What is GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy regulation that covers ‘personal data’ of EU residents. Failure to comply with the GDPR could result in significant penalties. Enforcement of the GDPR begins on May 25, 2018. And while GDPR is a European regulation, it applies much more broadly. See our GDPR overview for additional details.
As a Tech Data CSP partner, do I need to comply with GDPR?
Yes, where applicable. In general, GDPR applies to the processing of personal data where such processing activities relate to goods or services offered in the EU. As partners, our commitments to one another are mutual. Each party must not use or share personal data outside the bounds of the customer’s consent, must handle and assist with relevant data subject requests, and must take appropriate security measures to protect personal data. Each party must also comply with any data protection laws applicable to you or Tech Data, which may or may not include GDPR.
What are processors and controllers under GDPR?
A controller is a party that determines the purposes and means of the processing of personal data. A processor processes personal data on behalf of the controller, pursuant only to its instructions. Your role will be determined by the factual circumstances under which you handle personal data. GDPR defines ‘processing’ as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
What is a Data Processing Agreement (DPA) and do I need one with my customers?
If you are processing data on behalf of a customer, then a data processing agreement is required. Under GDPR, a data processing agreement is a contract between a controller and a processor that sets forth processing instructions for the processor and data protection obligations consistent with Article 28 of GDPR.
Can I use Tech Data’s data processing agreement instead of providing my own?
No. Where you process personal data on behalf of your customers, you must enter into an independent data processing agreement with that customer.
I currently have a data processing agreement with my customer, do I need to update it for GDPR?
Probably. Through Article 28, GDPR introduces new requirements that must be included in data processing agreements, such as data breach notification obligations, commitments related to sub-processors, and obligations to assist with data subject requests, security, and data protection impact assessments.
I use a third-party service provider to support my customers, do I need a data processing agreement?
Yes, if you ask the third-party service provider to process customer personal data of EU residents on your behalf. Under Article 28 of GDPR, you must obtain prior specific or written authorization from the customer prior to engaging a service provider and have a data processing agreement with each of your processors or sub-processors of personal data that includes the same data protection obligations as set out between you and the customer.
How long may I retain customer personal data?
In general, you may only retain customer personal data received by Tech Data for a period that is necessary to fulfill the purpose of the agreement (e.g., carrying out a transaction of interest to the customer). Any customer personal data provided to you directly by the customer may be retained in accordance with your agreement with such customer.
As a partner, do I need to appoint a Data Protection Officer (DPO)?
As a partner, you must comply with data protection laws applicable to your business, which may include GDPR. The circumstances for appointing a DPO are set out in Article 37 of the GDPR, which generally provides that a data protection officer needs to be appointed where: (a) the processing is carried out by most public authorities, with some exceptions; (b) the core activities of the entity consist of processing which requires regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the entity consist of processing “Sensitive Data” or criminal records on a large scale. Other data protection laws may require a DPO (or other similarly titled privacy officers).
What is Tech Data doing to comply with GDPR?
Tech Data is constantly striving to maintain and ensure the confidence of its CSP partners, and of all individuals whose personal information we process. Tech Data respects and protects the rights of those whose personal information we process, and Tech Data companies comply with relevant privacy and information security regulations. Our compliance with applicable regulatory requirements relative to processing of personal information is protected by internal privacy and information security control frameworks. As part of these frameworks, we provide training to our employees and commit our staff and partners to protect the confidentiality of the information that we process. In addition, we also obtain contractual commitments for our third-party suppliers providing services in connection with StreamOne to provide an equivalent level of protection for the personal information that they process on our behalf.
How does this affect users of the StreamOne Cloud Marketplace (SCM)?
If you are a user of Tech Data’s SCM in Europe and haven’t done so already, the next time that you place an order with us you will be asked to click to accept new terms and conditions.
How does this affect vendors in SCM?
All our vendors and ecosystem partners in StreamOne Ion will be asked to sign new Data Processing Agreements (DPAs) that are compliant with GDPR.
How does this affect users of StreamOne Ion?
Users of Tech Data’s StreamOne Ion in Europe will be required to sign a new printed DPA which will be sent to you. As soon as possible we will be implementing this as a click to accept process on
How does this affect vendors in StreamOne Ion?
All our vendors and ecosystem partners in StreamOne Ion will be asked to sign new DPAs that are compliant with GDPR.
What if I cannot comply with GDPR?
If GDPR is applicable to your business, then you will need to be able to comply with GDPR. As a Tech Data CSP partner you are obligated to ensure that you comply with applicable privacy laws, including GDPR. However, we have resources available to help you get ready for GDPR as well as connect you with partners who are GDPR ready.
How can I use GDPR Compliance to achieve more and deliver great solutions to my customers?
GDPR represents a paradigm shift in global privacy requirements. So, what does that mean for you? Opportunities to position your business as a leader in the privacy and data management space. By leveraging Tech Data’s security practice expertise, you can now streamline your GDPR compliance and help your customers do the same. Here are resources that can help partners intelligently approach GDPR.