Solvinity and the AVG / GDPR
As of 25 May 2018, all countries in the European Union apply the same privacy legislation. This legislation is contained in the Algemene Verordening Gegevensbescherming (AVG), also known under its English title GDPR (General Data Protection Regulation).
What is the AVG?
The Algemene Verordening Gegevensbescherming regulates three important issues: it offers better privacy protection, gives organisations more responsibility and grants considerable powers to all European privacy regulators. For individuals, this means that they have the right to inspect the data that is recorded about them at any time, change it and, if necessary, delete or transfer it. Organisations must provide a clear reason (basis) to keep such data, are obliged to handle this data with demonstrable care and must record all processing of that data. The privacy regulators have been granted the power to enforce these rights and obligations, among other ways by imposing fines of up to 20 million euros – or 4% of the company's global turnover, if that amount is higher.
The AVG and Solvinity
Since Solvinity has always taken data security very seriously, not much will change for us with the introduction of the AVG. Solvinity already complies with stringent data security standards, which are regularly checked by external auditors. Solvinity has also expanded the security team headed by our CISO (Chief Information Security Officer) with a Data Protection Officer (DPO), in accordance with the AVG requirements.
The main change for us is that we, as a processor of privacy-sensitive data, will now also record our data processing in accordance with the AVG requirements, and that we will adjust the agreements we have with our customers accordingly.
Solvinity has also made what are known as sub-processor agreements with data processing partners, so that the entire chain under our responsibility amply complies with the requirements set by the AVG. These adjustments are included in a new Processing Agreement that Solvinity offers to its customers.
The AVG and you
Customers of Solvinity are assured of a safe and stable environment that complies with stringent IT security standards, not just those issued by the EU, the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and NEN, but also by regulators such as the Authority for the Financial Markets (AFM), the Dutch Authority for Consumers and Markets (ACM), De Nederlandsche Bank (DNB) and the Dutch Data Protection Authority. Of course, Solvinity itself also complies with the AVG. Compliance with relevant laws and regulations is important for your own organisation to be able to offer your customers and employees the security that is necessary in this day and age.
Working with Solvinity does not necessarily mean, however, that you comply with all the requirements that the AVG stipulates for you, nor with all potential additional requirements for your specific industry. Although Solvinity has a key responsibility as a data processor, the customer has the final responsibility for the security of the data under its management. This final responsibility carries with it, for example, accountability. The collaboration with Solvinity is certainly part of that, but it does not release the customer from other responsibilities that are beyond Solvinity's view, reach and responsibility.
Solvinity recommends that you yourself contact parties that can provide legal counsel, so that you can comply with all the relevant laws and regulations of your specific industry. For the AVG, you can also make use of the 10-step plan that the Dutch Data Protection Authority offers online.