General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the European data protection regulation adopted by the EU Commission to replace the EU Data Protection Directive, also known as Directive 95/46/EC. The GDPR applies to both individuals and businesses and regulates the way in which personal data of citizens in the European Union should be handled.

We would like to provide you with answers to some of the questions that we hear from our customers relating to GDPR. We also want to provide some detail on what we have done to become GDPR compliant and what services we offer to our customers to help them meet their compliance obligations.

FAQs about (GDPR)

When it comes to customer data, is Phocas a controller or a processer?

Under the GDPR, a “controller” determines why and how personal data is processed. A “processor” processes personal data on behalf of the controller. Phocas has limited knowledge of the data that each customer processes via the hosting infrastructure (“Customer Data”). Also, Phocas only processes Customer Data in accordance with the customer’s instructions. Therefore, Phocas is a processor of Customer Data hosted on our servers; the customer is a controller. We will continue to process personal data only in accordance with your instructions.

Does GDPR change the way Phocas treats customer data?

Phocas continues to treat customer data with the required level of sensitivity and confidentiality. Phocas uses Rackspace, one of the leading cloud service providers, as its sub processor. Learn more about the Rackspace security practices at

Phocas will continue to invest in the security of its customer solutions to ensure it remains compliant with applicable legislation.

Under GDPR regulations, can an EU customer host personal data outside of the EU/EEA?

Provided certain legal mechanisms are in place, EU customers can host personal data outside of the EU. Personal data may be transferred outside of the EU and the EEA when an adequate level of protection for that data is guaranteed.

To help achieve this level of protection Phocas uses AWS and Rackspace as its sub-processors for cloud provision. AWS and Rackspace ensure adequate safeguards are in place, including entering Standard Contractual Clauses 2010/87/EU, approved by the European Commission, with third party recipients.

Please contact your account manager if you need a Rackspace Data Processing Addendum that includes EU Standard Contractual Clauses.

Won’t I be in breach of the data protection laws if Phocas transfers my personal data outside the EU/EEA?

The current laws allow Phocas and its sub-processors to process personal data and therefore support your services from outside the EEA if you have given us your consent, or if data is transferred to a non-EU jurisdiction deemed by the European Commission to offer an adequate level of protection for personal data, or if the transfer is subject to model contracts.

Can you keep my data in the EU only?

Phocas is able to offer high quality support by operating a 24/7 "follow the sun" support model that leverages our support consultants in the countries where we operate. Therefore sometimes we will need to provide you with support from outside the EU. We comply at all times with applicable laws.

Transfers of personal data originating from other locations globally to Phocas affiliates are subject to the terms of the intra-company data processing agreement which requires all transfers of personal data to be made in compliance with applicable Phocas security and data privacy policies and standards.

Will the Data Protection laws/GDPR apply when Britain leaves the EU?

The Information Commissioner has confirmed that the U.K. will comply with the GDPR to enable it do business in Europe.

Do you have other data centres within the EU where I can store my data?

Yes, Phocas can provide servers in the EU. Because Phocas has customers throughout the world in different timezones it enables us to optimise the use of our servers because different timezones put load on the servers at different times. This enables us to keep the cost of our cloud service to our customers as low as possible. If we have to provide servers that are dedicated to a particular timezone this increases the cost of providing the service. Follow the sun support policy cannot take place if you geolocate your data.