Frequently Asked Questions
The GDPR (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the EU.
- It establishes a framework of rules to protect the personal data for European Union (EU) data subjects. It also addresses export of personal data outside the EU.
- The GDPR takes effect May 25, 2018.
The GDPR applies to companies operating within the EU that process personal data.
- It also applies to companies outside the EU that offer goods and services to individuals in the EU.
Personal data means any information relating to an identified or an identifiable natural person.
- Potential examples of personal data are:
  - Email addresses
  - Named user ids
  - Personal card numbers
  - Account numbers of individuals
  - Financial data relating to any individual
  - Contact data
  - IP addresses which can be tied back to an individual
  - Location data relating to an individual
  - Online identifiers such as IP addresses
Yes. FIS has undertaken an enterprise-wide review and we are updating our processes and procedures to be fully compliant with GDPR by the effective date.
- FIS employs an EU Data Protection Officer as specified by the regulation. Patrick O’Kane, the FIS Data Protection Officer, can be reached at Data.Protection@fisglobal.com.
- FIS uses subcontractors throughout its business.
- While the GDPR allows a wide degree of leeway for data controllers to use processors who sub-contract services, subcontractors are contractually required to comply with all applicable laws and regulations, including the GDPR.
- FIS remains responsible to the data controller for the actions or inactions of any subcontractor.
- The Data Protection Agreement (DPA) provides your general consent for FIS to subcontract.
- FIS is required under the GDPR to identify those subcontractors and give you sufficient time to object to new sub-processors.
- These communications will be managed through the following secure website: my.fisglobal.com. That secure website will be active by May 1, 2018, and will validate your email address if registered with FIS, or will provide you with instructions on how to register your email address with FIS to obtain information regarding subcontractors.
- If your organization is subject to the GDPR, one of the requirements under the GDPR is that a compliant Data Processing Agreement/Addendum (DPA) be in place prior to the effective date.
- FIS has developed a Data Privacy Addendum that will meet the requirements of the GDPR. It is available now to all customers to help them prepare for May 25, 2018, when the GDPR becomes enforceable.
- To request a copy of the DPA, send an email to firstname.lastname@example.org
- You can request a DPA that includes your organization's information and is enabled for electronic signature by sending an email to email@example.com.
- The FIS DPA is designed to cover all the products and services that FIS provides to you.
- We have designed the DPA to be applicable to all contracts you or your affiliates have with FIS or its affiliates so that only one DPA with FIS is required to be executed.
- Each client is responsible for their compliance program and must determine whether the GDPR applies to their business.
- However, FIS suggests that a DPA be executed if the client believes that the GDPR may apply to any of the products or services provided by FIS. Specific language can be included in the DPA to specify that the GDPR provisions are effective only to the extent that the client is subject to the GDPR.
- Organizations can be fined up to 4% of annual global turnover for breaching GDPR, or €20 Million (US$21.5 Million). This is the maximum fine that can be imposed for the most serious infringements (e.g., not having sufficient customer consent to process data or violating the core of privacy-by-design concepts).
- There is a tiered approach to fines; e.g., a company can be fined 2% for not having its records in order, for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment.
- The GDPR requires specific provisions be included by contract.