Intermedia Legal

Your one-stop shop for Intermedia-related legal information

General Data Protection Regulation (GDPR)

What you need to know, and how Intermedia can help you comply with the GDPR’s requirements

Effective May 25, 2018, the General Data Protection Regulation (GDPR) is a European privacy law that imposes significant new requirements on any company or entity that handles, stores, collects, processes, uses or analyzes any personal data of individuals located in the European Union (EU). It gives these individuals greater control over the data that companies have about them, and it creates heightened security, disclosure, access and notification obligations on any business that uses personal data of individuals located in the EU.

Intermedia has extensive expertise managing a highly secure infrastructure and complying with complex regulations. Intermedia maintains a security environment that meets the requirements of the GDPR, and we offer GDPR-compliant Data Processing Addendums (DPAs) to our partners and customers to help assure them that our processing and handling of their data will meet the GDPR’s standards. Ultimately, every business needs to carefully assess its own business activities and its compliance with the GDPR, but we can help by managing GDPR compliance on the services we provide.

What are the key elements of the GDPR?

The GDPR is complex, but the following is a high-level summary of its key elements:

  • Individuals Have Greater Control Over Their Data: Under the GDPR, individuals in the EU (referred to as data subjects) have “data subject rights,” which include the right to (a) be informed how their personal data is collected and used; (b) access that data; (c) make corrections to, or delete, incorrect information about them; (d) “erasure” (which means they have the right to request that their personal data be deleted under certain circumstances); (e) limit or object to automated processing of their personal data; and (f) port the personal data provided by the individual.
  • Companies Must Maintain a Comprehensive Security Program: Entities that handle, store, collect, process, use or analyze any personal data of individuals located in the EU must implement and maintain a comprehensive security program with appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which includes, at a minimum, specific security measures identified in the GDPR (such as pseudonymization and encryption of personal data and a process for regularly testing, assessing, and evaluating the effectiveness of those technical and organizational security measures).
  • Companies Have Stricter Disclosure and Notification Obligations: The GDPR imposes duties on companies to provide prompt notification of security breaches to data protection authorities and affected individuals. The GDPR also obligates entities to disclose to individuals the basis for processing their personal data, if their personal data is being processed by third parties, how their personal data will be transferred (if applicable), and how their data will be used.

What data is subject to the GDPR?

The GDPR applies to any personal data of individuals located in the EU. “Personal data” consists of any information that can be used to identify a person. In some cases, it’s easy to identify personal data as it directly identifies a specific individual – for example, an email address, taxpayer or employee ID number, or a person’s name. However, personal data may also include less obvious types of information such as a person’s credit card number, location information and/or IP address. It can also include indirectly identifying information (such as age or postal code) that is used in combination with directly identifiable information. It is very broadly defined.

What types of agreements does Intermedia offer regarding GDPR compliance?

The GDPR states that data controllers (such as Intermedia’s customers) may only use data processors that provide sufficient guarantees that meet key requirements of the GDPR. Intermedia meets that requirement, and we are pleased to offer a Data Processing Addendum (DPA) to any Intermedia partner or customer. Our DPA contains contractual commitments to comply with the GDPR, as well as the other commitments described below. Please contact your Intermedia account representative for assistance putting a DPA in place.

What commitments are contained in Intermedia’s Data Processing Addendum?

Intermedia’s DPA includes a number of commitments on the part of Intermedia, in its capacity as a processor of personal data of individuals located in the EU, to comply with the GDPR. The GDPR requires that processors such as Intermedia commit to:

  • Obtain the controller’s consent before using subprocessors and remain liable for the activities of any subprocessors;
  • Only process personal data of individuals located in the EU on instructions from the controller;
  • Ensure that personnel, such as employees and contractors, who process personal data are trained and committed to confidentiality;
  • Implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk;
  • Assist controllers in complying with their obligations to respond to data subjects’ requests to exercise their GDPR rights;
  • Upon becoming aware of a security breach, provide timely notice of the breach and help the controller comply with its disclosure obligations;
  • Assist controllers with data protection impact assessments and consultation with supervisory authorities;
  • Make reasonable information available to customers to help them assess the processor’s security program;
  • Delete or return personal data once the services are terminated (except as needed by the processor to continue to provide services or manage its business); and
  • Support the controller with evidence of the processor’s compliance with the GDPR.

Once I sign a Data Processing Addendum with Intermedia, am I done with GDPR compliance?

No! The GDPR is a far-reaching privacy law that touches any business that handles any personal data of individuals within the EU. Intermedia can help support your GDPR compliance efforts by fulfilling our obligations as a processor of any personal data that you, your customers and your users submit to Intermedia in connection with the services we provide. However, there are a number of other actions you should be considering, such as:

  • Consider the types of personal data that you handle, store, collect, process, use or analyze in the conduct of your business.
    • Do you have any employees in the EU?
    • Do you have any customers with offices in the EU?
    • Do you (or, if you resell Intermedia services, do your customers) handle personal data of individuals, potentially located in the EU, in the normal course of business (such as medical insurance billing, HR or payroll services, etc.)?
    • Do you collect individualized tracking information (including the use of cookies) regarding users of your website, some of whom may be located in the EU?
    • Do you provide services to your customers where you do not know the content of what you are processing (such as email or archiving services)?
    Any personal data that you have in connection with these or similar activities may be subject to the GDPR’s requirements.
  • Review your own security infrastructure and ensure that it is sufficient to protect any personal data that you store that may be subject to the GDPR.
  • Make sure you understand and can comply with the GDPR’s notification, disclosure, consent and other requirements in your handling of any possible personal data of individuals located in the EU.
  • Obtain DPAs from any vendor or service provider to which you or your customers may be sending personal data of individuals in the EU for processing.
  • Prepare and offer GDPR-compliant DPAs to your own customers who may require such agreements for the services you provide to them.

GDPR compliance requires a very detailed and business-specific analysis. Intermedia provides GDPR-related assurances regarding the services we provide. Most companies that, directly or indirectly, have contacts or dealings with the EU are working with outside legal and compliance advisors to help them understand how the law applies to their own business and what they need to do to comply. Intermedia strongly recommends that, if you have any questions regarding GDPR compliance for your own business, you seek the advice of your legal advisors.