GDPR From Hosting Perspective: FAQ¶
General Data Protection Regulation is a new legislature, that came in effect on May 25, 2018. GDPR affects every entity that gathers or processes personal data about EU citizens. This includes companies and institutions that are based outside Europe, but operate in the EU market (source). Therefore, GDRP also affects hosting companies and their clients.
What is personal data processing?¶
Personal data processing is an action, or actions, that data controller or processor executes on personal data, automatically or otherwise. It includes gathering, recording, sorting, structuring, saving on a media, giving access, editing, modifying, searching, inspecting, using, transferring, publishing, archiving, trading or combining, blocking and destroying said data. In other words, it includes operation of an e-shop that saves personal data into database or otherwise processes them.
What is considered personal data under GDPR?¶
Personal data is all information that identifies a physical person. General personal data include name, sex, age, data of birth, marital status, as well IP address and photography. Because GDPR also covers entrepreneurs, personal data also includes the so-called organization data, such as e-mail address, phone number and various identifying information issued by governments. More information about personal data is available here.
Do we need to sign a new contract with the hosting company?¶
If you are running a service where personal data is being processed by the hosting company, you need to sign a personal data processing agreement. In case of some services, such as server hosting, dedicated servers or CDN, the hosting company does not process any data, so no extra contract is necessary. If the hosting company processes personal data (typically in managed services), it prepares the contract draft.
Is VSHosting ready for GDPR?¶
Yes, all our services are compatible with Regulation (EU) 2016/679 of the European Parliament and of the Council), better known as GDPR.
What is the role of a hosting company's client? Controller or processor?¶
The client's role depends on whether their customers are directly subjects to personal data protection (in this case, they are controller) or they sell their application or platform to a 3rd party, whose customers are subjects to personal data protection (in this case, they are processor). Example of controllers are operators of e-shop or any company towards their own employees. Example of processors are web agencies. The role of VSHosting is processor (if their client is the controller), or another processor (if the client are processor themselves).
Do we have a right to be forgotten, if we make backups?¶
Backup is a carbon copy of data to a given date and it is not advisable to modify it for technical reasons. Because the backups expire after 30 days, they meet GDPR requirements - there is no need to erase the personal data immediately. The right to be forgotten is given only in specific circumstanced spelled out by the GDPR.
How to satisfy GDPR when logging?¶
Logging done on the server-side applications (typically web server) does not include any personal data. Slow query log can be problematic, because it can potentially include personal data. However, like all other logs on the server, the slow log is automatically deleted when it expires. Authors of the client application (controller or processor) need to rotate and delete old logs in their application themselves.
Is it necessary to encrypt disks?¶
Encryption is not mandatory according to GDPR. Personal data need to be secured adequately to risks, including data breach, and encryption can help with that. However, it protects data only from physical intrusion, which is prevented by other measures.
How do you ensure that no unauthorized person can steal a server with data?¶
Data of VSHosting clients resides in our ServerPark data center. ServerPark has above-standard security measures, including thick concrete walls, reinforced doors, CCTV, anonymized server labels and most importantly, restricted, electronically secured access to the data center.
Will I be GDPR-compliant after signing the personal data processing agreement?¶
You will be GDPR-compliant in relation to the hosting company, but not generally. Every entity covered by the GDPR legislation (not only e-shop operators, but doctors, lawyers and other professions working with personal data), has to fulfill all requirements, not just only in regards to hosting. Most importantly, informing subjects to personal data protection about data processing, entering a personal data processing agreement with all personal data processors, keeping internal documentation (with records of data processing), creating internal processes etc.
Is it necessary to keep server updated to be GDPR-compliant?¶
You need to expend maximum effort to prevent personal data misuse. That is why you should keep the server upgraded, so a potential attacker cannot take advantage of an unsupported software component. We have been recommending upgrades to our clients even before GDPR came to effect. However, the biggest hurdle is usually compatibility with client's applications. So we always recommend keeping your applications compatible with up-to-date versions of PHP, Java etc., otherwise it leads to unnecessary risks.
Do we need to implement any new technical measures between us and VSHosting to be GDPR-compliant?¶
There is no need for invasive new technical measures. On our side, we are working on several features, that are nice to have, but not required. An option for secure communication is coming to our administration interface - you will get notifications by email, but the message contents will be available only in the administration interface.