General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a new European data protection regulation adopted by the EU Commission. It replaces the EU Data Protection Directive, also known as Directive 95/46/EC. The GDPR becomes effective on May 25, 2018 and will strengthen security of and regulate personal data in the broadest sense. The GDPR applies to both individuals and businesses and regulates the way in which personal data of citizens in the European Union should be handled.

We would like to provide you with answers to some of the questions that we hear time and time again from our customers. We also want to provide an update on what Phocas has done to ensure that we will be ready for GDPR and what services we offer to our customers to help them meet their compliance obligations.

FAQs about the upcoming General Data Protection Regulation (GDPR)

When it comes to customer data, is Phocas a controller or a processer?
Under the GDPR, a “controller” determines why and how personal data is processed. A “processor” processes personal data on behalf of the controller. Phocas has limited knowledge of the data that each customer processes via the hosting infrastructure (“Customer Data”). Also, Phocas only processes Customer Data in accordance with the customer’s instructions. Therefore, Phocas is a processor of Customer Data hosted on our servers; the customer is a controller. We will continue to process personal data only in accordance with your instructions.

Will GDPR change the way Phocas treats customer data?
Phocas continues to treat customer data with the required level of sensitivity and confidentiality. Phocas uses Rackspace, one of the leading cloud service providers, as its sub processor. Lean more about the Rackspace security practices at https://www.rackspace.com/compliance

Phocas will continue to invest in the security of its customer solutions to ensure it remains compliant with applicable legislation.

With the new GDPR, can an EU customer continue to host personal data outside of the EU/EEA?
Provided certain legal mechanisms are in place, EU customers can host personal data outside of the EU. Personal data may be transferred outside of the EU and the EEA when an adequate level of protection for that data is guaranteed.

To help achieve this level of protection Phocas uses Rackspace as its sub-processor for cloud provision. Rackspace is Privacy Shield certified.
Please contact your account manager if you need a Rackspace Data Processing Addendum that includes EU Standard Contractual Clauses.

Won’t I be in breach of the data protection laws if Phocas transfers my personal data outside the EU/EEA?
The current laws allow Phocas and its sub-processors to process personal data and therefore support your services from outside the EEA if you have given us your consent, or if data is transferred to a non-EU jurisdiction deemed by the European Commission to offer an adequate level of protection for personal data, or if the transfer is subject to model contracts.

Can you keep my data in the EU only?
Phocas is able to offer high quality support by operating a 24/7 "follow the sun" support model that leverages our support consultants in countries where we operate. This means that although we will not move your personal data into another jurisdiction without your consent, sometimes we will need to provide you with support from outside the EU. We comply at all times with applicable laws.

Transfers of personal data originating from other locations globally to Phocas affiliates are subject to the terms of the intra-company data processing agreement which requires all transfers of personal data to be made in compliance with applicable Phocas security and data privacy policies and standards.

Will the Data Protection laws/GDPR apply when Britain leaves the EU?
The U.K. legislation on data protection (Data Protection Act 1998) is derived from the EU Directive on data protection. The new General Data Protection Act, which is effective from May 2018, will replace the U.K. legislation and the U.K. Information Commissioner has confirmed that the U.K. will comply with the GDPR to enable it do business in Europe.

Do you have other data centres within the EU where I can store my data?
Yes, Phocas can provide servers in the EU. Because Phocas has customers throughout the world in different timezones it enables us to optimise the use of our servers because different timezones put load on the servers at different times. This enable us to keep the cost of our cloud service to our customers as low as possible. If we have to provide servers that are dedicated to a particular timezone this increases the cost of providing the service. Follow the sun support policy cannot take place if you geolocate your data.