General rules for data protection
There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.
From 25 May 2018, Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
The GDPR includes requirements that resemble those in the Privacy Act 1988, and additional measures that similarly aim to foster transparent information handling practices and business accountability around data handling.
The General Data Protection Regulation (GDPR, also known as AVG) is the legal framework for the processing of personal data in Europe from 25 May 2018.
The GDPR contains a principle of extraterritoriality, which means that, in certain circumstances, the scope of its application can be extended beyond the borders of Europe.
If your organisation processes personal data, you are most likely subject to the provisions of the GDPR. In this respect you are subject to obligations and you must comply with them.
The same applies to KJHosting, which in view of its situation is bound by various obligations under the GDPR, in its capacity as a subcontractor or as data controller.
Definitions
A good understanding of these issues is, however, essential to prevent risks arising from a too broad or ambiguous interpretation of the legal obligations that apply to your structure.
A good understanding of the terms defined below is therefore essential:
personal data: all information relating to an identified or identifiable natural person. An identifiable natural person is defined as any natural person who can be identified directly or indirectly.
processing: any operation or group of operations, whether or not performed via automated processes, applied to personal data or personal data collections (collection, recording, transmission, storage, extraction, use, interconnection, etc.).
data controller: the natural or legal person, government agency, service or other body that determines the purpose and manner of processing, alone or with other persons.
Subcontractor / processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller.
KJH as a subcontractor
KJH is classified as a ‘subcontractor’ when it processes personal data on behalf of a data controller.
This will usually be the case when you use the services of KJH and you store personal data on KJH infrastructure. Within its technical limitations, KJH will process all stored data only in accordance with your instructions and on your behalf.
As a subcontractor, KJH commits to taking the following actions:
KJH is classified as a ‘data manager’ when we determine the purpose and method of ‘our’ processing of personal data. This is typically the case when KJH collects data for invoicing, accounts receivable management, improving the quality of services and performance, sales prospecting, commercial management, etc. But it is also the case when KJH collects personal information about its own employees.
In this scenario, ‘your’ data – the data that you store on the KJH services – will not be affected. On the other hand, certain information about you or concerning your employees (the identity and contact details of your contact at KJH as part of a request for technical assistance, for example) may be.
The following outlines which guarantees have been given to ensure that this personal information is protected.
Who is the owner of personal data that is used and stored by the customer as part of KJH services?
Is data from KJH’s European customers transferred outside the European Union?
The guarantees of KJH in the area of data transfer enable the customer to meet his legal obligations. Article 45 of the GDPR, which defines “transfer of data on the basis of a decision establishing an adequate level of protection”, provides that the transfer of personal data to a third country or an international organization can take place when the Commission finds that a third country, a territory or a specific sector or specific sectors in that third country or that international organization provide an adequate level of protection. No special permission is required for such a transfer.
When the customer chooses a service offered through a data center outside the European Union:
In this case, the data is transferred outside the European Union. When multiple locations are available, the customer selects one according to their own preference. KJH cannot change the locations or geographical areas selected during the ordering phase without the customer’s consent, subject to the specific conditions for delivering some of the services.
To support organizations that wish to process personal data by using data centers outside the European Union in a country that does not provide an adequate level of protection of personal data, KJH can, upon explicit request, implement guarantees allowing such a transfer as provided for in Article 46 of the GDPR, ‘Transfers subject to appropriate safeguards’.
If multiple locations are available, the customer can choose one during the ordering process. Subject to special conditions relating to certain services, KJH is not entitled to change the location or the geographical area in the order phase without the consent of the customer.
Other businesses that we utilise to deliver services
Unless legally required or as part of the legal execution of a contract, KJHosting never divulges personal customer details in the process of working with other partners.