General Data Protection Regulation

The General Data Protection Regulation (EU) 2016/679 (also known as the GDPR) is a new data protection law adopted by the European Union (EU) set to replace the existing Data Protection Directive 95/46/EC and designed to strengthen data protection for all individuals within the EU and harmonize data protection and privacy laws for companies doing business in Europe. The GDPR was adopted on April 27, 2016 and went into full effect in May 2018. GDPR:

  • Strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data.
  • Expands the rights of EU data subjects and creates new rights.
  • Seeks to replace the existing patchwork of national data protection laws with a single set of rules, directly enforceable in each EU member state.
  • Reaches beyond Europe, as it applies to any entity that processes personal data tied to offering goods or services to, or monitoring behavior of, individuals in the EU, regardless of where the data is processed or stored.

Both data controllers and data processors are liable for violations, which can result in steep fines of up to €20 million or 4% of global annual revenues, whichever is higher.

The full text of the GDPR can be found here. For more information, please visit the EU Commission’s GDPR website at this link.

What ConnectWise Has Done to Comply With GDPR

ConnectWise has taken steps to align business practices, processes and policies with the GDPR’s data protection obligations to help us and our customers meet compliance before the GDPR’s implementation date.

ConnectWise is also certified to the EU-US Privacy Shield, which ensures that we can transfer personal data outside the EU in compliance with the GDPR’s data transfer requirements. You can see our certification on the U.S. Department of Commerce’s Privacy Shield website at this link. We have also invested considerable time and resources to ensure GDPR compliance across all of our products and services when GDPR takes effect. These investments included a comprehensive review of all our business relationships, products, services, and data handling practices, including but not limited to the following:

  • The creation of Data Privacy Impact Assessment (DPIA) and Data Flow Diagrams for the data in our products and services
  • The review and updating of contractual agreements and renegotiate terms as necessary to align with the GDPR.
  • The review and updating of corporate privacy policies and privacy notices.
  • The review and updating data-driven products and services.
  • The preparation of a strengthened incident response process to ensure compliance with the GDPR’s data breach reporting obligations.

Additional information about ConnectWise’s data collection policies and GDPR compliance efforts is available below.

Data Collection and Usage Overview

ConnectWise processes personal data collected through ConnectWise services and our website to provide the greatest possible service to users and customers, deliver positive web experiences and operate our business. Personal data is generally collected in the following forms: personal contact information, device-related information, web-based cookies or similar technologies, and commercially available information.

In particular, ConnectWise collects both personal contact and company information via our website ConnectWise.com, including first and last name, address, and email address. In addition, if users choose to communicate with us via a web form, email, or by telephone, we may retain the content of those communications together with email addresses or phone numbers and our responses. We use the information we collect, including personal data, to respond to any requests or queries directed at us, to provide customers with products or services, including technical support, to manage our relationship with our customers, for direct marketing purposes, internal and service-related efforts, and anonymous analysis and aggregation activities.

Information is also collected on our website via cookies, which can be used to further enhance web experiences and respond to requests for information. Additional information about cookie usage is available here.

We do not rent, sell, or share Personal Data collected through our services or ConnectWise websites with other people or nonaffiliated companies for their direct marketing purposes.

More information about our collection and usage of personal data is available in our Privacy Policy.

Right to Be Forgotten

When you visit ConnectWise’s website (https://www.ConnectWise.com), enter your data in a form, and provide your consent, ConnectWise will store that data to facilitate communication between you and ConnectWise. In all marketing communications, you have the option to stop receiving email from ConnectWise by clicking the unsubscribe or manage preferences link at the bottom of the email—this will remove you from any future ConnectWise marketing communications but will not remove your information from our database. To remove information from our database, you must send an email request to Privacy@ConnectWise.com with REMOVE MY DATA in the subject line and the following details in the body of the message:

  • First Name
  • Last Name
  • Email
  • Phone Number (if you initially entered it in the form)

ConnectWise will work to ascertain the validity of the request; our assumption is that you have maintained control of your email account and that the request is sent in good faith. A member of ConnectWise’s team will check the information you provided against the records in our database. If the information matches, we will reply and confirm that we are going to delete your records within 30 days. After that reply, you will receive no further communication from ConnectWise.

Please keep in mind that we will have no way to contact you after we delete the original email. You must either contact ConnectWise directly or re-enter your information into a form on our website at https://www.ConnectWise.com in order to be added back into our systems.

GPDR IMPACT FOR WEBSITE VISITORS

To ensure GDPR compliance by its implementation date, ConnectWise has taken steps to optimize our web properties in the following areas:

  • Consent – We have enhanced the user experience across our web properties to ensure we are protecting the rights of data subjects in the EU by obtaining consent prior to the collection of personal data where required by law.
  • Vendor Compliance – We have worked with each of our third-party vendors to ensure their compliance with GDPR.
  • Transparency – We have reviewed and updated our policies to ensure that they meet the GDPR’s enhanced transparency requirements.

