General rules for data protection

The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:

  • implement a privacy by design approach to compliance
  • be able to demonstrate compliance with privacy principles and obligations
  • adopt transparent information handling practices.

There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.

From 25 May 2018, Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The GDPR includes requirements that resemble those in the Privacy Act 1988, and additional measures that similarly aim to foster transparent information handling practices and business accountability around data handling.

The General Data Protection Regulation (GDPR, also referred to by its Dutch abbreviation AVG) is the legal framework for the processing of personal data in Europe from 25 May 2018.

The GDPR contains a principle of extraterritoriality, which means that, in certain circumstances, the scope of its application can be extended beyond the borders of Europe.

If you are an organisation that processes personal data, you are most likely subject to the provisions of the GDPR. In that case you are subject to obligations and you must comply with them.

The same applies to KJHosting, which, given its situation, is bound by various obligations under the GDPR, in its capacity as a subcontractor (processor) or as a data controller.

Definitions

Understanding the real, specific issues at stake in European legislation is not always an easy task, especially when the regulation in question contains 99 articles, 173 recitals and numerous directives specifying how it will apply.

A good understanding of these issues is, however, essential to prevent risks arising from an overly broad or ambiguous interpretation of the legal obligations that apply to your organisation.

A good understanding of the terms defined below is therefore essential:

personal data: all information relating to an identified or identifiable natural person. An identifiable natural person is any natural person who can be identified, directly or indirectly.

processing: any operation or set of operations, whether or not performed by automated means, applied to personal data or collections of personal data (collection, recording, transmission, storage, extraction, use, interconnection, etc.).

data controller: the natural or legal person, government agency, service or other body that determines the purpose and manner of processing, alone or jointly with others.

subcontractor / processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller.

KJH as a subcontractor

It is undoubtedly in the subcontractor scenario that you will deal most frequently with KJH.

KJH is classified as a ‘subcontractor’ when it processes personal data on behalf of a data controller.

This will usually be the case when you use the services of KJH and store personal data on KJH infrastructure. Within its technical limitations, KJH will process the stored data only in accordance with your instructions and on your behalf.

As a subcontractor, KJH commits to taking the following actions:

  • We will only use the services of subcontractors that also comply with the GDPR.
  • We will process personal data only for the correct execution of the services: KJH will never process your data for other purposes (marketing, etc.).
  • We will not store your data outside the EU or outside the countries recognised by the European Union as offering a sufficient level of protection.
  • We will inform you of any further subcontractor engaged to process your personal data.
  • We will apply stringent security standards to provide a high level of security for our customers.
  • We will inform you as soon as possible in the event of a data breach.
  • We will help you meet your own legal obligations by providing you with adequate documentation of our services.

KJH as a data controller

KJH is classified as a ‘data controller’ when we determine the purpose and method of ‘our’ processing of personal data. This is typically the case when KJH collects data for invoicing, accounts receivable management, improving the quality of services and performance, sales prospecting, commercial management, etc. It is also the case when KJH collects personal information about its own employees.

In this scenario, ‘your’ data – the data that you store on the KJH services – is not affected. On the other hand, certain information about you or your employees (for example, the identity and contact details of your contact at KJH as part of a request for technical assistance) may be.

The following outlines the guarantees given to ensure that this personal information is protected:

  • limiting the data collected to what is strictly necessary: when you order a service, you only enter the data that KJH needs for billing or support purposes, or to ensure that we comply with our own legal requirements and data protection obligations;
  • not using data collected for a purpose other than that for which it was collected;
  • storing personal data for a specific period: data processed to manage customer relationships (surname, first name, postal address, e-mail address, etc.) are stored by KJH for the duration of the contract plus an additional 36 (thirty-six) consecutive months, after which this data and all copies of it are removed from all media;
  • not transferring this information to third parties other than companies associated with KJH, and only as part of the execution of the contract. As part of such a transfer within the Group, some data may be transferred outside the European Union, on the basis of the binding corporate rules implemented by KJH;
  • taking appropriate technical and organisational measures to ensure a high level of security.

Who is the owner of personal data that is used and stored by the customer as part of KJH services?

Data stored by the customer as part of KJH services remains the property of the customer.

  • KJH has access to this data and only uses it when necessary to provide the services, within the limits of its technical capabilities.
  • KJH does not have the right to resell customer data or use it for its own purposes, such as data mining, creating customer profiles or direct marketing.
  • When a service allows a customer to host data, KJH will inform the customer of the location or geographical area in which the data centre is located.

Is data from KJH’s European customers transferred outside the European Union?

Data transfers to countries whose level of protection of personal data is considered sufficient by the European Commission may take place as part of KJH’s customer services. KJH also reserves the right to offer support services, including remote access to customer data stored in the service, to other KJH units located in countries with a level of data protection that the European Commission considers sufficient.

KJH’s guarantees in the area of data transfer enable the customer to meet its legal obligations. Article 45 of the GDPR, ‘Transfers on the basis of an adequacy decision’, provides that the transfer of personal data to a third country or an international organisation may take place when the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. No specific authorisation is required for such a transfer.

When the customer chooses a service offered through a data centre outside the European Union:
In this case, the data is transferred outside the European Union. When multiple locations are available, the customer selects one according to their own preferences during the ordering process. Subject to the specific conditions for delivering certain services, KJH cannot change the location or geographical area selected during the ordering phase without the customer’s consent.

To support organisations that wish to process personal data using data centres outside the European Union in a country that does not provide an adequate level of protection of personal data, KJH can, upon explicit request, implement the safeguards allowing such a transfer as provided for in Article 46 of the GDPR, ‘Transfers subject to appropriate safeguards’.

Other businesses that we use to deliver services

In the process of delivering services to our clients, KJH relies on services from other providers. Every effort is made to ensure that these companies also meet the data handling and security requirements detailed on this page.

Unless legally required, or as part of the lawful execution of a contract, KJHosting never divulges personal customer details in the course of working with other partners.