Adonis' work with Data Protection and Data Security

This article provides answers to many of the inquiries raised by customers and business partners regarding our GDPR work.

 

The importance of Data Protection and Privacy

As of May 25, 2018, the GDPR took effect for all members of the EU and the EEA. It supplanted previous data protection and privacy legislation as laid out in the EU Directive 95/46. The GDPR includes many of the statutes from the previous legislation, though the GDPR is in many areas more precise and addresses the privacy, data and systems risks of today’s fast-moving digital world. GDPR is particularly demanding in its extensive transparency requirements. Processing of personal data must be stringently documented to ensure the lawfulness of the processing, demonstrate the existence of sufficient procedures, show that security measures have been taken, and ensure that the appropriate data processing agreements are in place. GDPR expands the protection of Europeans’ data rights and specifies what companies that handle personal data have to do to protect those rights. In addition to the European GDPR legislation, many countries have implemented similar strict regulations to protect the personal information of their citizens.
 

Privacy and Security Culture

At Adonis we are working diligently to promote awareness of data protection and privacy in our culture. We have sought to engage professionals with an abiding interest in this topic in order to encourage proactive, state-of-the-art data protection and privacy measures within our organization.
To reinforce this at Adonis, we have appointed an internal Information Security Officer (ISO) as well as engaged an external Data Protection Officer (DPO) who reports directly to the CEO. Data Protection and Security is a fixed topic on the agenda for all our 6 board meetings throughout the year.
 
The person appointed as DPO has deep knowledge of, and experience in, data protection and is the main person in charge of any data subject or privacy matter. The DPO supports Adonis’ privacy “practice”; all corporate decisions regarding privacy are governed by the Board.
 
The appointed ISO has the main responsibility internally for supporting the business management in information security issues, and for being the driving force and facilitator for establishing and implementing internal audits in regards to information security throughout the business.

Adonis' roles

The GDPR defines two roles that are subject to different legal obligations:
• The Controller: a legal unit or similar that determines the purposes and means of the processing of personal data
• The Processor: a legal unit or similar that processes personal data on behalf of the Controller.
 
The nature of our business makes us both Controller and Processor. Thus, Adonis must comply with legislation pertaining to both of these roles. We are a Controller when we process our own employee data, and data on customer contacts/users.
 
We are a Processor when we provide cloud services (SaaS) or other hosted IT services to our customers, and occasionally when we provide consulting services.
As a vendor of software that customers install and operate themselves, we are not considered a Processor. When Adonis acts as Processor or software vendor, the customer using the service/software is the Controller.
The next sections will explain what Adonis is doing to comply with the GDPR per the Controller and Processor roles.
 

Data Controller Preparations

Adonis processes data about employees and customer contacts/users. On occasion, we may also process data about others, which is standard for a software business. Our main focus is on making sure we are compliant and transparent. It is imperative that we enable our employees and customer contact persons to understand why, what, when and how their personal data are processed. Customer contacts will find this information in our Privacy Statement.
 
As a Controller, Adonis maintains catalogues of our processing activities, which are the core of our internal control system. These catalogues describe why, how and when we process personal data. This work is done on a legal unit level (Adonis subsidiaries) supervised by the DPO, and is based on corporate policies and guidelines promulgated by the Board.
We also ensure that all data protection agreements (DPA) with subcontractors are sufficient in terms of protecting the rights of data subjects, and are in compliance with provisions for transfer of data outside the EU/EEA, as set out in the GDPR.
Using the power of digital marketing technology is key to Adonis going forward. This involves creation of interest profiles that make sure that only relevant information is presented to stakeholders. Adonis protects the rights of persons exposed to this by explaining what we do to ensure the legal grounds for processing personal data for this purpose. In so doing, we make it easier for stakeholders to adjust their interest profiles, as well as to withdraw consent.


Data Processor Preparations

Adonis provides a range of cloud-based software (SaaS) to our customers, as well as hosting and consulting services. In such situations, with the exception of when we engage a third party consultant, Adonis is a Processor. This means that Adonis is responsible for only processing the personal data as instructed by the Controllers (the customers). Since most of our software is delivered in a one-to-many relation, giving the Controllers (the customers) the ability to continuously give us instructions on how to process their personal data is not feasible. This underscores the importance of agreeing with the Controller (the customer) on what these instructions are, typically expressed in a dedicated DPA.
When a customer hires a consultant from Adonis and his/her work is supervised by the customer, Adonis is not a Processor; because of this, a DPA is not necessary. However, depending on the nature of the assignment, it may be wise for the parties to enter into a non-disclosure agreement.
As a software vendor, we also take responsibility for certain aspects that the Controllers themselves will have difficulty controlling. This will typically include the design of the software regarding features for correcting and erasing personal data, and implementation of information security measures to protect data confidentiality, integrity and availability.

Being a provider of cloud services also means that we use a range of subcontractors to deliver the services, which imposes certain transparency obligations and requires that sufficient data processing agreements are in place. We do this to ensure privacy and trust throughout the chain of companies involved in processing our customers’ data. Adonis’ business is based on earning and maintaining this trust from our customers.
 
Our efforts to make sure that we are compliant as Processor are based around these initiatives:
• Assessing our cloud services against the Privacy by Design and Default principles set out in the GDPR.
• Making Privacy Impact Assessments for all products/services designed to process sensitive personal data.
• Preparing for increased transparency with respect to use of subcontractors and security breach incidents that may occur.
• Ensuring that agreements with our subcontractors and partners commit them to GDPR preparations and compliance.
• Entering into a DPA with all customers.

The Privacy pages on www.adonis.no will be continuously populated with the information our customers need to document their processing activities as a Controller. In summary, this information seeks to outline the privacy capabilities of our cloud services and software products. The aim is to enable Controllers (our customers) to fulfill their duties according to the GDPR in order to safeguard privacy when using Adonis to process personal data on their behalf.
 
Upon request, a customer may access more detailed privacy information, particularly on security measures that have been applied and agreements with subcontractors. Such requests may be subject to fees and non-disclosure agreements.
 

Other preparations

Adonis believes that awareness and competence among all our employees will significantly improve our ability to comply with the GDPR and safeguard privacy for customers and Adonis. In order to increase awareness and understanding, we are developing internal programs on privacy that will be mandatory for all Adonis employees to complete in the course of 2018. These courses will also be included in the onboarding process for new employees.
 

More information on GDPR?

If you are looking for general information regarding processing of personal data by Adonis, visit adonis.no and read our Privacy Statement.
If you represent a customer and need more information regarding data protection around software products/services, you can also find it here.
If you have questions directly related to a data protection agreement with Adonis, you should reach out to your primary business contact at Adonis.
All other inquiries should be sent to privacy@adonis.com. We will respond to such inquiries as soon as possible and prioritize them based on urgency in terms of risk to data subjects.