myneTEC's Approach to GDPR Compliance
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a comprehensive European Union data protection and privacy regulation regime which applies to all EU Member States. The GDPR rules apply to almost all private sector processing by organizations in the EU or by organizations outside the EU, such as myneTEC, which provide products or services to EU residents. The regulation is effective as of May 25, 2018 and applies to the processing of personal data relating to an identified or identifiable individual (natural person). It does not apply to processing of personal data relating to legal entities.
Roles and Responsibilities
The users who provide personal information when using our service, website, the myneTEC platform and the applications developed for our customers are known as “Data Subjects” in terms of GDPR.
Our customers, who control the purpose and means of processing the personal data collected through the JourneyApps platform and the applications we developed for them, are known as “Controllers” in terms of GDPR.
myneTEC is a “Processor”, where we process and use personal data about Data Subjects only as instructed by our customer (the Controller) in terms of a written agreement. In these instances, our customers are responsible for ensuring that Data Subjects provide consent (to the extent that consent is required) for the collection and processing of personal data using the customer’s application. In respect of personal data collected via our website, myneTEC is a “Controller” in terms of GDPR. We act as a “Controller” when we collect personal data on our website, through our various technical support or customer interaction channels in order to provide timely customer support, or through the myneTEC platform when we administer user accounts.
As a Processor, myneTEC will take all reasonable required steps to assist Controllers with their compliance obligations under the GDPR. Where myneTEC is the Controller, myneTEC accepts responsibility for compliance with the requirements of GDPR in respect of Controllers.
Our customers own all rights to the personal data collected using the myneTEC platform and any application developed and hosted on the platform. myneTEC never uses any user data, except insofar as it is required to ensure the successful operation of an application, which is included in the authority given by our customer. When our relationship with a customer ends, or on request from the customer, all customer and user data is securely and permanently deleted, and a copy is provided to the customer.
Methods of Data Collection
myneTEC collects data, which may include personal data of Data Subjects, in one of three ways:
- Through our website, at www.mynetec.com, when an individual enquires about our services by providing their details and requesting that we contact them;
- Through the myneTEC platform, when customers and their users sign up to use the myneTEC platform, access one of our ancillary services or request support from our Support Desk; or
- Through applications developed for our customers and hosted on the myneTEC platform, when users provide personal data such as a name or email address to enroll in an application or use an application to capture other personal data as part of a business process.
Types of Personal Data Collected
When an individual clicks on “Contact Us”, we collect their full name, phone number, business email address, company name (if applicable) and online identifier information.
When an individual signs up to use the myneTEC platform, or any ancillary service used to access the platform or administer an application, we collect their name, email address and online identifier.
Customer Support and Interaction Channels
We use a number of channels to provide application development services and technical support to customers and users and to contact customers and users with important information regarding the myneTEC platform and customers’ applications. When we interact with users in this way, we collect the user’s name and relevant contact information.
We use the myneTEC platform to develop, operate and host custom applications for our customers. Each application is developed according to a customer’s specifications and therefore the personal data collected using the application varies depending on the application’s purpose and the customer’s requirements.
Our customers’ applications are rarely used to collect personal data, and where personal data is collected it is seldom sensitive. Personal data collected from users of a customer’s application is typically, but not always, limited to a user’s name, email address, phone number, address, employee or contractor identification number and the location where the application is used and the device used to access the application.
Data Subject Rights
The GDPR provides for various rights to data subjects and specific principles for lawful processing.
These include, for example, the Data Subject’s right to access the personal data held by the Controller (or Processor on behalf of the Controller) and the right to Erasure (also referred to as “the right to be forgotten”). Data subjects may send a request for deletion, or a request to obtain a copy of all personal information collected from their use of the myneTEC website, to our Data Processing Officer (email@example.com). For the myneTEC platform or any application hosted on the myneTEC platform, such requests go to the customer (as the Controller of the personal data). Data subjects can also contact our Data Protection Officer (firstname.lastname@example.org) directly, whereafter we will engage our customer to consider and comply with the request.
myneTEC is Prepared for GDPR
myneTEC has always valued the trust our customers and users place in us, and we have always adhered to strong data security protocols. As part of our GDPR compliance assessments, we have worked with our legal team and engineers to further address all aspects of GDPR that are applicable to us.
Our Agreements and Policies
We have updated our Master Services Agreement (“MSA”) to provide more information on data privacy and security, and have also made our Data Processing Addendum (“DPA”) available online for customers to use. The DPA is an addendum to the MSA and elaborates on the data privacy and security clauses in the MSA. Customers may download the DPA and return a signed copy to our Data Protection Officer. Our DPA includes European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our customers who operate in or have users in the EU.
Customers may specify their specific data management rules with respect to their users’ personal information in their Master Services Agreement, or any other agreement, with us, such as requiring their applications to be configured so that all personally identifiable information (PII) is expunged from the myneTEC platform after a specific period. We only keep personal data for the period as required by the customer or until the agreement is terminated. We never use personal data of users for any other purpose than to host and support an application for our customer.
Our agreements with customers provide assurance that the customer will retain all rights to personal data collected as a result of the agreement with us. Customers are able to view the types of data collected or request a copy of the data at any time. Customers always have access to all of the data and can download copies at any time using the myneTEC platform. Customers are responsible for ensuring that the users of their applications provide the necessary consent, to the extent that consent is required. Users may revoke that consent by contacting the customer and myneTEC will provide the customer with assistance to carry out the instruction from the user. A user may, however, be unable to use an application if they revoke consent and should always reference any agreement between them and the customer to understand their specific rights with respect to an application.
Our Cloud Partners
myneTEC uses only reputable providers of cloud storage and processing services as its own sub-processors, and has entered into agreements with each which commit them to complying with all aspects of GDPR. Our main data sub-processors, such as Amazon Web Services (AWS) and Microsoft, maintain rigorous security standards (SOC2 and/or ISO 27001 certifications).
We take the security of customer and user data very seriously and use several rigorous measures to protect customer and user data. For more information on myneTEC's approach to data security, refer to our Security Whitepaper.