GDPR FAQ

Data protection laws are evolving continuously, and Concentrix is committed to protecting Personal Information through its well-established and maintained Privacy Program, driven by the Data Privacy and Protection Office (DPPO). Keeping in mind the new General Data Protection Regulation (GDPR), Concentrix has prepared this FAQ to briefly describe the steps Concentrix is taking to comply with the GDPR as a Data Controller and as a Data Processor. It also gives you insight into the features you may want to leverage when preparing for your own compliance.

1. What is GDPR?

General Data Protection Regulation. The legislation aims to enhance data privacy protection for European Union (EU) and European Economic Area (EEA) [28 member countries of the EU plus Norway, Liechtenstein, and Iceland] (herein collectively referred to as “EU”) citizens and residents.

Here is the regulation: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016

2. What is the territorial scope of GDPR? Whom does it affect?

GDPR applies globally to all establishments of a controller or a processor, whether located within the Union or outside of the European Union, if they offer goods and services or monitor the behaviour of EU data subjects when in the Union.

3. Where can I find a copy of the GDPR?

http://eur-lex.europa.eu

4. What is the type of work meant by processing personal data?

Examples of the type of work include, but are not limited to: hosting, encrypting, decrypting, examining, modifying, storing, retrieving, destroying, deleting or erasing EU personal data. These activities can be manual, automated or semi-automated.

5. What are examples of EU personal data?

Some examples of personal data include, but are not limited to: an EU citizen’s email address, phone number, name, workplace or any other ID (Twitter ID, Skype ID, etc.), which can usually be found in everyone’s email signature.

6. Will GDPR require any changes in the Concentrix Service?

Concentrix has been proactively adopting the changes which GDPR has brought in. Concentrix has updated its Data Privacy and Protection Program. A special task force – “Concentrix GDPR Core team” has been established at Concentrix, which is working on all the new requirements of GDPR (privacy by design and default, breach notification, data subject rights etc.). The GDPR core team will reach out to you for any specific actions required of you or your team.

7. How does Concentrix meet the GDPR’s Data Subject Personal Data Access Requests requirement?

Concentrix has established an Access Request process elaborating on the various rights of the data subject. Concentrix has defined channels for data subjects to register their requests, which shall be responded to in a timely manner with a clear response (including for rejection of any requests). Concentrix has appointed a Data Protection Officer, responsible for monitoring compliance with the various requirements of GDPR.

If Concentrix receives a data subject request as a data processor, it will act on the data subject request according to the clauses mentioned in the contract with the client (Data Controller).

8. How will Concentrix employees be trained in Privacy and Security including the GDPR?

All employees are required to take a mandatory online training course on information security and data privacy. Concentrix is also providing specialised sessions on GDPR to all required employees and other stakeholders.

9. How does Concentrix assist its Clients with their GDPR obligations?

Other than meeting its own GDPR obligations as a Data Controller, Concentrix will take all necessary actions as a Data Processor and assist its clients with specific contracted requirements with respect to GDPR.

10. How will Concentrix comply with the GDPR’s personal data breach notification requirements?

Concentrix has an established IT Security, Data Incident and Fraud Management process, which is updated to include GDPR breach notification requirements.

Concentrix will adhere to mandatory breach notification timelines specified in GDPR.

As a Data Processor, Concentrix will notify clients as per contractually agreed terms and will assist its clients in meeting the GDPR requirements.

11. How is Concentrix addressing the GDPR data processing agreements including transfer requirements?

Concentrix has a well-established mechanism to legitimize data transfers outside the European Economic Area (EEA) and transfers within the EEA: Concentrix to Concentrix, Clients to Concentrix, and Concentrix to its Suppliers (including sub processors).

To protect data in such cases and fulfil the data transfer requirements as per GDPR, Concentrix has drafted the Standard Contractual Clauses. The Standard Contractual Clauses are model contracts published by the European Commission designed to facilitate transfers of personal data from the European Economic Area to other countries.

12. What steps will Concentrix take to comply with the GDPR’s Article 30 requirements to maintain a record of processing activities?

Concentrix’s own processing activities (including category of information and technical & organizational controls) are documented in the Data Flow Diagrams (DFD). Client and Supplier specific processing activities (including category of information and technical & organizational controls) are documented in the Service Agreements (Master Services Agreement and Data Processing exhibit).

Concentrix has developed an Information Security Management System, including a Privacy program, to define the technical and organizational controls for management of information.

The Concentrix Information Security Management System (ISMS) is structured and developed by adopting international standards like ISO 27001:2013, ISO 22301:2012, PCI DSS, HITRUST CSF and Data Protection Acts or other legislative requirements like HIPAA, FFIEC, etc.

13. What about Data Subjects under the age of 16?

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

14. How does Concentrix evaluate the GDPR Compliance requirements?

Concentrix understands the importance of GDPR in the industry and closely monitors its compliance with the same. Concentrix also takes into consideration any Member State Law which may be applicable to Concentrix. Concentrix undergoes internal and external reviews / audits for ISO 27001:2013, ISO 22301:2012, PCI DSS version 3.2 and is certified for these standards.

15. Does the GDPR require EU data to stay in the EU?

The GDPR permits EU data transfers to third countries subject to compliance with set conditions, including conditions for onward transfers.

16. What does GDPR mean by “data protection by design and by default”?

Data protection by design and by default means that the Data Controller, both at the time of the determination of the means for processing and at the time of the processing itself, implements appropriate technical and organisational measures, which are designed to implement data-protection principles.

It is ensured that only personal data which is required is collected, and that only personal data which is necessary for each specific purpose of the processing is processed.

17. Has Concentrix appointed a DPO?

Yes, Concentrix has appointed Audrey Costes, Global Corporate Compliance Leader as DPO. She can be contacted at [email protected]

 

FAQs for Concentrix Suppliers:

1. How do I know if GDPR applies to the work my company performs for Concentrix?

Concentrix will send you a GDPR communication package. If you have any doubt as to whether your company’s services fall under GDPR, contact your Concentrix Procurement Representative or [email protected]

2. Is the GDPR contract a standalone document or an amendment to agreements my company has already signed with Concentrix?

This agreement amends all agreements between Concentrix and your company in which your company processes EU personal data. It is a standalone document so our companies can easily access GDPR obligations for different engagements.

3. Is there any follow-on activity after the contract is put in place?

Yes. GDPR compliance has several components. Your company will have to take several steps to ensure GDPR compliance, including but not limited to complying with technical and operational measures to protect EU personal data, monitoring your company’s compliance and ensuring GDPR compliance for your sub processors. You are obligated to perform these actions to remain compliant with GDPR and obligations under the DPA. Concentrix will contact you regarding additional Concentrix Supplier GDPR requirements.