The General Data Protection Regulation (GDPR) will, once it takes effect on May 25th 2018, replace the European Data Protection Directive and existing relevant national legislation. GDPR aims to strengthen individuals’ rights, secure their personal data and protect their privacy. The introduction of GDPR will give Data Subjects stronger rights to transparency, and easier means to have their data corrected, transferred and/or completely deleted.
Basefarm as a Data Controller
Basefarm is a Data Controller for data collected and processed by internal functions and processes. This includes shareholder and employee data, and data collected about prospective and existing customers. It also includes data about vendors’ personnel, partners’ personnel, contractors and other persons who have been, or are, in contact with Basefarm through digital channels.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk, Basefarm applies appropriate and reasonable organizational and technical security measures to protect these datasets.
Basefarm as a Data Processor, or a Sub-Processor
Basefarm is a Data Processor when managing services that store, transfer or process personal data on behalf of our customers, where the customer is a Data Controller. Some customers are themselves Data Processors, in which case Basefarm has the role of Sub-Processor.
The GDPR defines “Personal Data” as any information relating to an identified or identifiable natural person, meaning that almost any IT system must be considered to carry personal data.
Basefarm will only perform processing activities on the Personal Data based on documented instructions from the relevant customer. Basefarm will not engage sub-processors without the prior written approval of the relevant customer.
Certifications and attestation services
Basefarm’s Information Security Management System (ISMS) is ISO27001 certified. The scope is all-inclusive; thus, it covers all operation activities, all Data Centers and all offices in Norway, Sweden and The Netherlands.
Basefarm also offers subscription-based SOC2 and ISAE3402 attestation services.
Our Data Center facilities are all designed, built and operated according to TIER III principles. Physical security controls are layered, based on balanced security principles designed to have adequate response in place before a physical intrusion is successful. Access is restricted to selected personnel only. The physical security of our Data Centers is reviewed annually as a part of the ISO 27001 audits.
Basefarm performs screening of employees relevant to their tasks and responsibilities, and within limitations in local legislation. All employees are required to sign non-disclosure agreements prior to being granted access to IT systems. Further, all employees are required to read and adhere to relevant parts of Basefarm’s security policies, and are subject to security awareness training, at least annually.
As a Data Processor or a Sub-Processor, Basefarm provides services with a default security level that for many customers and processing activities will be sufficient to meet the requirements of GDPR. However, the Data Controllers must assess the risk involved in the processing, and determine the need for additional technical or organizational security measures. Basefarm offers a range of security services that will increase Data Protection, or ensure faster detection and improved response capabilities in case of security incidents or Data Breaches. Ultimately, it is the customer that decides which (if any) additional security measures are needed.
Processes and Governance
Basefarm operations are governed by well-defined and mature processes, based on ITIL and ISO9001.
Data Protection Officer
Basefarm has appointed a Data Protection Officer (DPO). The DPO monitors Basefarm’s commitment to, and execution of, activities needed to comply with GDPR. The DPO also works externally with suppliers, partners and customers as an advisor, to ensure that the parties provide data subjects with the general data protection and data privacy that is required, and that Service Agreements are kept up-to-date to define the roles and responsibilities of each Party. The DPO is also the primary liaison between Basefarm and national Data Protection Agencies.
The DPO can be reached at DPO@basefarm.com.
Basefarm uses Data Processing Agreements to document the specific Personal Data processing obligations and responsibilities we undertake on behalf of our customers. The DPAs will be added to the Service Agreements, and shall substitute any existing agreement governing Personal Data processing.
Similarly, Basefarm signs Data Processing Agreements with sub-contractors and partners if the service they provide includes access to, or processing activities on, Personal Data.