FAQ’s about GDPR compliance and Animana’s new GTCs and DPA

The GDPR (General Data Protection Regulation) is a new EU privacy regulation that provides higher levels of protection for EU citizen data. See here for more information.

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will be enforced by the authorities after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government; meaning it comes into force across the EU on the 25th May 2018.

The GDPR has a very far-reaching scope. It does not only apply to organizations located within the EU but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding personal data of data subjects residing in the European Union, regardless of the company’s location.

(When the regulation refers to EU, it should be understood EEA (i.e. The 28 EU Member States plus Norway, Iceland and Liechtenstein).

Organizations can be fined up to 4% of annual worldwide turnover or €20 Million for serious GDPR breaches.

IDEXX Animana considers the proper processing of personal data to be highly important and is working towards GDPR compliance by 25th May 2018. In this respect, we, for example, have drafted a Data Protection Agreement that you have received in Q4 2017. IDEXX will continue to update and educate our customers as we move closer to May 2018.

One of the requirements of the GDPR for both IDEXX Animana (as data processor) and your veterinary practice (as data controller), is to have a Data Protection Agreement (“DPA”) in place. This DPA helps you fulfil one of your obligations as data controller.  In order to align our General Terms and Conditions (“GTCs”) with the DPA, we needed to make changes to these as well.

Regarding the GTCs – You need to read the new GTCs and 30 (thirty) days after the new GTCs have been sent to you these will be considered approved by you.

Regarding the DPA – The DPA describes the rights and obligations of both parties, data controller and data processor, as required by the GDPR so it is important for you to read and understand it. Additionally, you are requested to electronically confirm your acceptance to the DPA as it is part of your agreement with IDEXX. To do so, please go to Animana Data Protection Agreement Acceptance. If you fail to do so, you will not fulfil your obligation as a data controller to have a DPA in place and you will not be able to continue using IDEXX Animana’s software.

IDEXX Animana is committed to General Data Protection Regulation (GDPR) compliance and to help its customers with their own compliance journey. We are rolling out DPA and this updated version of GTCs well in advance to facilitate your compliance assessment and GDPR readiness when using IDEXX Animana

A data controller determines the purposes and means of processing of personal data. A data processor processes personal data on behalf of a data controller. Animana customers will typically act as the data controller for any personal data they provide to IDEXX Animana in connection with their use of Animana. IDEXX Animana is the data processor and processes personal data on behalf of the data controller when the data controller is using Animana.

Data controllers are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data. You can find guidance related to your responsibilities under the GDPR by regularly checking the website of your national or lead data-protection authority under the GDPR (as applicable), as well as by reviewing publications by data-privacy associations, such as the International Association of Privacy Professionals (IAPP). A list of the appropriate resources is included at the end of this document.  You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation.

The GDPR will probably impact your veterinary practice as you collect and process EU personal data. We recommend you contact your legal counsel for advice or check the website of your local Data Protection Agency. Some of the new GDPR obligations may not be applicable to your practice depending on your size, hence why we advise you to get legal advice.

We strongly recommend you contact your legal counsel for advice or check the website of your local Data Protection Agency. You will need to consider the expanded responsibilities of ‘data controllers’ with regards to the personal data of your employees, clients, website visitors, applicants, vendors, etc…

Controllers and processors all over the EU are currently working towards implementation of the GDPR requirements as we all need to adapt to the new regulation before May 2018. IDEXX is ahead of the curve and decided to not wait until the last moment to make those adjustments.

Just as IDEXX is being transparent to you, you also have a transparency/information duty towards your clients, the pet owners. Your clients should be informed that you use data processors such as IDEXX and how IDEXX processes their data, including our market analysis activities on aggregated and anonymized data.

You can use any communication method that you would normally use to inform your pet owners of your processing activities (e.g. via your website, privacy statement, or if you use any other type of statement to inform pet owners that you use IDEXX Animana as your practice management tool etc…).

Austria

Österreichische Datenschutzbehörde
Hohenstaufengasse 3
1010 Wien
Tel. +43 1 531 15 202525
Fax +43 1 531 15 202690
e-mail: dsb@dsb.gv.at
Website: http://www.dsb.gv.at/
Art 29 WP Member: Dr Andrea JELINEK, Director, Österreichische Datenschutzbehörde

Belgium

Commission de la protection de la vie privée
Rue de la Presse 35
1000 Bruxelles
Tel. +32 2 274 48 00
Fax +32 2 274 48 10
e-mail: commission@privacycommission.be
Website: http://www.privacycommission.be/

Denmark

Datatilsynet
Borgergade 28, 5
1300 Copenhagen K
Tel. +45 33 1932 00
Fax +45 33 19 32 18
e-mail: dt@datatilsynet.dk
Website: http://www.datatilsynet.dk/

Germany

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30
53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
e-mail: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/

Ireland

Data Protection Commissioner
Canal House
Station Road
Portarlington
Co. Laois
Lo-Call: 1890 25 22 31
Tel. +353 57 868 4800
Fax +353 57 868 4757
e-mail: info@dataprotection.ie
Website: http://www.dataprotection.ie/

Luxembourg

Commission Nationale pour la Protection des Données
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Fax +352 2610 60 29
e-mail: info@cnpd.lu
Website: http://www.cnpd.lu/

Netherlands

Autoriteit Persoonsgegevens
Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
e-mail: info@autoriteitpersoonsgegevens.nl
Website: https://autoriteitpersoonsgegevens.nl/nl

Sweden

Datainspektionen
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652
e-mail: datainspektionen@datainspektionen.se
Website: http://www.datainspektionen.se/

UK

The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 745
e-mail: international.team@ico.org.uk
Website: https://ico.org.uk