MergerWare commitment to GDPR
Our pledge to data protection and right of individuals to data
MergerWare is fully committed to being compliant prior to GDPR. We promise to safeguard your data.
[Contact privacy@mergerware.com for any questions/comments]
What is GDPR?
The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. It will have a significant impact on businesses around the world.
The full text of the GDPR can be found at https://gdpr-info.eu/ .
Does the GDPR apply to me?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
GDPR – important definitions
| TERM | DEFINITION |
| Data Subject | A person who lives in the EU |
| Personal Data | Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info) |
| Controller | A company/organisation that collects people’s personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed (for example using the MergerWare platform for your M&A deal management), you’re the Controller of that data and must comply with applicable data privacy legislation accordingly. |
| Processor | A company/organisation that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data. So for example, MergerWare is the processor of the data you collect in your MergerWare platform .. We don’t control how you collect or use the data; we merely process it on your behalf and on your instruction. |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Data Protection Officer (DPO) | A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert |
| Data Privacy Impact Assessment (DPIA) | A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing |
| Supervisory Authority | Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities) |
| Third Countries | Countries outside the EU |
What are the rights of Data Subject under GDPR?
At the heart of GDPR lies a set of rights a person can exercise against organizations processing their personal data. Specifically, individuals have the right to:
| Access | Under GDPR, the Data Subject will be able to request access to his/her personal data and learn how an organization uses it. |
| Erasure | Data Subject will have a right to withdraw consent to store and use personal data and have the information erased. |
| Data Portability | Data Subject will have the right to transfer its data from one service provider to another, and current provider must comply with this request. |
| Rectification | Data Subject can also require any errors in personal data to be corrected, and an organization must reply to the request within one month. |
| To Be Informed | Under GDPR, companies must be transparent about how they gather personal information, and must do it before they collect the data. As part of this, Data Subject must freely give consent for their data to be gathered for a specific purpose. |
| Restrict Processing | This gives Data Subject the right to block and suppress processing of their personal data. Under suppressing, an organization can still store personal information but cannot use it in any way. |
| Stop Processing | Data Subject will have the right to object to using and processing their personal data. This includes direct marketing, profiling, processing for scientific or historical research, inclusion in statistical research and much more. Once a Data Subject objects, all his or her data processing must cease immediately. |
What contractual changes is MergerWare planning in its agreements with customers & vendors in preparation of GDPR?
We are reviewing all our legal agreements to ensure we make any required changes in order to be compliant with GDPR. Here are some of the planned changes:
We have created a new European Union General Data Protection Regulation and Data Transfer Addendum
- Data Transfer Addendum (DTA) to meet the requirements of the GDPR in order to permit our Customers to continue to lawfully transfer EU personal data to MergerWare and permit MergerWare to continue to lawfully receive and process that data;
- We are updating our third-party vendor contracts to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data.