VISION HELPDESK – GDPR & EU DATA PROTECTION POLICY
Vision Helpdesk prioritizes customer trust. We know that customer data is important to our customers’ values and operations. That is why we keep it private and safe.
Vision Helpdesk helps customers maintain control of their privacy and data security in a myriad of ways:
- Data Security: We provide our customers compliance with high security standards, such as encryption of data in motion over public networks, auditing standards (ISO 27001:2013), and a Support team that is available 24/7.
- Disclosure of Customer Service Data: Vision Helpdesk only discloses Service Data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
- Data Hosting Locality: Customers have the ability to select the location (from the available Vision Helpdesk Data Center options) where the data center which hosts their Service Data is located.
- Access Management: Vision Helpdesk provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining and improving the Vision Helpdesk services and as otherwise required by law.
What is service data?
Service Data is any information, including personal data, which is stored in or transmitted via the Vision Helpdesk services, by, or on behalf of, our customers and their end-users.
Who owns and controls Service Data?
From a privacy perspective, the customer is the controller of Service Data, and Vision Helpdesk is a processor. This means that throughout the time that a customer subscribes to services with Vision Helpdesk, the customer retains ownership of and control over Service Data in its account.
Who are vision helpdesk sub-processors?
Vision Helpdesk maintains an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of Service Data.
What is a subprocessor?
A subprocessor is a third party data processor engaged by Vision Helpdesk, who has or potentially will have access to or process Service Data (which may contain Personal Data). Below is list of subprocessors with their role.
Service Data Storage Subprocessors
Vision Helpdesk production systems for the Services are located in facilities in the United States United Kingdom and Europe. Subscriber accounts are established in one of these regions based on what they select while placing trial order or actual order the Subscriber’s Service Data subsequently remains in that region unless agreed between Subscriber and Vision Helpdesk, but may be shifted among data centers within a region to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged in the storage of Service Data by Vision Helpdesk.
Entity Name | Entity Type | Entity Country |
Amazon Web Services, Inc. | Cloud Service Provider | United States |
Amazon Data Services Ireland Ltd | Cloud Service Provider | Ireland |
Amazon Web Services UK Limited. | Cloud Service Provider | United Kingdom |
PhoenixNAP LLC | Cloud Service Provider | United States |
PoundHost Internet Ltd | Cloud Service Provider | United Kingdom |
LeaseWeb Global B.V.[NL] | Cloud Service Provider | Netherlands |
How does Vision Helpdesk use Service Data?
We use Service Data to operate and improve our services, help customers access and use the services, respond to customer inquiries, and send communication related to the services.
What steps does Vision Helpdesk take to secure Service Data?
Vision Helpdesk prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.
For example, Vision Helpdesk servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. and our Support team is on call 24/7 to respond to security alerts and events.
Where will Service Data be stored?
Vision Helpdesk has data centers in three main regions — United States, European Union, and the United Kingdom. Service Data may be stored in any region. Customers can select the region in which data centers that host certain of their Service Data are located. Please see the Data Hosting Policy for additional information.
How does Vision Helpdesk Respond to Information Requests?
Vision Helpdesk recognizes that privacy and data security issues are top priorities for customers.
- Vision Helpdesk does not disclose Service Data except as necessary to provide its services to its customers and comply with the law as detailed in our Privacy Policy.
- Vision Helpdesk has achieved internationally-recognized ISO 27001:2013 certifications and accreditations demonstrating compliance with third-party assurance frameworks.
How does Vision Helpdesk respond to legal requests for Service Data?
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Services, or as otherwise required by law.
EU DIRECTIVE
The EU Data Protection Directive (also known as “Directive 95/46/EC“) addresses the processing of personal data and the free movement of such data. Broadly, this Directive sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.
Directive 95/46/EC established the Article 29 Working Party (“WP29”), which is comprised of representatives from the data protection authorities of all the EU Member States as well as from the European Commission. WP29 works to harmonize the application of data protection rules throughout the EU and also advises the EU Commission on the adequacy of data protection standards in non-EU countries.
