As a data company, we believe it’s important that we provide a general overview on Waylay and the GDPR that is written in plain English and is as free from legalese as a text talking about a legal document can be. Important obligatory note: this text is for information purposes only and cannot be considered legal advice or legally binding in any way or form.
On May 25th, 2018, the European Union’s new data protection regulation, the General Data Protection Regulation (GDPR), enters into force. In our borderless digital world, this piece of legislation is an important update and will impact any business handling data that can be used to personally identify EU residents, who in GDPR terminology are called “data subjects”.
As an Internet of Things company, when thinking about handling personal data there is already a useful distinction to be made between industrial and consumer IoT use cases.
For industrial applications, Waylay primarily handles machine data for customers. In most cases, this data and its associated metadata cannot be linked to individuals and hence do not qualify as personally identifiable data.
GDPR will have greater impact on consumer IoT use cases, where our customers’ end users are private persons, where IoT applications will almost always require handling personal data, and where device data can be associated with individuals.
Irrespective of the nature of the application, industrial or consumer, and regardless of whether it’s pure machine data or explicit human user data that we handle, Waylay is committed to going the extra mile in protecting data subjects. This article provides an overview of the data-related roles and responsibilities when you’ve chosen Waylay as your IoT orchestration platform and will explain Waylay’s efforts to live up to the values and requirements of the GDPR.
GDPR makes a clear and important distinction between two types of responsibility levels of organisations handling personal data of EU data subjects: the responsibilities of the data controller and those of the data processor.
Simply put, in our case, Waylay acts as data controller when it comes to personal data of you as our customer and as a data processor when it comes to personal data of your end users that you manage using the Waylay application.
Using the Waylay application to manage data about your customers means that you have engaged Waylay as a data processor to carry out certain processing activities on your behalf.
According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be set out in writing (electronic form is acceptable under subsection (9) of the same Article).
These two documents also serve as your data processing contract, setting out the instructions that you are giving to Waylay with regard to processing the personal data you control and establishing the rights and responsibilities of both parties, unless there is a specific data processing contract in place with more detailed instructions. Waylay will only process your Customer Data based on your instructions as the data controller.
Waylay acts as the data controller for the personal data we collect about you and/or the users that manage the Waylay application, that is, the user/admin of the Waylay application and admin console. Examples of such information include your name, email address, phone number, credit card info, etc.
Collecting and processing this data is necessary for us to perform our contract with you (GDPR Article 6(1)(b)) and to meet our obligations under the law (GDPR Article 6(1)(c)); this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.
As the controller for your personal data, Waylay is committed to respecting all your rights under the GDPR. If you have any questions or feedback, please reach out to our Data Protection Officer by email at email@example.com.
As a company founded and headquartered in Europe, Waylay has been closely following the updates on EU data privacy regulations and is very familiar with the implications that the new EU General Data Protection Regulation has for businesses worldwide.
We take the privacy needs of Waylay users and of their customers very seriously and, as such, have implemented — and will continue to improve — technical and organizational measures in line with the GDPR to safeguard the personal data processed by Waylay.
Ownership over your own personal data is a fundamental concept promoted by the GDPR, which Waylay fully supports and stands by. This is why, for data where we act as data controller, we have made sure to have the proper processes in place to respond to your request as a data subject to delete, modify, or transfer your data. You will always be in charge of what personal data we collect, store and process, and we make sure that you always have a handy and clear way of submitting personal-data requests.
An important thing to stress here is that we have no direct relationship with your customers so we do not process any such requests from them. It is your responsibility to make sure you have all the processes in place for such requests coming from data subjects for whom you act as data controller.
It is important to note here that all Waylay employees and team members are bound by strict confidentiality agreements, and extensive training efforts are made within the company so that the GDPR-compliant processes we’ve put in place are followed. Sessions on data privacy and security are an integral part of our onboarding process, and each department receives training that is tailored to its work involving personal data.
We hope that this article was useful in understanding where all parties involved stand when it comes to handling personal data of EU data subjects when using the Waylay application. If you have any questions with regard to any of the above, you’re welcome to reach out to us at firstname.lastname@example.org and we’ll do our best to help out.
We believe that a new era of handling personal data begins with the GDPR coming into force and that data companies such as Waylay will have a prime role not only in ensuring legal, transparent and ethical use of personal data but also in contributing to making our software-driven future world a safer place for all.