VETERINARIUM DATA PROTECTION COMMITMENTS
(INCLUDING PURSUANT TO GDPR REQUIREMENTS)
Why are we writing this right now?
From 25 May 2018, the protection of personal data will be regulated differently than it used to be, across and even outside Europe. 25 May 2018 is the effective date of the EU General Data Protection Regulation (GDPR). As the most significant data privacy change in decades, the GDPR will strengthen the rights of data subjects, regardless of where their data are processed.
In contrast to thousands of EU statutes and other documents, the GDPR is the only one that most organizations outside the EU know. We are no exception. Therefore, we want to assure you that Veterinarium Inc., its agents and contractors are committed to GDPR compliance and enforcement. Below we want to share with you our understanding of our future cooperation: mutually beneficial data protection cooperation built on trust and respect.
GDPR preparation: we are aware of its territorial scope
The GDPR has a unique feature: its extraterritorial application. Earlier EU data protection, enforced through Directive 95/46/EC and the internal legislation of the member states, was limited to organizations residing within the EU; now the GDPR will affect any other company in the world that processes personal data of EU data subjects under certain conditions. These conditions are either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU.
Veterinarium Inc. is incorporated in Canada. Even if the GDPR has no direct effect on Veterinarium, we understand that in the modern world compliance with global trends in personal data protection is a must. Our devotion to your privacy makes us believe that we have nothing to be afraid of in the face of the GDPR. But let us put general phrases and nice words aside. We do not want our words to be mere assertions, so we have prepared this agenda for Veterinarium’s GDPR compliance.
Our Commitments as a controller
Our Commitments: we respect the individuals’ rights
The list of data subjects’ rights remains almost the same as it used to be, namely:
Our Commitments: Security Measures
Under the GDPR, all data controllers and data processors have to implement the principle called “Privacy by Design”. Accordingly, we include data protection from the outset of system design. In other words, we take technical and organizational measures to meet the GDPR.
Besides that, Veterinarium uses HubSpot CRM software, Microsoft Azure (a cloud computing service), Chargify and Stripe to store and process information needed to provide services. These well-known software providers, together with Veterinarium, will ensure your data is secured within Smart Flow in the following ways:
Veterinarium signs NDAs with employees and contractors;
Physical Access Control
Electronic Access Control
Internal access control (permissions for user rights of access to and amendment of data)
Veterinarium takes measures to ensure that no unauthorized reading, copying, changes or deletions of data occur within the system, e.g. rights authorisation concept, need-based rights of access;
Veterinarium arranges and provides training for its personnel and contractors regarding confidentiality, integrity, availability and resilience of processing systems and services as part of GDPR compliance;
Data transfer control
Veterinarium takes measures to ensure that no unauthorized reading, copying, changes or deletions of data occur during electronic transfer or transport; transfer takes place within secured internet channels.
Data entry control
Veterinarium ensures that it can be verified whether and by whom personal data is entered into a data processing system, changed or deleted, e.g. logging control.
Availability and Resilience measures
Procedures for regular testing, assessment and evaluation
Veterinarium conducts periodic compliance checks against the requirements of the current data protection legislation.
Veterinarium regularly identifies and records the data processing risks in relation to the data importer’s contractual and legislative obligations.
Veterinarium takes measures to ensure that no third party processes data as per Article 28 GDPR without corresponding instructions from the data controller, e.g. clear and unambiguous contractual arrangements, duty of pre-evaluation, supervisory follow-up checks.
Our Commitments as a processor
We provide our services to clients that need to digitalize, visualize, and optimize their workflow in veterinary clinics. In such cases Veterinarium processes the personal data provided to the platform based on the services agreement between Veterinarium and its corporate clients, as well as on the data processing instructions of such clients.
Veterinarium Inc. is incorporated in Canada, and Canada is on the list of countries that provide an adequate level of protection of personal data. That means that the transfer of personal data from clinics in the EU to Smart Flow in Canada is secure in terms of cross-border transfers outside the EEA.
Veterinarium Inc. has IT services contractors in Ukraine as well as a subsidiary company in Australia. These countries are not on the list of countries that provide an adequate level of protection of personal data. For this reason, a special legal basis, or “safeguard mechanism” as the GDPR calls it, has to be applied for the transfer of personal data from the EU to a Ukraine- or Australia-based processor. The most common safeguard mechanism for such cases is the execution of Standard Contractual Clauses.
It is common practice throughout the world to use the Standard Clauses that were adopted by the European Commission before the GDPR was passed, as no newer Standard Clauses have been adopted yet. These Standard Clauses are traditionally supplemented by the additional requirements set by the GDPR. Together, such documents form the Data Processing Agreements that guarantee the data is processed by Veterinarium and its sub-processors upon the instructions of its clients and within the requirements of the GDPR.
Therefore, the transfer of the client’s data to the recipients in these countries is secured by the Standard data protection clauses adopted by the European Commission and is compliant with EU data protection laws.
Our Commitments: breach notification
Under the GDPR, we will have to provide the breach notification in all EU member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.
GDPR: staying tuned
We keep monitoring the official updates from the EU side regarding the implementation of the GDPR, including but not limited to:
Join us in monitoring any amendments and comments from the EU data protection authorities concerning GDPR compliance. Please drop us a line if you have something to add, want to offer advice or a recommendation, or want to correct us. The more we understand, the more beneficial our endeavors to protect personal data properly will be.
> Last Updated: May 2018