GDPR IMPACT FOR CONNECTWISE PARTNERS

ConnectWise handles personal data of both ConnectWise’ partners, which may include a name, company name (to the extent it identifies an individual), address, and email address, and potentially our partner’s end-customers. We use the information we collect, including personal data, to respond to any request or query directed to us, to provide users with our products and Services and to manage our relationship with partners.

GDPR IMPACT FOR CONNECTWISE EMPLOYEES

ConnectWise handles personal data of employees, which may include a name, address, email address, date of birth, and tax or government ID. We use the information we collect, including personal data, for tax, payroll, insurance, and other purposes related to managing benefits and communicating with employees. In addition, ConnectWise’s HR teams share personal data with third-party benefit providers for the purpose of extending corporate benefits to our employees and their families.

Frequently asked questions

We know that many organizations have questions about the GDPR and their obligations under the GDPR. To help you on your compliance journey, we have outlined a few of the notable provisions of the GDPR below. This document discusses in general terms the EU General Data Protection Regulation (GDPR) and does not provide legal advice. We urge you to consult with your own legal counsel to familiarize yourself with the requirements that govern your specific situation.

What is the GDPR?

The EU General Data Protection Regulation (“GDPR”) is a comprehensive data protection law that updates EU data protection laws to strengthen the protection of “personal data” (any information relating to an identified or identifiable natural person, so called “data subjects”) in light of rapid technological developments, the increasingly global nature of business and more complex international flows of personal data. It puts in place a single set of rules, directly enforceable in each EU member state. The GDPR took effect on May 25, 2018.

If you are processing personal data in the context of an organization established in the EU, the GDPR applies to you, regardless of whether you are processing personal data in the EU or not. “Processing” means any operation performed on personal data, such as collection, storage, transfer, dissemination, or erasure. If you are not established in the EU, the GDPR applies to you if you are offering goods or services (whether paid or free) to EU data subjects or monitoring the behavior of EU data subjects within the EU. Monitoring can be anything from putting cookies on a website to tracking the browsing behavior of data subjects to high-tech surveillance activities. Under European data protection laws, organizations processing personal data are divided into “Controllers”, or the entities which control the personal data, and “Processors”, the entities that process personal data only on the instructions of the Controllers. The GDPR applies to both Controllers and Processors.

The GDPR changed former EU data protection laws in several ways: 

  1. Expanded definition of “personal data”: The GDPR expands and clarifies the concept of personal data. While the basic concept of personal data largely remains the same, the GDPR makes it clear that location data and online identifiers, such as IP addresses, are considered personal data. The GDPR also expands the concept of “sensitive personal data,” which is more highly regulated, to include genetic data and biometric data. 
  2. Expanded and new rights for EU individuals: The GDPR provides expanded rights for EU data subjects such as: 
  • Deletion: This right is sometimes referred to as the “right to be forgotten.” The data subject has the right to require that the Controller erase personal data about him or her in certain conditions, including if the personal data is no longer necessary for the original purpose of the processing or if the data subject withdraws consent for the processing. 
  • Restriction: Under the GDPR, a data subject has the right to obtain from a Controller a restriction on the processing of personal data in certain circumstances, including if the data subject contests the accuracy of the personal data. A restriction on processing means that the data may be stored but cannot be further processed. 
  • Portability of personal data: Data subjects also now have the right, in certain circumstances, to receive the personal data that they have provided to a Controller in a structured, commonly used and machine-readable format. ConnectWise’s data processing addendum reflects these expanded and new rights. 
  1. Security measures: The GDPR requires Controllers and Processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented. At ConnectWise, we have robust security measures in place. We have our security certification from the American Institute of CPAs’ (AICPA) System and Organization Controls (SOC) report covering the trust service criteria of security, confidentiality, and privacy. 
  2. Breach notification: The GDPR requires organizations to report certain personal data breaches to the relevant supervisory authority, and in some circumstances, to the affected data subjects. Controllers must notify the relevant supervisory authority “without undue delay” (and where feasible, within 72 hours of having become aware of it), unless the breach is not likely to present any risk to the rights and freedoms of the data subjects concerned. If circumstances require it, Controllers may also be required to communicate the data breach to data subjects. Processors, for their part, are required to notify Controllers “without undue delay” after becoming aware of a personal data breach. ConnectWise’s data processing addendum reflects this new obligation. 
  3. Data Protection Impact Assessments (DPIA): Where certain processing is likely to be classified as “high risk” to data subjects, the Controller may be required to carry out a data protection impact assessment identifying the impact of the proposed processing operations on the personal data. ConnectWise’s data processing addendum reflects this obligation. 
  4. International transfers: European data protection laws restrict the transfer of personal data outside the EU unless there are appropriate safeguards in place to protect that data. The GDPR continues to recognize current mechanisms (e.g., EU standard contractual clauses, EU Commission adequacy decisions, etc.) for legally transferring personal data outside of the EU. 
  5. Consent: Consent is subject to additional requirements under the GDPR. The GDPR defines consent as “any freely given, specific, informed, and unambiguous indication of a data subject’s wishes through a statement or clear affirmative action.” The concept of consent is used throughout the GDPR as a means to legitimize certain processing activities from a legal perspective. 
  6. Transparency: The GDPR requires that Controllers provide data subjects with information about their processing operations at the time when personal data is collected. This information includes the identity and contact details of the Controller, the contact details of the data protection officer (if relevant), the purposes and the legal bases for the processing of the personal data, the recipients of the data, and a number of other fields to ensure that the personal data is being processed in a fair and transparent manner. In addition, Controllers are required to provide information to data subjects even in circumstances where the personal data has not been obtained directly from the data subject. 
  7. Profiling: The GDPR introduces the concept of “profiling” or any form of automated processing that uses personal data to evaluate personal aspects and in particular to analyze or predict aspects relating to an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Data subjects must be informed of the existence of profiling and any consequences of the profiling. 
  8. Enforcement: Fines for non-compliance under the GDPR can be substantial. Supervisory authorities have a number of enforcement powers under the GDPR, including the ability to fine organizations up to €20 million or 4% of annual global turnover, whichever is higher. These are maximum fines, and it remains to be seen how supervisory authorities will use these enforcement powers.

