General Data Protection Regulation (GDPR)
What is GDPR
The General Data Protection Regulation (GDPR) was approved by the European Commission in 2016 and went into effect on May 25, 2018. This legislation is the most significant piece of privacy legislation passed in the European Union in several years, and replaces a prior directive known as Directive 95/45/EC.
GDPR aims to substantially increase individual privacy protections of persons in the European Union and regulates how individuals and organizations may obtain, use, store, and remove personal data. Personal data, in this context, means "any information relating to an identified or identifiable natural person," including name, identification number, location data, and other online identifiers.
Under GDPR Chapter 2, Article 5, personal data:
- Must be processed lawfully, fairly and in a transparent manner to the person in question;
- Must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- Must be accurate and up-to-date;
- Must not be kept or stored longer than is necessary for the purposes for which the data was collected;
- Must be processed using appropriate security measures to ensure that data cannot be obtained by unauthorized or unlawful entities, and to ensure that the data is not lost or damaged.
- Syvantis GP Online™: Our hosted Dynamics GP products operate on hardware which is housed in Microsoft’s global Azure datacenter. We assist in managing the hosted environment on behalf of our clients.
- Office 365: All Office 365 environments are operated on hardware which is housed in Microsoft’s global Azure datacenter. When asked to do so, clients may request support to administer the service and manage subscriptions.
- Dynamics 365: All Dynamics 365 environments are operated on hardware which is housed in Microsoft’s global Azure datacenter. When asked to do so, clients may request support to administer the service and manage subscriptions.
- SendinBlue/Dynamics 365 Integration: SendinBlue products are housed on SendinBlue servers in France. Data may be transferred using an API that Syvantis manages between SendinBlue hardware and hardware which is housed in Microsoft’s global Azure datacenter, specifically to that client’s Dynamics 365 system. When asked to do so, clients may request support to administer the service and manage subscriptions.
- On-Premises Products: All on-premises products are housed on hardware owned or leased by our customers at locations that they manage. In this case, the client is both the controller and processor of their data, unless they specifically request support from Syvantis, in which case Syvantis is considered a processor and is subject to the commitments outlined below for Processors.
Clients may request Syvantis’ assistance to troubleshoot issues with any of the aforementioned products remotely or in person, which may incidentally grant us access to our client’s customer data. Syvantis will not intentionally retain this data and will take measures to destroy the data if it is unintentionally retained.
Syvantis considers itself to be a data processor for the products above and, as such, is subject to the commitments outlined below for Processors.
- Customer Relationship Management: Syvantis maintains personal information on some of our customers’ employees, including names, work emails, telephone numbers, work addresses, etc., to conduct business with that client. This information is voluntarily provided by the client on behalf of their employees. In this case, we are considered a data Processor and are subject to the commitments outlined below for Processors.
Our Commitment to GDPR compliance and your data privacy
Syvantis is dedicated to supporting our customers in their GDPR compliance efforts. We pledge to continually review our processes to improve security options, data management policies, and documentation to ensure that we are consistently abiding by the principles outlined in GDPR.
Data Processor Commitments
- We will only collect personal information when it is needed for specific purposes and we will handle it in accordance with reasonable expectations.
- We will not deceive or mislead clients when we collect personal data.
- We will be transparent and honest and will comply with GDPR obligations of the right to be informed.
- We will make information regarding the purposes of processing private information publicly available to individuals.
- We will regularly review our processing and ensure that private information is up-to-date. If the data is no longer needed, we will dispose of it.
- We will comply with our clients’ right to rectification regarding personal information.
- We will ensure that all employees involved in data processing are subject to appropriate obligations of secrecy.
- We will only transfer data from the EU to adequate jurisdictions, and only via a lawful transfer mechanism.
- We will assist clients, as necessary, with audits, compliance, investigations, or certifications.
- We will document data breaches and will notify impacted clients in a timely manner.