How does the EU Directive apply to customers?
Vision Helpdesk customers that collect and store personal data are considered data controllers under Directive 95/46/EC. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including Directive 95/46/EC and the GDPR as of May 25, 2018.
What is a Data Processing Agreement (“DPA”)?
Vision Helpdesk offers customers a robust Data Processing Agreement (“DPA”), governing the relationship between the customer (acting as a data controller) and Vision Helpdesk (acting as a data processor). The DPA facilitates Vision Helpdesk’s customers’ compliance with their obligations under EU data protection law. Our DPA contains strong privacy commitments, and has been updated to confirm our compliance with the GDPR as and from May 25, 2018. Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Vision Helpdesk outside of the European Union by relying on mechanisms Standard Contractual Clauses.
What are the “Model Clauses”?
The European Commission has approved a set of standard provisions called the Standard Contractual Clauses (“Model Clauses”) which provide a data controller a compliant mechanism to transfer personal data to a data processor outside the European Economic Area (“EEA”). The Model Clauses are appended to the Vision Helpdesk DPA to help provide adequate protection for data transfer outside of the EEA or Switzerland.
Does Vision Helpdesk replicate the Service Data it stores?
Vision Helpdesk periodically replicates data for purposes of archival, backup and audit logs. We use secondary Data Centers in respected country to store the service data that is backed up, such as database information and attachment files. Please see our Data Hosting Policy for further details.
Does Service Data hosted in the EU region ever leave that region?
Vision Helpdesk customers have the ability to select the location (from the available Vision Helpdesk location options) where the data center which hosts their Service Data is located. Please see our Data Hosting Policy for further details. Otherwise, Vision Helpdesk may utilize any of its global data centers to host Service Data.
GDPR
Since our inception, Vision Helpdesk approach has been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which becomes enforceable on May 25, 2018.
If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn our customers’ trust, our DPA has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR. Our contractual commitments guarantee that customers can:
- Respond to requests from data subjects to correct, amend or delete personal data.
- Be made aware of and report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
- Demonstrate their compliance with the GDPR as pertaining to Vision Helpdesk Services.
VISION HELPDESK GDPR PRODUCT READINESS
The General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, provides data subjects with an array of privacy rights, which provide individuals with greater transparency into and control over uses of their personal information.
The features and functionalities that are currently available. As we approach May 25, 2018 (GDPR Effective Date), Vision Helpdesk will be updating and adding features and functionalities to further support our customers with their GDPR compliance programs.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is a new European privacy regulation which will replace the current EU Data Protection Directive (“Directive 95/46/EC”). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law.
To whom does the GDPR apply?
The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.
What implications does GDPR have for organizations processing the personal data of EU citizens?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.
How has Vision Helpdesk been preparing for the GDPR?
Vision Helpdesk will be compliant with the GDPR when it becomes enforceable in May 2018. Our privacy team is working with customers around the world to answer their questions and to help them prepare for using Vision Helpdesk Services after the GDPR becomes effective. Additionally, our privacy team is reviewing Vision Helpdesk current product features and practices to ensure we support our customers with their GDPR compliance requirements.
How can Vision Helpdesk customers prepare for GDPR enforcement?
Vision Helpdesk encourages customers to begin preparing for the GDPR by reviewing their privacy and data security processes and policies to ensure compliance by May 2018. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Below are some key points to consider for GDPR compliance:
- Geographical Application:The GDPR may apply to organizations that are established in the EU as well as certain organizations established outside the EU but which are processing the personal data of EU citizens, depending on their activities.
- Rights of End-Users:Organizations should be cognizant of End-Users whose personal data they may be processing. The GDPR establishes enhanced rights for End-Users, and organizations should be able to accommodate those rights.
- Data Breach Notifications:Organizations that are controllers of personal data should have clear processes in place in order to comply with the GDPR requirement to report data breaches in accordance with the time frames set out within the GDPR. Vision Helpdesk will notify affected customers without undue delay if we become aware of a data breach of our services.
