Privacy, Terms and Conditions
General rules for data protection
The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
- implement a privacy by design approach to compliance
- be able to demonstrate compliance with privacy principles and obligations
- adopt transparent information handling practices.
There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.
From 25 May 2018 Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.
The GDPR includes requirements that resemble those in the Privacy Act 1988, and additional measures that similarly aim to foster transparent information handling practices and business accountability around data handling.
The General Data Protection Regulation (GDPR, also known as AVG) is the legal framework for the processing of personal data in Europe from 25 May 2018. The GDPR contains a principle of extraterritoriality, which means that, in certain circumstances, its scope of application can extend beyond the borders of Europe. If you are an organisation that processes personal data, you are most likely subject to the provisions of the GDPR and must comply with the obligations it imposes. The same applies to KJHosting, which in view of its situation is bound by various obligations under the GDPR, in its capacity as a subcontractor or as data controller.
Understanding the real, specific issues at stake in European legislation is not always an easy task, especially when the regulation in question contains 99 articles, 173 recitals and numerous directives to specify how it will apply. A good understanding of these issues is, however, essential to prevent risks arising from an overly broad or ambiguous interpretation of the legal obligations that apply to your organisation. It is therefore essential to understand the terms defined below:
- Personal data: all information relating to an identified or identifiable natural person. An identifiable natural person is any natural person who can be identified directly or indirectly.
- Processing: any operation or group of operations, whether or not performed via automated processes, applied to personal data or personal data collections (collection, recording, transmission, storage, extraction, use, interconnection, etc.).
- Data controller: the natural or legal person, government agency, service or other body that determines the purpose and manner of processing, alone or with other persons.
- Subcontractor / processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller.
KJH as a subcontractor
As a subcontractor, KJH commits to taking the following actions:
- We will only use the services of subcontractors that also comply with the General Data Protection Regulation.
- We will process personal data only with a view to the correct execution of the services: KJH will never process your data for other purposes (marketing, etc.).
- We will not store your data outside the EU or outside the countries recognized by the European Union as offering a sufficient level of protection.
- We will inform you whenever subcontractors have to be used to process your personal data.
- We will apply stringent security standards to provide a high level of security for our customers.
- We will inform you as soon as possible in the event of a data breach.
- We will help you meet your own legal obligations, by providing you with adequate documentation of our services.
KJH is classified as a ‘data controller’ when we determine the purpose and method of ‘our’ processing of personal data. This is typically the case when KJH collects data for invoicing, accounts receivable management, improving the quality of services and performance, sales prospecting, commercial management, etc. It is also the case when KJH collects personal information about its own employees.
In this scenario, ‘your’ data – the data that you store on the KJH services – will not be affected. On the other hand, certain information about you or your employees (for example, the identity and contact details of your contact at KJH as part of a request for technical assistance) may be. The following outlines the guarantees given to ensure that this personal information is protected:
- Limiting the collected data to what is strictly necessary: as part of this approach, when you order a service, you only enter the data that KJH needs for billing or support purposes, or to ensure that we comply with our own legal requirements and data protection obligations.
- Not using collected data for a purpose other than that for which it was collected.
- Storing personal data for a specific period. Data processed to manage customer relationships (name, first name, postal address, e-mail address, etc.) is stored by KJH for the duration of the contract, for example, plus an additional 36 (thirty-six) consecutive months. After this time, this data, as well as any copies of it, will be removed from all media.
- Not transferring this information to third parties other than companies associated with KJH and as part of the execution of the contract. As part of this transfer within the Group, some data may be transferred outside the European Union, based on the restrictive business rules implemented by KJH.
- Taking appropriate technical and organizational measures to ensure a high level of security.
Who is the owner of personal data that is used and stored by the customer as part of KJH services?
Data stored by the customer as part of KJH services remains the property of the customer.
- KJH has access to this data and only uses it when it is necessary to provide services and within the limits of its technical capabilities.
- KJH does not have the right to resell customer data or use it for its own purposes, such as data mining, creating customer profiles or direct marketing.
- When a service allows a customer to host data, KJH will inform the customer about the location or the geographical area in which the data center is located.