Comtact Ltd. GDPR Statement

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), adopted on April 27, 2016, is a regulation intended to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the transfer of personal data outside of the EU. The primary objectives of the GDPR are to enhance EU residents’ control of their personal data and to simplify the regulatory environment for international business by imposing uniform data protection requirements on all EU members. The GDPR replaces the data protection directive (officially Directive 95/46/EC) from 1995 and is effective from May 25, 2018.

Comtact Ltd. is committed to compliance with the GDPR. Just like existing privacy laws, including the preceding data protection directive, compliance with the GDPR requires a partnership between Comtact and our customers in their use of our services and products. Comtact has reviewed the requirements of the GDPR, and is working to make enhancements to our services, products, documentation, and contracts to support our own compliance with the GDPR.

Updated Data Protection Policy (DPP): Comtact Ltd. has updated its DPP, and supporting processes, to align with GDPR requirements. This updated DPP will contain revised or additional contractual provisions where appropriate in order to assist our customers in their compliance with the GDPR.

Comtact’s Compliance with the GDPR

As a managed services provider, data privacy and security is at the core of Comtact’s business and something Comtact takes very seriously. Comtact remains committed to protecting personal data in compliance with the highest standards of privacy and security. Below is a high-level summary of Comtact’s compliance with many of the key areas of the GDPR.

Data Protection

  • As the data processor, Comtact will only process personal data on behalf of the data controller and on written authorisation from the data controller (i.e. through a contract or order).
  • Comtact expects that its customers, as the data controllers, will notify their employees and users (i.e. the data subjects) of the processing carried out by Comtact and will obtain their consent for Comtact to do so.
  • Comtact ensures the confidentiality and availability of the personal data that it processes, and that appropriate technical and organisational measures are taken to protect such personal data.
  • For the majority of Comtact’s services and products, personal data is never stored by or accessible by Comtact.
  • Customers have the option to obfuscate their user IDs so that they are never seen by Comtact Operations and Support teams or by their own administrators.
  • Logs are never stored in clear text.
  • Comtact only allows access to personal data by personnel who are authorised administrators with appropriate privileges.
  • Comtact does not process or store any personal data that is not needed to perform the contracted services on behalf of the data controller.
  • The personal data that Comtact processes on behalf of the data controller will be accurate, complete, and kept up-to-date as much as technically possible.
  • Personal data will not be disclosed, made available, or otherwise used for purposes other than to perform the contracted services on behalf of the data controller, except as required by law.
  • If Comtact uses any sub-processors, it will first obtain the data controller’s consent to do so and will ensure that all of Comtact’s obligations under the GDPR and its contract with the data controller are also flowed down to any such sub-processors.
  • All transfers of personal data outside of the European Economic Area (EEA) will only be done for the purposes of providing the contracted services to the data controller and will be subject to EU-US and Swiss-US Privacy Shield principles.
  • Comtact retains Logs in its provided applications for rolling periods of at least six months, after which the Logs are securely purged.
  • At contract termination or expiration, the Logs will be purged pursuant to the six-month retention cycle, or as earlier requested in writing by the data controller.
  • Comtact will make available to the data controller all information reasonably necessary for the data controller to demonstrate its compliance with the GDPR.
  • Comtact will be accountable and responsible to ensure its own compliance under the GDPR.

Security Safeguards

  • Comtact protects personal data through reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification, or disclosure.
  • Comtact has certified to the ISO 27001 information security framework in order to maintain consistent and robust security controls and procedures for all customers.
  • Comtact applies robust security measures to its systems, such as antivirus, firewalls, scheduled vulnerability scanning, penetration testing and security code peer reviews.
  • All Comtact personnel who are authorised to process personal data have committed themselves (through employment and confidentiality agreements) to the confidentiality and security of personal data.
  • In addition to adhering to ISO 27001 principles, the top-tier global data centres that Comtact uses take security just as seriously as Comtact – through, among other protections, sophisticated entry control systems, dual power feeds with backup generators, and video surveillance.
  • Comtact is able to ensure ongoing confidentiality, integrity, availability and resilience of its processing systems and services, in addition to restoring real-time availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • Comtact has an internal process for regularly testing, assessing, and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing of personal data.
  • Comtact will notify the data controller without undue delay after becoming aware of a personal data breach and will assist the data controller in reporting to supervisory authorities and affected data subjects any personal data breaches.