Frequently Asked Questions
What is the General Data Protection Regulation (GDPR) and when did it come into effect?
- The GDPR (Regulation (EU) 2016/679) is an EU law with mandatory rules for how organizations must process personal data. One of the key objectives of the GDPR is to strengthen and unify personal data protection for all individuals within the EU.
- The GDPR restricts transfers of personal data outside the European Economic Area, unless the rights of individuals in respect of their personal data are protected.
- The GDPR took effect May 25, 2018.
- The GDPR also forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (often referred to as “UK GDPR”).
Who does the GDPR affect?
- The GDPR applies to any organization established in the EU or the UK that processes personal data. The GDPR also applies to organizations outside the EU or the UK if they offer goods or services to, or monitor the behavior of, data subjects in the EU or the UK.
What constitutes personal data?
- Any information relating to a natural person (the “data subject”) that can be used to directly or indirectly identify that person. It can be anything from a name, photo, email address, bank details, social networking posts or medical information to a computer IP address, among others.
Does FIS have a GDPR Compliance program?
- Yes. FIS has undertaken an enterprise-wide review and has implemented processes and procedures designed to be compliant with the GDPR.
Does FIS have a Data Protection Officer?
Does FIS use subcontractors to provide services to my organization? If yes, how does FIS inform my organization, as the controller of the personal data, of the use of those subcontractors?
- FIS uses subcontractors throughout its business.
- While the GDPR allows data controllers a wide degree of leeway to use processors who subcontract services, subcontractors are contractually required to comply with all applicable laws and regulations, including the GDPR.
- FIS remains responsible to the data controller for the actions or inactions of any subcontractor.
- The Data Protection Addendum (DPA) provides your general consent for FIS to subcontract.
- FIS is required under the GDPR to identify those subcontractors and give you sufficient time to object to new sub-processors.
- These communications are managed through our Client Portal, which is made available to the Client’s designated representatives upon request.
How do I know if my contract with FIS needs to be amended?
- If your organization is subject to the GDPR, one of the requirements under the GDPR is that a compliant Data Processing Agreement/Addendum (DPA) is in place.
- FIS has developed a DPA that will meet the requirements of the GDPR.
- To request a copy of the DPA, send an email to firstname.lastname@example.org.
GDPR applies to my organization. How do I amend my contract to include the required provisions?
Can FIS determine if a client needs a GDPR-compliant DPA?
- Each client is responsible for its own compliance program and must determine whether the GDPR applies to its business.
- However, FIS suggests that if the client believes that GDPR may apply to any of the products or services provided by FIS, a DPA be executed.
Are FIS contracts updated to include the new Standard Contractual Clauses for international data transfers?
- Yes, the FIS DPA has been updated to include the new Standard Contractual Clauses for international data transfers as issued by the European Commission in June 2021. The FIS DPA also incorporates the UK International Data Transfer Addendum to the EU SCCs.
What are the penalties for non-compliance?
- The GDPR provides data protection authorities with different options in case of non-compliance. They have the right to issue warnings or reprimands, or to impose a ban on the processing of personal data. The authorities may also impose a fine on companies that fail to comply.
- There are two tiers of fines under the GDPR: up to €10 Million, or 2% of your annual global turnover – whichever is greater; or up to €20 Million (US$21.5 Million), or 4% of your annual global turnover – whichever is greater. Which tier applies depends on the specific articles of the GDPR that were breached. For example, an organization that does not enter into a DPA with a processor that is processing personal data on its behalf could be subject to a fine of 2% of its turnover. However, failing to put a DPA in place could also result in a transfer of personal data outside the EEA without a valid transfer mechanism (for example, because the SCCs are not applicable), which could trigger a separate fine of 4% of its turnover.
- Compliance with the DPA and transfer restriction requirements in the GDPR is a responsibility of both the data exporter and the data importer.
My contract already says that FIS will comply with all applicable laws and regulations. Why do I need an addendum that specifically references GDPR?
- The GDPR requires that specific provisions be included in the contract, and these provisions are included in the DPA.