GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) entered into force in May 2016, has applied since 25 May 2018, and regulates the processing of personal data and the free movement of such data. As an EU regulation it is directly applicable: it does not need to be transposed into national law and, in most cases, needs no implementing or application rules.

Who is affected?

It affects companies established in the EU and any other company that processes data identifying individuals in the EU, even if it has no offices or servers there. Organizations outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour, fall under the GDPR even though they are otherwise subject to the law of a third country.

What are the main changes?

With the GDPR, the consent of the Data Subject (the natural person the personal data identifies) must be obtained validly and expressly, through a clear affirmative action; tacit consent (the opt-out method, where silence or a pre-ticked box counts as agreement) is no longer valid. The regulation also prescribes how consent is obtained: what information must be given to the data subject (for example, the retention period must now be stated) and in what form (concise, simple, transparent, intelligible and easily accessible).

It adds new rights to the existing ARCO rights (the Spanish acronym for access, rectification, cancellation/erasure and objection), such as the right to be forgotten and the right to data portability. The categories of data processed, the type of processing and who carries it out must be disclosed transparently, which improves the data subject's ability to decide about, and keep control over, the personal data he or she entrusts to third parties.

There are also requirements for notifying personal data breaches: the supervisory authority (in Spain, the Data Protection Agency) must be notified within 72 hours of the controller becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals, and the affected data subjects must be informed when the breach is likely to result in a high risk to them. The penalty regime is also toughened, with maximum fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.

Can I obtain my customers' consent with Evicertia?

YES. With our certified electronic signature service (eviSign) you can manage the whole consent process quickly and easily: send a mass mailing to your customer database, or automate it in real time (for example, at each registration, integrated through our web services), and the data subject has the acceptance just one click away. You get a management tool to track and search (by name, email, phone, etc.) and to know in real time who has, and who has not, accepted the processing of their personal data. You also obtain legally valid proof of consent, which the GDPR's accountability principle now requires you to be able to produce. If instead you collect consent with a form on your own website, or by exchanging scanned documents by email, it is much harder to prove that the records or documents recording that consent have not been altered, since anyone with access to them can modify them; that matters if a customer, rightly or wrongly, later sues you for unauthorized processing of their data.

How does it affect the services provided by EVICERTIA?

Evicertia provides trust services and therefore processes personal data (for example, the email address to which we send a certified communication, such as a notice of a change in the conditions of a contract). Our goal is to provide trust and security, so for us the GDPR is good news: it brings security and trust and gives value to our principles and services.

The GDPR stipulates that certain security measures must be in place, but Evicertia's services have complied with such measures since their inception, because we are committed to security by design. The GDPR makes a Data Protection Impact Assessment (a risk analysis) mandatory only where the processing is likely to result in a high risk to data subjects (Article 35); Evicertia performs such an assessment regardless. It is part of our Information Security Management System, which is certified to ISO 27001 and uses the controls defined in ISO 27002.

If users of Evicertia's certification services process personal data of other data subjects (e.g. the email addresses, phone numbers or the very content of a certified email sent through Evicertia), they are outsourcing that processing to Evicertia. For this scenario the GDPR defines the roles and responsibilities of the Controller and the Processor and the obligations of each party. The relationship must be governed by a formal contract (Article 28), which must include certain mandatory terms: among others, the subject matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the Controller.

Who is the Data Controller and the Data Processor?

Evicertia's CLIENT user (the sender of the communications or the author of the documents to be signed) acts as the Data Controller, because it determines the purposes and means of the processing and maintains the relationship with the addressee of the communication or document containing personal data. When Evicertia is entrusted with a service (certifying an email or a signature), Evicertia acts as the Data Processor. It is therefore the Controller who must obtain the Data Subject's consent (or rely on another lawful basis for the processing), define the categories of personal data to be processed and the purpose of the processing (in the example, using email to communicate changes in the conditions of a contract). Evicertia acts only on the documented instructions of the Controller, must implement the security measures the Regulation requires, and may not use the personal data for purposes other than those established by the Controller.

Does Evicertia collaborate with other Data Processors?

YES. For example, to support users we work with a company that answers the phone, so that company, which takes note of contact details when handling an incident, also becomes a processor of personal data. To communicate with our customers, or to export a report to a spreadsheet, we use Google's G Suite (the business version of Gmail) and therefore entrust Google with the processing of some personal data. To send SMS we use telecommunications operators, which vary depending on the destination of the SMS. These collaborators of EVICERTIA are what we call sub-processors. Under the GDPR a processor may engage a sub-processor only with the Controller's prior authorization (general or specific), must inform the Controller of intended changes so that it can object, and must impose on the sub-processor the same data-protection obligations that bind the processor itself.

Can I get a list of Subprocessors?

If you are a Data Controller who commissions services from Evicertia, you can request the list of sub-processors. To do so, please create a request at: https://support.evicertia.com. In the request you can also ask to subscribe to the sub-processor mailing list, so that you are notified of changes and can object to them. If you are a natural person whose data is processed by Evicertia, we will attend to you equally at https://support.evicertia.com, but we are obliged to forward your request to the Data Controller (our CUSTOMER), who is the one that collects your data, has to honour your rights and has to give us the instructions.

List of Subprocessors:

  • AD LOPEZ Y ASOCIADOS ASESORES

  • AMAZON WEB SERVICES

  • ANYWAYBAC

  • BACKBLAZE, INC

  • CENTRO DE NEGOCIOS G-88, S.L

  • CLX - SINCH UK LTD

  • COOKIEBOT

  • DMARCIAN

  • EVICERTIA CENTROAMÉRICA Y CARIBE SOCIEDAD ANÓNIMA

  • EVICERTIA DEL ECUADOR CIA. LTDA.

  • FRESBE IBERIA, SL

  • GOOGLE IRELAND LIMITED

  • HUBSPOT IRELAND LTD

  • INFOBIP LTD UK

  • INTERXION ESPAÑA S.L.U.

  • JIRA-ATLASSIAN PTY LTD

  • MAILGUN TECHNOLOGIES, INC

  • MASMOVIL - XTRA TELECOM S.A.U - GIGAS HOSTING, S.A.

  • MICROSOFT IRELAND OPERATIONS

  • MOBBEEL

  • MRW (LONGITUD 3M, S.L.)

  • NEXMO / VONAGE

  • NOTARIA DON FRANCISCO CALDERÓN ÁLVAREZ

  • NRS - NET REAL SOLUTIONS S.L.

  • ODOO

  • PAYPAL

  • SOCIEDAD ESTATAL CORREOS Y TELÉGRAFOS, S.A.

  • TWILIO

  • UANATACA, S.A.