Jostle’s Approach to the GDPR
On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data. Jostle is committed to helping our customers comply with the GDPR through our robust privacy and security protections.
As a Canadian Corporation, Jostle has always had to comply with the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”). Although many of the provisions of the GDPR are similar to those contained in PIPEDA, there are some unique requirements that we are taking the following steps to address.
Obligations on Controllers and Processors
The GDPR differentiates between controllers, the entity that determines the purpose and means of the processing of personal data, and processors, the entity that processes personal data on behalf of the controller. As it is you that is determining the information on your people into your intranet, you would be the controller, and Jostle the processor from this perspective. The GDPR requires that there be a contract between the controller and the processor stipulating a number of conditions under which the date processing is to be conducted. Although Jostle’s standard Subscriber Agreement covers much of this, we have also have a standard Data Processing Addendum (DPA) that you can download, sign, and return to firstname.lastname@example.org.
Download the Data Processing Addendum Download the DPA
Lawfulness of processing
Jostle’s basis for the processing of personal data of your people is that the processing is necessary for the performance of a contract to which your people are a party, ie. our contract with you. As the controller, you are ultimately responsible for ensuring that you have a valid reason for the processing of your people data within Jostle. There are a few options that you could consider:
- Obtaining consent from each of your people;
- Considering that the processing is necessary for the performance of employment contracts or other contracts with your people;
- Considering that the processing is necessary for the purposes of the legitimate interests pursued by You, namely the main business reason for using Jostle.
It is likely that you need to make similar assessments for other business systems, so choose the one that works best for your organization.
Security and privacy by design
The security and privacy of the data that customers entrust to us has always been of the utmost importance. Jostle has established appropriate technical and organizational safeguards to ensure that this continues. Jostle undergoes annual third party reviews of the security and privacy measures that it has put in place, and can provide customers copies of the most recent certifications subject to reasonable confidentiality terms.
Jostle utilizes best in class sub-processors to provide its infrastructure services, and has entered into agreements with each Sub-processor containing data protection that meet the requirements of the GDPR. Jostle’s current list of sub-processors and the services being provided are:
|Amazon Web Services, Inc. (AWS)||Data center services to own, manage and locate the physical infrastructure for the Jostle Services provided to Jostle customers at AWS owned facilities in the US and Europe.|
|Citrix Systems, Inc.||File sharing service (Citrix ShareFile) to provide document storage and file viewer capability within the Jostle Platform. Jostle’s ShareFile usage is hosted within AWS.|
|Google Inc.||Data storage service to store some Jostle data in Google (this service is only used upon user organizations’ requests)|
|Qbox Inc||Hosted search engine|
Jostle has security incident management policies and procedures in place that include the requirement to notify customers without undue delay after becoming aware of a data breach.
Right to be Forgotten
Jostle respects the right of an individual to be forgotten, but at the same time understands that the decision to erase the personal data of any individual really lies with the organization that individual is a part of. As such, Jostle provides tools that allow the designated administrators of our customers to remove the personal data for one of their users should they decide to do so. It should be noted that Jostle considers the content and data outside of an individual’s personal profile to be the property of the organization that individual is a part of, and that information will continue to exist after the individual’s personal data has been removed.
Similar to above, Jostle provides tools that allow designated administrators to extract the information in an individual’s profile and provide that to them. An individual themselves can download any files or other information that they have added to their personal profiles. Once again, Jostle considers the data and content outside of an individual’s profile to the property of the organization and not the individual and as such does not provide an automated way of extracting that content per individual.
If your organization is located within Europe, and hosted on our European infrastructure then all of your data will reside within Europe and there will be no systemic transfer of data outside of the EU. As a Canadian company, any transfers of data to Jostle can be conducted on the basis of the EU’s assessment of Canada offering an adequate level of privacy protection.
For customers not hosted on our European infrastructure, all transfers of data to Jostle’s Sub-processors are governed by contracts between Jostle and its Sub-processors incorporating EU Model Clauses.
Data Protection Officer
Jostle has determined that we are not required to designate an official data protection officer based on the nature of the data in Jostle and the fact that no systemic monitoring is performed.
Questions or concerns?
Jostle is committed to both fully complying with the GDPR itself, and assisting our customers in achieving compliance in their use of Jostle. Should you have any questions or concerns, please reach out to us at email@example.com