Regulations that govern personal data protection

There are currently various documents covering data protection in place at the national, international, and European levels. The most important ones are the following:

• Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés.
• Directive 95/46/CE du Parlement européen et du Conseil, du 24 octobre 1995, relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, abrogée le 25 mai 2018 par le Règlement (UE) 2016/679.
• Règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données).
• Charte des droits fondamentaux de l’Union européenne (2012/C 326/02).
• Convention pour la protection des personnes à l’égard du traitement automatisé des données à caractère personnel.

TEEPTRAK undertakes to abide by its obligations in accordance with the aforementioned regulations, particularly the General Data Protection Regulations (GDPR).

We strongly advise all our customers to be particularly vigilant on these aspects of compliance. Other, more specific regulations may exist, including for certain specific categories of personal data. In such cases, organisations are solely responsible for correctly identifying the regulations applicable to their business activities, and achieving compliance with them.

Data Protection Officer (DPO): oversees data protection strategy and implementation to ensure compliance with GDPR.

TEEPTRAK’S DPO is Francois Coulloudon.

The DPO acts as a fully independent internal watchdog, ensuring that TEEPTRAK’s data processing operations are compliant with all applicable European regulations. The DPO is totally committed to his objectives and has the resources at his disposal to operate completely independently, without any conflicts of interest.

He regularly runs awareness and training sessions for the Group’s employees and is there to answer their questions on privacy and data protection. He is also the first point of contact for any customers who need guarantees for the measures they have implemented in order to conform with applicable regulations, including the GDPR.

The DPO can be contacted regarding data protection and privacy at anytime using this email address: gdpr@teeptrak.com

GPDR

The General Data Protection Regulation (GDPR) is the new legal framework of data protection law across the EU, and is due to come into force on 25th May 2018. Contrary to Directive 95/46/EC, which governed this processing prior to this point, the GDPR has direct effect within the Union and does not need to be transposed at national level. In this way, it will aim to harmonise laws governing the processing of personal data across Europe. Even better, the GDPR enshrines a principle of extraterritoriality, which means that, in certain circumstances, the scope of its application can be extended beyond the frontiers of Europe.
If you are an organisation that processes personal data, you are highly likely to be governed by the provisions of the GDPR. In this regard, you are subject to obligations and must abide by them. The same is true of TEEPTRAK, which, in view of its situation, is bound by different obligations, in its capacity as a processor and as a data controller.

Definitions

Understanding the real, specific issues at stake in European regulations is not always an easy task, especially when the regulation in question contains 99 articles, 173 recitals and numerous lines of guidance on how it will apply. However, this is essential in order to avoid any risk that may result from an overly broad or imprecise interpretation of the regulatory obligations incumbent on your structure. A proper understanding of the terms defined below is therefore essential:

• Personal data: any information relating to an identified or identifiable real person. An identifiable real person is defined as any real person who can be directly or indirectly identified.
• Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, transmission, storage, conservation, extracting, consultation, use, disclosure by transmission and so on.
• Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

TEEPTRAK as a processor

It is undoubtedly in this last scenario that you will deal the most frequently with TEEPTRAK. TEEPTRAK is classed as a “processor” when it processes personal data on behalf of a data controller.

This will typically be the case when you use the services of TEPTRAK and you store data on an TEEPTRAK infrastructure. Within the limit of its technical restrictions, TEEPTRAK may process any data stored solely in accordance with your instructions, and on your behalf.

As a processor, TEEPTRAK commits to:

Processing personal data solely for the purposes of carrying out the services correctly: TEEPTRAK will never process your information for any other purposes (marketing, etc.). It is possible at any time to contact the TEEPTRAK DPO to find out the nature of the information recorded. We are committed to supporting the data controller (ie. The user company) in the proper management of personal data.

