The General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a new EU law which affects all organisations that hold and process the personal data of individuals in the EU, wherever those organisations are based. 

In compliance with the General Data Protection Regulation (GDPR), we are responsible for protecting the personal data we collect from our clients upon sign up (name, email, address, password, billing data). We must also ensure that the data our clients host on our servers while using our services is protected. We collect, store and work with our clients’ data in a legitimate way and we want to inform you of how we do this. We would also like to be transparent, in our role as a processor, about the way we store the data our clients host on our servers. 
 
1. Terms of Service And Privacy Policy Updates 
The GDPR requires us to inform clients what data we collect about them and to state the lawful basis on which we use it. We only collect the minimal amount of personal data required to deliver the hosting service to your company. We collect your physical address for invoicing and tax purposes, and your email address to contact you about our service, your orders and important information relating to your business with us. We never use any of the data collected for profiling or secondary purposes, and we do not sell it to anyone. 

In conformance with the GDPR requirements, our new Privacy Policy will fully describe why and how we collect and process your personal information. As our client you can validate that we handle this information carefully and responsibly. 
 
2. External Service Provision 
Some of the services we provide to customers include services from external partners, such as Godaddy, Fasthosts, CDN77, Platinum Server Management, Amazon AWS S3 storage and myJoomla. Some, but not all, of these services either require client data, or require that client data is stored in a password-protected, encrypted file (for example, in the case of backups). 
 
3. Internal Procedures and Access-Control 
In line with the GDPR we are auditing and enhancing our security, access control and data storage provision. We are adding new procedures where the new regulation requires them. For example, we are implementing stronger authentication for access to sensitive data, and for the access we hold to third-party services used by the client, e.g. domain registrars and Mailchimp.  
 
4. Mitigating Data Breach, Our Commitment to System Security
We employ third party specialists, Platinum Server Management to provide 24 x 7 x 365 server management and monitoring of our web servers.   

Through our server management contract with Platinum Server Management we closely monitor for unauthorised system access and put multiple preventive measures in place to mitigate the risk of cyber attack. Server systems are regularly updated for this purpose. Some sites also feature an auto-banning protection system that actively blocks users/IPs detected behaving against defined rules. 

We implement the level of security we deem appropriate for the site we are managing, based on our experience. However, if a client requests a higher level of security, such as 2-factor authentication on their website, IP blocking, etc., we can provide a tailored security solution appropriate to their data needs. 
 
5. Data Protection by Design and Data Protection Impact Assessments
Security and protection of clients’ data is our primary priority. Whenever we develop a new system, security is the first design principle of its architecture. Our first goal is to protect the integrity of the new production system. Our second goal is to protect the customer data that is stored and used by that system. 
 
6. New Data Processing Agreement 
Many of our clients operate using the personal data of their own customers. For example, they take orders, collect emails through sign-up forms, process credit cards, and more. Our client controls their customers’ data and how this data is collected and used. Haywood Sener stores this data on our servers and therefore takes part in its processing. The new data processing agreement will restrict our processing of that data to the purposes of delivering the hosting service and resolving technical inquiries, and no other secondary functions. This has always been the case. In providing services to our customers we are committed to being a trusted partner, adhering to the principle of transparency, and meeting our obligations under the GDPR. 
 
7. Right to be Forgotten
Under the GDPR every client can request “to be forgotten”, meaning all their personal data has to be deleted and never used again, except in certain circumstances, which may include having to keep processing your personal information to comply with a legal obligation. An example of such an obligation is the requirement to keep a copy of all invoices to comply with financial and tax legislation. We will comply with and act on our clients’ right to be forgotten on receipt of a written request to our contact email address. 
 
8. Privacy Policy
We are developing a new Privacy Policy to detail how we process your personal data. As our client, you will have transparency on the data we store about you, how you can update it and, where we rely on your consent for processing the data, how you can withdraw that consent. Our use of your personal information is necessary to perform our obligations under our service provision to you. We currently do not send marketing information or promotional offers, but if we were to do so in the future we would ask for your specific consent. 
 
9. Where Are We Now? 
In line with the GDPR, we will be releasing updated versions of our Privacy Policy, Terms of Service, and a Data Processing Agreement by May 22nd 2018. We are also communicating to our clients their own data compliance obligations under the GDPR.