JAGGAER & the General Data Protection Regulation
Effective 25 May 2018, the EU General Data Protection Regulation (“GDPR”) replaced the 1995 EU Data Protection Directive. GDPR (i) strengthens the rights that individuals have with respect to their personal data and (ii) imposes new obligations on organizations processing the personal data of individuals residing in the EU. JAGGAER is committed to helping ensure our customers’ compliance with GDPR.
What does GDPR mean for our customers and JAGGAER?
Our customers’ users enter certain personal data into our software applications: primarily business contact information when logging in. Under GDPR, our customer is a “data controller” and a data controller’s responsibilities include: (i) determining the purposes and means of processing personal data and (ii) implementing appropriate technical and organizational measures to ensure and demonstrate that any personal data processing is performed in compliance with GDPR. Under GDPR, JAGGAER, is a “data processor” and a data processor’s responsibilities include processing personal data in accordance with the limits of processing set forth by the data Controller. Accordingly, JAGGAER must also implement appropriate technical and organizational measures to protect personal data and be able to provide assurances to our customers that we are only processing personal data in accordance with our customers’ instructions. To accomplish these goals, JAGGAER has implemented a comprehensive GDPR compliance program to provide the necessary safeguards and documentation to support our customers’ GDPR compliance efforts.
What does GDPR require?
GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles: (1) personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (2) personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (3) processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed; (4) personal data must be accurate and, where necessary, kept up to date; (5) personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and (6) personal data must be processed in a manner that ensures appropriate security for the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Frequently Asked Questions
JAGGAER has compiled this list of Frequently Asked Questions so that our customers may familiarize themselves with the basics of GDPR and how JAGGAER’s compliance efforts enable our customers to comply with GDPR.
Where can you learn more about GDPR?
The rules and regulations of GDPR are available at https://ec.europa.eu/info/law/law-topic/data-protection_en. Additionally, the International Association of Privacy Professionals maintains comprehensive resources about GDPR and privacy generally. For additional guidance, JAGGAER recommends you regularly (1) check the website of your national or lead data protection authority under GDPR, as applicable, (2) monitor updated regulatory guidance as it becomes available and (3) consult a lawyer to obtain legal advice specifically applicable to your business circumstances.
Data Processing Addendum
JAGGAER’s Customer Data Processing Addendum provides contractual assurances for our customers that JAGGAER is utilizing the appropriate technical and organizational measures and sets forth the terms under which JAGGAER can process personal data on behalf of our customers to enable both JAGGAER and our customers to meet our respective obligations under GDPR.
Under GDPR, any services providers accessing personal data from our customers are considered “sub-processors.” Click here for a list of sub-processors providing services to JAGGAER that may require them to process certain forms of personal data provided by our customers when using our software applications and services. These processing activities may include accessing, storing, handling or otherwise using the personal data in order to provide services to our customers.
Additional Questions and Comments:
Customers may contact our data privacy team (located in both the EU and the U.S.), via the Data Privacy Inquiry Portal for any questions, comments, concerns or requests regarding how JAGGAER manages personal data our about our GDPR compliance program. Additionally, you may contact JAGGAER’s Data Protection Officer directly at DPO@jaggaer.com.