes identifiers such as IP address, location data or unique online identifiers. For a comprehensive list of what is considered personal data under the GDPR, please refer to Article 4(1).

5 HOW HAS CIRILLO CONSULTING GMBH BEEN PREPARING GDPR CHANGES?

Cirillo Consulting GMBH security and legal teams analyzed our entire platform, services and business practices to strengthen our commitment to data protection, which includes:

• Participating in the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks;
• Undergoing SSAE-18 SOC 2 Type II audits by a qualified independent third-party; and
• Leveraging third-party expert firms to conduct annual penetration tests.

All these processes take place under the governance of Cirillo Consulting GMBH Data Protection Officer.

6 DOES CIRILLO CONSULTING GMBH PROCESS PERSONAL DATA?

Since customers have control over the data that is sent to our hosted services, all customer data is assumed to potentially contain personally identifiable information (PII) and is secured accordingly. Cirillo Consulting GMBH may also collect EU personal data for other purposes, as outlined in Cirillo Consulting GMBH Privacy Policy.

7 WHERE DOES CIRILLO CONSULTING GMBH STORE CUSTOMER DATA?

Cirillo Consulting GMBH uses hosting facilities located in the Germany. Cirillo Consulting GMBH participates in the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks in order to ensure that EU personal data is transferred in accordance with GDPR.

8 IS CIRILLO CONSULTING GMBH A DATA PROCESSOR OR A DATA CONTROLLER?

Cirillo Consulting GMBH acts as a processor when processing data from its customers.

9 DOES CIRILLO CONSULTING GMBH HAVE A DATA PROCESSING ADDENDUM ("DPA")?

Yes. Cirillo Consulting GMBH understands that its customers handling EU personal data need to implement appropriate safeguards to ensure that the processing of personal data is secure. Cirillo Consulting GMBH DPA is available upon request for all cloud customers. To obtain a copy, please reach out to your sales contact, as mentioned on your order form.