EU GDPR - FAQs*

Version: October 2019

Introduction

This set of FAQs highlights the key themes of the General Data Protection Regulation (“GDPR”) to help our customers, partners and vendors understand the new legal framework for protecting personal data in the European Union (“EU”). It describes the key requirements of the GDPR as well as Happay’s approach to them. We will continue updating this document so please check back for new versions we publish on this site or with your regular Happay contact.

    1. What is GDPR?
      1. The full text of the GDPR can be found at https://gdpr-info.eu/.
    2. When did the GDPR come into force?
      1. All companies that process personal data of people based in the European Economic Area must comply with the GDPR, which came into force on 25th May 2018.
    3. Does the GDPR apply to me?
      1. While the previous EU legislation (the 1995 EU Data Protection Directive) governed entities within the EU, the territorial scope of the GDPR is far wider in that it also applies to non-EU businesses who (a) market their products to people in the EU, (b) monitor the behaviour of people in the EU, or (c) conduct activities in the context of an establishment within the EU. In other words, even if you are based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
    4. GDPR – Important definitions
      1. Data Subject:

        Any natural person who lives within the territorial jurisdiction of the EU.

      2. Personal Data:

        Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info).

      3. Controller:

        A company/organisation that collects people’s personal data and makes decisions about what to do with it. So if you are collecting personal data and are determining how it will be processed, you are the Controller of that data and must comply with applicable data privacy legislation accordingly. Here, Happay is the controller of the data you collect in your Happay application.

      4. Processor:

        A company/organisation that helps a controller by “processing” data based on its instructions, but does not decide what to do with the data. Data processors have direct obligations and liabilities under the GDPR, and must be authorised by the data controller to use sub-processors.

      5. Joint Controller:

        Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

      6. Processing:

        Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

      7. Data Protection Officer (DPO):

        A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert.

      8. Data Privacy Impact Assessment (DPIA):

        A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing.

      9. Supervisory Authority:

        Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities).

      10. Third Countries:

        Countries outside the EU.

    5. Is there a GDPR certification?
      1. No, there is currently no GDPR certification issued by the European Commission. Happay will be monitoring any certifications that come out after the GDPR goes into effect and will certify to them, if it deems them to be appropriate.
    6. What is privacy at Happay?
      1. Happay (VA Tech Ventures Pvt. Ltd.) is a provider of business spend management solutions that streamlines the spend management workflow from end-to-end. We offer a suite of solutions including prepaid cards for business expenses, petty cash management, expense report automation, and travel and expense management through our application. Happay understands its commitments to data protection and privacy and is adopting adequate measures to ensure that personal data within our environment is secure and is collected, used, retained, and disposed of in compliance with GDPR.
        We engaged ERNST AND YOUNG LLP, India to carry out a gap assessment against the General Data Protection Regulation (EU GDPR) requirements and Generally Accepted Privacy Principles (GAPP). As part of the assessment, ERNST AND YOUNG LLP, India evaluated our privacy posture and exposure to personal data of our customers, vendors and employees. The initiatives to continuously improve our privacy posture are listed below:
        1. Privacy Governance Program
        2. Data Lifecycle management
        3. Security
        4. Data Subject Access Right Framework
        5. Data Minimization
        6. Privacy Organization
        7. Direct Marketing
        8. Incident and Breach Management
        9. Third party Compliance Framework
        10. Customer Contracts
        11. Training and Development
    7. What is considered personal data at Happay?
      1. Any information relating to an identified or identifiable natural person in the EU is considered personal data under the GDPR. An identifiable person is one who can be identified directly or indirectly, particularly by reference to an identifier such as name, email address, identification number, or location, as well as online identifiers such as IP address. In certain instances, the Happay SaaS/Card platform processes personal information such as name, email, mobile number, address, business title and other, generally business, contact information. These are called “categories of personal data”.
    8. As a Happay client, does the GDPR apply to me?
      1. Companies within the EU, or who process the personal data of EU residents in the context of providing goods or services, will need to comply with GDPR. As a Happay client collecting data via our Software-as-a-Service (SaaS) solutions, you are likely a joint data controller under the GDPR. Clients will need to evaluate their obligations under the GDPR, in part, based on: (1) the type of client data that you collect via Happay SaaS solutions, and (2) the legal basis on which you rely for the collection of this client data.
    9. In the case of Happay’s relationship with a Customer, who is Controller and Processor of the data?
      1. Unless explicitly clarified in an engagement, Happay will be the Joint Controller when a customer opts for the Software-as-a-Service (SaaS) solution, and the Controller when a customer opts for the Card Expense Management solution. Please refer to the definitions at the beginning of this document.
    10. Is it mandatory for Happay to provide EU hosting to its European customers to comply with GDPR?
      1. No, there is no obligation under the GDPR for data to be stored in the EU and the rules regarding the transfer of personal data outside the EU will not change. This means that, as long as the personal data is “adequately protected”, data may be transferred abroad.
    11. What steps has Happay undertaken to comply with new GDPR requirements?
      1. We understand the importance of personal data and have taken steps to protect and secure this information within the infrastructure of the Happay platform. We place the utmost importance on data protection and are committed to helping our customers comply with this new regulatory law. We have recently undertaken the following actions in connection with GDPR compliance:
        1. Modifying our products, where applicable, to reduce collection of personal data and ensure compliance with GDPR requirements for processing personal data. Making sure our data deletion practices comply with GDPR.
        2. Updating product design policies to ensure our engineers are building products with privacy principles in mind.
        3. Updating our privacy policies to keep our website visitors and customers informed of how we may collect and use their personal information.
        4. Entering into data processing addendums with current customers and vendors to reflect the parties’ GDPR security obligations and privacy requirements.
        5. Reviewing our marketing practices to ensure we are communicating with prospects and customers in a manner that respects their rights under GDPR.
        6. Reviewing our security practices to ensure that the personal data we process on behalf of our customers, through their use of our services, is adequately protected.
    12. How does Happay ensure that its vendors comply with GDPR?
      1. As part of its GDPR readiness program, Happay regularly reviews the privacy and security compliance of vendors that handle personal data on Happay’s behalf. We are also working to ensure that all contracts with vendors that process data are updated to comply with GDPR requirements, which includes reviewing and amending existing contracts with third parties to include clauses pertaining to data privacy and protection. We also perform periodic audits to ensure that third parties comply with our privacy policy and requirements.
    13. How does Happay ensure that its employees comply with GDPR?
      1. Happay has developed an annual security training program with GDPR content that is mandatory for all employees to complete. The training content and material is periodically reviewed and updated to include the latest privacy requirements applicable to us.
    *This page gives a broad overview of the GDPR and does not provide legal advice. We urge you to consult with your own legal counsel to discuss the requirements applicable to your specific situation.

Happay is a product of VA Tech Ventures. © 2019 VA Tech Ventures Pvt Ltd. All rights reserved.