GDPR Compliance + Reflection
We hear it every day: “How does Reflection meet requirements for GDPR?” As the need for GDPR compliance has expanded throughout and outside of the EU, being GDPR compliant has become more important than ever. Rooted in providing the most advanced protection for the Department of Defense, we have had security at our core for over 25 years.
We provide all of our customers complete access to their data. We never see it, or manipulate it in any way. Whether your needs are for a hosted solution by us, or completely on-premise – you’re always in complete control.
Riptide Software and GDPR
Riptide is a company that dwells in the software engineering realm, and security and data privacy have always been key to Riptide’s cultural fundamentals and a top priority since the company’s inception. The EU General Data Protection Regulation (GDPR) is a mandate designed to harmonize and protect data privacy laws for all citizens across Europe. Riptide Software complies with applicable GDPR regulations as a data processor and/or a data controller as they took effect on 25th May 2018.
Depending on the Riptide-client relationship, Riptide Software (“Company”) may act as either a data processor or data controller for its clients (“Customer”) within the definitions outlined in the GDPR.
GDPR defines a data controller as “the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” This means that if an organization processes personal data for its own purposes and needs, not merely as a service provider acting on behalf of another organization, then the organization is likely to be a data controller.
● Riptide as a Data Controller Under GDPR
Businesses or organizations that process personal data solely on behalf of Customer (data controller) and as directed by Customer are data processors. When the data controller outsources a data processing function to another entity (Company), the other entity is generally a data processor. Company may also serve as Data Processor for Customers’ end-users.
● Riptide as a Data Processor Under GDPR
If Riptide is processing data on behalf of a data controller (i.e., an employer), please see below.
- Customer must provide explicit consent for the data controller to store and process individual personal data. An individual can withdraw consent at any time. If Riptide Software is processing an individual’s data on behalf of one of Riptide’s enterprise customers (the data controller), individual consent shall be managed by the data controller.
- Breach Notification:
  - Riptide Software is required to notify enterprise customers (the data controllers) “without undue delay” after first becoming aware of a data breach. In the event of a data breach, Riptide Software will notify data controllers via email.
- Right to Access:
  - Individuals have the right to obtain from the data controller, such as their employer, confirmation as to whether or not personal data concerning themselves is being processed, where it is being processed, and for what purpose. Further, upon the individual’s request, the data controller must provide a copy of the personal data, free of charge, in an electronic format. If Riptide Software is processing an individual’s data on behalf of one of its enterprise customers (the data controller), such as the individual’s employer, the individual must submit a request through the data controller.
- Right to be Forgotten:
  - Also known as Data Erasure, the right to be forgotten entitles the individual to have the data controller, such as the employer, erase personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. If Riptide Software is processing data on behalf of enterprise customers (the data controller), such as the employer, the individual must submit a request through the data controller. This right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.
- Data Portability:
  - Individuals have the right to receive the personal data concerning themselves in a ‘commonly used and machine-readable format’, and have the right to transmit that data to another controller. If Riptide Software is processing data on behalf of enterprise customers (the data controller), such as the employer, the individual must submit a request through the data controller.
- Right to Rectification:
  - Individuals have the right to obtain from the data controller, such as the employer, without undue delay the rectification of inaccurate personal data concerning themselves. If Riptide Software is processing data on behalf of enterprise customers (the data controller), such as the employer, the individual must submit a request through the data controller.
Legal Basis for Processing
The legal basis on which Riptide processes data is that of contractual necessity, where data is processed for the data controllers that have subscribed to Riptide services. Riptide also processes data to comply with legal obligations and on the basis of legitimate business interests.
For more information on GDPR rights, please visit: www.eugdpr.org.
Please contact Riptide at firstname.lastname@example.org for any questions or requests of data subjects.