- Appointment of Data Protection Officer (“DPO”):Customers may need to appoint DPOs to manage issues relating to the processing of personal data.
- Data Processing Agreement (“DPA”):Where personal data is transferred outside the EEA, a customer may need DPAs in place with its sub-processors to ensure an adequate level of protection for the transferred data. Vision Helpdesk’s DPA addresses GDPR and can be obtained by submitting a request to legal@visionhelpdesk.com
- Data Protection Impact Assessment (“DPIA”):DPIAs usually describe organizations data processes and protective measures, particularly those that may be risky. For data processing activities, customers need to conduct and file with authorities a DPIA.
Which Vision Helpdesk services and features can support customer’s compliance with the GDPR?
Customers can use Vision Helpdesk third-party ISO certification to help conduct their risk assessments and determine whether appropriate technical and organizational measures are in place. For additional information, please see the Security page.
Below are examples of specific Vision Helpdesk product features that customers can utilize to assist with the GDPR compliance program. Through our Advanced Security Deployed Associated Service, customers can choose to obtain enhanced features, including enhanced disaster recovery and encryption, as well as the ability to configure for the Health Insurance Portability and Accountability Act (“HIPAA”).
Currently available features for specific Vision Helpdesk products can be found in the questions/answers below.
Auditing Standards:
- ISO 27001:2013 certified
Scanning:
- Static scanning of code repositories
Encryption:
- Encryption of data in motion over public networks
- Encryption of certain data at rest with AES256 (Optional Add-on feature)
Does Vision Helpdesk provide any product specific Features/Functionality in its products to assist us with our GDPR compliance program?
Vision Helpdesk provides customers the option to delete Service Data that may contain personal data, such as profiles, tickets, images, and attachments, in active Vision Helpdesk Support accounts.
Below is the list of features Vision Helpdesk offers to help you comply with GDPR
1) Add TOS and Privacy Policy link on client registration form.
You can add your company TOS & Privacy Policy links to customer registration page, thus allowing customers to read and select the checkbox before signing for customer portal.
2) Data deletion for tickets, ticket post, attachments and all ticket related data
By default system offers you to move ticket to trash folder and from trash folder agents can delete tickets permanently. Agents can restore tickets from trash folder too.
Customers can delete profile information associated with tickets by deleting the ticket.
3) Attachment and Image Deletion: Customers can delete attachments and images by deleting the Support tickets to which those attachments and images are attached.
4) Complete deletion of end user or client data
End-User Profile Deletion:Vision Helpdesk currently supports the deletion of End-User profile information and their related data like tickets etc.
End-User themselves can modify their profile from end user portal.
Both Administrators and Agents can delete End-User profiles from staff portal as long as they have permission set under their roles by Administrator.
Following this deletion action, the End-User profile is removed from the User Interface and the End-User identity is deleted from the system, along with the tickets and other data is also deleted. e.g. solution comments, forum topics / comments, invoice and profile information.
5) Agent / Staff Profile Deletion:Vision Helpdesk currently supports the deletion of Agent profile.
Administrators can delete profiles of all Users, including Agents.
Vision Helpdesk retains Account Owner information inside our billing software (https://secure.visionhelpdesk.com) in order to continue to provide its products. When an account is terminated, Vision Helpdesk follows its Data Deletion Policy for remaining profile information.
6) Log deletion for incoming and outgoing emails
Vision Helpdesk Admin user can delete the incoming and outgoing email logs from admin settings area,
7) Secure cookie access through out the application
You have option to use SSL certificate and also the cookies that we store (read our cookie policy) on end user browser will be encrypted.
8) Access / role for staff member accessing client data
You can set role based granular access staff member so they can view or do certain operations allowed to them under roles. This can be done under settings area staff management section.
9) Archive data (available in V5 version) and its deletion
Our new V5 version also offers data archiving feature and further the archived data can also be deleted by admin user under settings area.
These features and functionalities are currently available, Vision Helpdesk will be updating and adding features and functionalities to further support our customers with their GDPR compliance programs.
VISION HELPDESK CERTIFICATIONS:
ISO 27001:2013 Certification.