Vretta and the General Data Protection Regulation

Vretta considers data security to be our top priority and we are committed to maintaining the highest standards in accordance with established best practices and legal requirements. We strive to hold user data in a secure manner while helping them attain their educational goals.

As you may already be aware, on May 25, 2018, a European privacy law, the General Data Protection Regulation (GDPR) will come into effect and Vretta is fully committed to adhering to the regulation. We are currently in the process of working with our legal and engineering teams and also with our clients and vendors to be compliant by the deadline.

For your reference, we have compiled the following information providing you with an overview of our current data policy and answers to frequently asked questions regarding the GDPR. If you have any questions, feel free to contact our Data Protection Officer at dpo@vretta.com.

What is the General Data Protection Regulation?

The GDPR is a strong move forward in the protection of data across the European Union. Effective May 25 2018, it will replace the existing EC Data Protection Directive (EC/95/46), bringing new legal rights for individuals, extending the scope of responsibilities for data controllers and data processors while enhancing the regime for enforcement.

The new regulations in the GDPR enhance the protection of personal data (any information that can identify a person, from names and emails to identification numbers). Personal data of a more sensitive nature (such as ethnicity or sexual orientation) is given even higher protection in the GDPR and requires stronger grounds to collect.

The GDPR applies to any organization that collects personal data from an individual residing in the European Union. This means individual rights are protected no matter where the organization is located. The right of consent has also been strengthened. In order to acquire personal information, consent must be an active process, separate from other processing, involving clear and plain language.

What are your rights under the GDPR?

In addition to regulating the behavior of organizations, the GDPR also grants new rights for individuals. These rights aim to give individuals more control over their data and how it is processed. The information below should help individuals familiarize themselves with what rights they have under the GDPR:

  • The right to be informed: Individuals have the right to know what kind of processing is happening to their data, commonly described in a Privacy Notice.
  • The right to access data: Organizations must be able to, free of charge, confirm that an individual’s data is being held as well as notifying them of the type of data.
  • Rectification or correction of inaccuracies: If any personal data is either inaccurate or incomplete, an individual can request this to be fixed.
  • Restricting the processing of personal data: If an individual feels the processing of their data is either inaccurate or unlawful, they have the right to stop processing activities.
  • Data portability: Individuals have the right to move their data from one organization to another, without any loss of usability.
  • Objecting to processing activities: Individuals can object to their personal data being used for scientific or historical research, direct marketing, processing based on official authority, legitimate interests or in the public interest.
  • The right not to be subject to automated decision-making: Individuals have the right not to be subject to profiling. Organizations may not analyze an individual’s personal information to predict their economic situation, health, location, or personal preferences.
  • Erasing personal data: Individuals have the right to have their data erased if the data was processed unlawfully, if they withdraw consent, or if their data is no longer necessary for the original purpose in which it was collected.

What is Vretta’s role as outlined by the GDPR?

The GDPR distinguishes two important roles that classify what an organization must to do comply with the regulation. Our clients and partners decide the purpose and method of data processing and are therefore considered data controllers. Vretta is considered a data processor since we process the data on behalf of the data controller, as per its instructions.

How is data currently being managed at Vretta?

We have implemented rigorous safeguards to protect your data. We maintain an encryption configuration necessary to achieve an ‘A’ grade on Qualys SSL Labs Report. All personal data is kept strictly confidential, meaning only those authorized for access may process it and we only process personal data as per instructions from our data controller.

We have established protocols to handle data processing. Just as we guarantee the confidentiality and security of data, you can be assured that at the end of our service any personal data processed will be erased. Additionally, should a data breach occur, we will immediately report the event and its details to our data controller upon its identification

We have a team of highly specialized data personnel responsible to process data and to ensure that we are fully compliant with data protection regulations. Our data team monitors data integrity, accuracy and confidentiality and performs regular security reviews. The team keeps a record of all processing activities. When an inaccuracy is discovered the data is updated without undue delay.

Our Data Protection Officer (DPO) keeps management updated on data protection responsibilities, risks and issues. Our DPO also deals with access requests and approvals of any contracts with third parties that may handle sensitive data. Since we handle large amounts of data on a regular basis, our DPO oversees our compliance with the GDPR.

What is Vretta doing to comply with the GDPR?

We are working with our legal and engineering teams to ensure that we are compliant with the GDPR by the deadline. We are also working with our customers to put GDPR compliant Data Processing Agreements in place prior to May 25, 2018.

Who do I contact at Vretta if I have any questions?

We are committed to ensuring the rights of individuals and organizations who work with us. If you have any questions or concerns, feel free to contact our Data Protection Officer at dpo@vretta.com.