Fact versus Fiction

This document discusses in general terms the EU General Data Protection Regulation (GDPR) and does not provide legal advice. We urge you to consult with your own legal counsel to familiarize yourself with the requirements that govern your specific situation.

One of the main challenges for organizations is getting the resources to sort through the facts, and the fictions, of the GDPR. You may have come across contradictory information about what the GDPR requires. With that in mind, ConnectWise put together this document to help reduce some common misconceptions around the GDPR.

Fiction: Processing European personal data requires the consent of the data subject.

Fact: There are six available lawful bases for processing. Consent is only one of them. For instance, personal data can also be processed:

  • when necessary, for the performance of a contract to which the data subject (the individual whose data is processed) is a party;
  • when there is a legal obligation to process the data (such as the submission of employee data to a tax authority); and
  • on the basis of legitimate interests, such as commercial and marketing goals. The legitimate interest must, however, outweigh any detriment to the privacy of the data subject.

The GDPR does not require information to be stored in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally, require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (Articles 44-50). The CJEU has recently confirmed the validity of the European Commission’s standard contractual clauses as a legal mechanism for the transfer of EU personal data but invalidated the EU-US Privacy Shield framework. ConnectWise’s customers can use our services, relying on the European Commission’s standard contractual clauses which are already included in our Data Processing Addendum.

The GDPR requires organizations to take technical and organizational security measures which are appropriate to the risks presented. Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. In other words, encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated in every instance.

The right to have one’s data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It has a limited scope and is subject to certain limitations. In most cases, when considering a request for deletion several relevant factors should be taken into account; this right will not apply, for example, if the processing is necessary for compliance with a legal obligation.

Fact: A data protection officer is required by the GDPR only when one of the following applies:

  • the organization is a government institution
  • the organization processes certain sensitive types of data (such as data on health or religion) on a large scale as part of its core activities; or
  • the organization systematically monitors people (for example, via cameras, or software which tracks internet behavior) as part of its core activities.

Fact: A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimize the data protection risks of a project. Under the GDPR, a DPIA is necessary only for processing that is likely to result in a high risk to individuals, such as the following:

  • large-scale processing of certain sensitive types of EU personal data, such as data concerning a person’s health
  • systematic and extensive automated decision-making which produces legal or similarly significant effects on individuals, such as the use of fraud detection software; or
  • systematic and large-scale monitoring of public space (for example, with cameras).

Fact: Profiling of EU individuals and automated decision-making involving EU personal data are not prohibited, but these processing activities may be subject to certain conditions. In particular, when decisions which legally or similarly significantly affect an individual are made automatically, the data subject:

  • must be given meaningful information about the underlying logic, and about the significance and potential consequences for them; and
  • must in some cases have the ability to require that a human being is involved in the process.

A DPIA may also be required.

Fact: Regardless of where an organization is established, the GDPR applies to EU personal data which is processed in the context of:

  • offering goods and services (whether paid or not) to people in the EU; or
  • monitoring the behavior of people in the EU, for example by placing cookies on the devices of EU individuals (Article 3(2)).