TEEPTRAK’s commitments as a subcontractor

As a subcontractor, TEEPTRAK undertakes in particular to implement the following actions:

• Process personal data for the sole purpose of the proper performance of the services: TEEPTRAK will never process your information for other purposes (marketing, etc.).
• Do not transfer your data outside the EU or outside countries recognized by the European Commission as having a sufficient level of protection: provided that you do not select an infrastructure in a geographical area outside the EU (for example our infrastructure in China).
• Inform you of any use of subcontractors who could process your personal data: to date, no service involving access to the content stored by you as part of the services is subcontracted outside the TEEPTRAK group
• To implement high security standards in order to provide a high level of security to our services.
• Notify you as soon as possible in the event of a data breach.

FAQ: Who owns the personal data used and stored by the customer as part of the services?

The that customers host on our services remains the property of the customers in question.

TEEPTRAK will not access this data except where necessary in order to perform the services, within the limits of its technical restrictions.

TEEPTRAK will never use this data except for anonymous analysis of performance impact of our solutions for our clients. Any resale of the aforementioned data, as well as any use of the data for commercial purposes (e.g. data mining, profiling activity or direct marketing), is strictly prohibited.

TEEPTRAK as a data controller

TEEPTRAK is classed as a “data controller” when we determine the purpose and method of “our” personal data processing.

This is typically the case when TEEPTRAK collects data for billing, managing accounts receivable, improving the quality of services and performance, sales prospecting, commercial management, etc. But it is also the case when TEEPTRAK collects personal data on its own employees.

In this scenario, ‘your’ data – the data that you store on TEEPTRAK’s infrastructures – is not affected. On the other hand, certain information concerning you or concerning your employees (the identity and contact details of your contact person at TEEPTRAK as part of a request for technical assistance, for example) may be. This is why TEEPTRAK is keen to explain the guarantees put in place to ensure that this personal data is protected.

• Process personal data for the sole purpose of the proper performance of the services: TEEPTRAK will never process your information for other purposes (marketing, etc.).
• Do not transfer your data outside the EU or outside countries recognized by the European Commission as having a sufficient level of protection: provided that you do not select an infrastructure in a geographical area outside the EU (for example our infrastructure in China).
• Inform you of any use of subcontractors who could process your personal data: to date, no service involving access to the content stored by you as part of the services is subcontracted outside the TEEPTRAK group
• To implement high security standards in order to provide a high level of security to our services.
• Notify you as soon as possible in the event of a data breach.

Data security

For its core business, TEEPTRAK has implemented several techniques and procedures to protect its clients’ data.
Here is some information regarding implemented safety measures:

• Encryption: The HTTPS protocol use our SSL certificate (256 bits) verified by the well-known third party GeoTrust.
• Unsecured HTTP traffic is redirected to encrypted HTTPS protocol.
• Authentication: each tablet is identified by a UDID (Unique Device Identifier) and need to be authorized by our service
• Authorization: each authorized tablet got a dedicated token
• Authorization: each authorized tablet got a dedicated token
• Once data are pushed to the server they are removed from the tablet after 1 week (and then available only on the online platform).
• All data is permanently backed up on a second dedicated and physically isolated infrastructure
• Our systems are protected against the most classic attacks: SQL injection, Cross Site Scripting (XSS), Cross-Site Request Forgery, Header injection and more
• Each of the hardware bricks can lose connectivity without any information being lost. Everything resynchronizes when the communication channels are operational again. Only a Bluetooth module fault causes a loss of information.

Our European infrastructure exclusively uses dedicated servers at OVH. We know precisely the physical location of clients’ data using European infrastructure. More information: https://www.ovh.com/fr/protection-donnees-personnelles/securite.xml.

Supplier addresses
• Headquarters: 2 rue Kellermann, 59100 Roubaix, France.
• Servers location : GRA-1, Route de la Ferme Masson, 59820 Gravelines, France

For more information and/or to access or enquiry about personal information that we might have, you can contact TEEPTRAK’s DPO, Francois Coulloudon, at this address : gdpr@teeptrak.com