Vendavo GDPR Commitment Statement and FAQ
Information for existing and prospective customers
The EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018. GDPR has strengthened the rights of EU resident individuals over the use of their personal data and goes a long way toward creating a single data protection approach across the EU. It has also since been replicated in various forms in other jurisdictions.
Vendavo, as a data processor working in conjunction with our customers as data controllers, is committed to the delivery of solutions and services that comply with GDPR and applicable data protection laws.
What are we doing?
Vendavo has long had strong security and data protection policies, which are regularly reviewed and have been developed with a view to ensuring ongoing GDPR compliance. Similar to other legal requirements, compliance with GDPR requires a partnership between Vendavo and our customers in their use of our solutions and services.
How does Vendavo comply with GDPR?
Among other activities, Vendavo’s GDPR compliance includes:
- Use of Data Processing Agreements in order to permit customers to lawfully transfer EU personal information to Vendavo and to permit Vendavo to continue to receive and process personal information in the limited ways necessary for the provision of Vendavo products and services;
- Incorporating appropriate terms into third-party vendor contracts to meet the requirements of GDPR or other data protection law where personal data is transferred to or processed by those third parties;
- Building and developing our products with privacy and GDPR in mind, ensuring privacy by design wherever possible.
Does GDPR impact Vendavo customers?
Depending on the customer location, software configuration and the nature of data used, Vendavo software may process personal data which is subject to data protection laws, including GDPR. Accordingly, the latest version of Vendavo software supports GDPR requirements in a range of ways, including:
- Deletion. Vendavo software supports deletion of data by customers, including personal data and related data. This can be performed using the archiving feature, which allows customers to flag data for archival and deletion.
- Changes to personal data. Vendavo software supports enabling logging for fields that may contain personal data, to allow for easy modification.
- Disclosure of personal data. Data privacy regulations may require the release of personal data upon request of the data subject. Vendavo customers can create a report containing this information using Pricemart Extractor, which includes optional encryption.
- Special Category personal data. Special category personal data requires special handling under GDPR. Ultimately, Vendavo customers control the data they upload to Vendavo solutions, but Vendavo does not anticipate that business pricing data should incorporate special category data. This would be determined with individual customers by exception if relevant to ensure proper handling of such data.
What do you need to do?
As a current or future customer of Vendavo, you are responsible as the data controller for ensuring that your use of our solutions and services is compliant with GDPR, wider data protection law, and your internal organizational policies. Consider the following tips:
- Get to know the legislation. Three years in, everyone should now be familiar with GDPR and its impact on relationships with customers and staff and have built policies and procedures to enable that continued compliance.
- Audit your data and processes for data capture. Create a precise inventory of personal data that you control. Review your current controls and processes regularly to ensure that they are adequate, and build a plan to address any gaps, including:
  - Review your survey program;
  - Review your process documentation;
  - Ensure you have a lawful basis for holding and/or processing the data.
- Stay informed. Businesses should continue to monitor developments in this area, including the ECJ’s Schrems II decision, the e-Privacy Directive, and Digital Services Act in the EU, among others, to ensure ongoing compliance.
This information is provided for customer guideline purposes only and is not legal advice. It is subject to change or removal without notice. Consult with your own legal counsel if you have concerns over the use of Vendavo and its impact on your privacy compliance programs.