General Data Protection Regulation (GDPR) – Nectar Data Privacy Statement
The European Union’s (EU) General Data Protection Regulation (GDPR), passed by the EU Parliament, went into effect on May 25, 2018, and is focused on the security of EU citizens’ personal data, wherever that data is stored. GDPR defines entities that gather personal data for any business purpose as Data Controllers – who must implement all of the GDPR requirements. By this definition, Nectar Services Corp. (Nectar) is not a Data Controller; however, Nectar is considered a Processor. Data Controllers may outsource some processing functions, such as data storage and transmission, to third parties known as Processors, but not their responsibility for the security of personal data and for monitoring entities that process the personal data.
Nectar has taken all required internal and external steps necessary to become GDPR compliant, including successfully subjecting its proprietary software and platform to outside third-party GDPR Audit Compliance Testing. Nectar is compliant with the protection of personal data under the GDPR.
In addition to the EU’s GDPR data protection regulations, there are other domestic and international laws and regulations affecting personal data that either exist or are anticipated to be enacted. In that regard, Nectar has adopted high standards for protecting the personal data of individuals with whom it does not have a direct business relationship, such as personal data processed by the systems of its corporate clients that Nectar is either operating or supporting. Nectar employees and contractors will only process personal data when they are explicitly instructed to do so, in writing, by the corporate client, and they will strictly follow the instructions of the corporate client. Under no circumstances will Nectar employees or its contractors attempt any of the following actions involving personal data without the prior written consent and instructions of the corporate client, to wit:
- Seeking access to personal data that they are not authorized to access;
- Asking for or opening computer files, messages, or other media that may be expected to contain personal data;
- Sharing screens that display personal data with unauthorized individuals;
- Providing personal data in computer files, messages, or other media to unauthorized individuals;
- Letting unauthorized individuals participate in video-conferences where personal data is shared, or is expected to be shared;
- Letting unauthorized individuals gain access to personal data or otherwise involving them in personal data processing;
- Recording video-conferences or making copies of personal data in any other way;
- Accessing production databases, systems or log files;
- Altering or destroying files, databases or printed documents that may contain personal data;
- Starting or stopping computer systems that are involved in personal data processing; and
- Altering security, access control or permission mechanisms in a way that changes the exposure of personal data.
When Nectar employees and/or contractors engage in the processing of, or are exposed to, personal data that they thereafter realize they are not authorized by the corporate client to process, such employee or contractor will immediately terminate the processing (terminate screen sharing, stop examining computer files, and perform other actions as appropriate) and will inform Nectar’s designated Data Protection Officer of the unauthorized processing.
Nectar’s corporate clients, as Data Controllers, are responsible for:
- Defining specific, explicit and legitimate purposes for data collection;
- Depending on the type of data, obtaining explicit consent or unambiguous consent from data subjects;
- Minimizing the amount of personal data collected or processed;
- Maintaining, correcting or protecting the integrity of the personal data;
- Defining and implementing appropriate data retention periods;
- Implementing appropriate security controls to protect personal data under their control; and
- Determining if existing agreements provide sufficient processing instruction and data protection.
Nectar’s Data Center sites undergo annual third-party audits against various compliance frameworks that focus on the security and availability of the Data Center Services system. Their audit status and compliance requirements are part of the Service Level Agreement with Nectar. Nectar’s corporate clients will need to determine whether their own setup and controls meet GDPR requirements.
If you have any questions, please send all inquiries to: DPO@nectarcorp.com