The GDPR & Alchemy

Alchemy’s Compliance with the GDPR

Alchemy is committed to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which becomes enforceable on May 25, 2018.

As a data processor for customers that collect, transmit, host or analyze personal data of EU citizens, we are taking steps to comply with the GDPR’s requirements for third-party data processors. Our Data Processing Addendum (“DPA”) is our contract with our customers regarding compliance with applicable EU data protection law. Customers will consent to our Data Processing Addendum before signing up with Alchemy Systems. Broadly speaking, the DPA describes our technical and organizational measures to protect the security of EU personal data we process on behalf of customers, our reporting requirements to customers, and other efforts we will undertake to help customers comply with their requirements under the GDPR. For example, we agree to help customers:

  • Respond to requests from data subjects to correct, amend or delete personal data.
  • Be made aware of and report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
  • Demonstrate their compliance with the GDPR as pertaining to Alchemy Services.

Your responsibilities under the GDPR

It is important to remember that you, as the business customer and the data controller, have specific legal obligations under the GDPR.

Alchemy customers that collect and store personal data are considered data controllers under Directive 95/46/EC and the GDPR as of May 25, 2018. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law.

You should be confident that any providers (data processors) which you work with have a highly robust approach to data protection, understand the obligations of the GDPR and are well prepared to meet them.

Remember however that no provider can offer to “solve” GDPR compliance for you.

GDPR: Key changes

The GDPR brings with it a shift in mindset. It makes explicit several principles that previously underpinned data protection law only implicitly, such as the “accountability principle” and “privacy by design,” and encourages organizations to take more responsibility for protecting the personal data they handle.

Privacy by design: This means that organizations handling personal data need to think about data protection when designing systems, not just review privacy implications after a product or process is developed. If you process a lot of personal data or deal with sensitive information, in many cases you’ll also need to conduct data protection impact assessments to meet the privacy by design principle.

User rights: The GDPR expands the existing set of user rights and creates several entirely new rights. Companies should review and ensure they have effective systems in place to give effect to these rights.

Tougher breach notification rules: Under the GDPR, organizations are required to have a strong breach notification system in place and understand their specific reporting obligations.

Accountability: Not only must your company adhere to the principles set out in the GDPR, but you must also demonstrate compliance with the principle of accountability. This requires a comprehensive and clear internal privacy governance structure.

Data protection officer: The GDPR requires companies that engage in processing of EU personal data to determine whether they should appoint a Data Protection Officer. Companies whose core activities consist of large-scale processing of special categories of data, or of large-scale, regular, and systematic monitoring of individuals, must appoint a DPO. Special categories of personal data include race, ethnic origin, health information, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, and sexual orientation.