FAQs about GDPR compliance and Animana’s new GTCs and DPA
What is the GDPR?
The GDPR (General Data Protection Regulation) is a new EU privacy regulation that provides higher levels of protection for EU citizen data. See here for more information.
When is the GDPR coming into effect?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will be enforced by the authorities after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, meaning it comes into force across the EU on 25th May 2018.
Who does the GDPR affect?
The GDPR has a very far-reaching scope. It does not only apply to organizations located within the EU but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding personal data of data subjects residing in the European Union, regardless of the company’s location.
(Where the regulation refers to the EU, this should be understood as the EEA, i.e. the 28 EU Member States plus Norway, Iceland and Liechtenstein.)
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual worldwide turnover or €20 million for serious GDPR breaches.
Will Animana be GDPR compliant by the effective date?
IDEXX Animana considers the proper processing of personal data to be highly important and is working towards GDPR compliance by 25th May 2018. For example, we have drafted a Data Protection Agreement, which you received in Q4 2017. IDEXX will continue to update and educate our customers as we move closer to May 2018.
Why did IDEXX Animana change its General Terms and Conditions and add a Data Protection Agreement?
One of the requirements of the GDPR for both IDEXX Animana (as data processor) and your veterinary practice (as data controller) is to have a Data Protection Agreement (“DPA”) in place. This DPA helps you fulfil one of your obligations as data controller. In order to align our General Terms and Conditions (“GTCs”) with the DPA, we needed to make changes to these as well.
What do I (IDEXX Animana customer) need to do regarding IDEXX Animana’s new GTCs and DPA?
Regarding the GTCs – You need to read the new GTCs. They will be considered approved by you 30 (thirty) days after they have been sent to you.
Regarding the DPA – The DPA describes the rights and obligations of both parties, data controller and data processor, as required by the GDPR, so it is important for you to read and understand it. Additionally, you are requested to electronically confirm your acceptance of the DPA, as it is part of your agreement with IDEXX. To do so, please go to Animana Data Protection Agreement Acceptance. If you fail to do so, you will not fulfil your obligation as a data controller to have a DPA in place and you will not be able to continue using IDEXX Animana’s software.
Why are you rolling out the Data Protection Agreement and the new General Terms and Conditions for Animana now rather than wait until May 25, 2018?
IDEXX Animana is committed to General Data Protection Regulation (GDPR) compliance and to helping its customers with their own compliance journey. We are rolling out the DPA and this updated version of the GTCs well in advance to facilitate your compliance assessment and GDPR readiness when using IDEXX Animana.
What is a data controller? What is a data processor?
A data controller determines the purposes and means of processing of personal data. A data processor processes personal data on behalf of a data controller. Animana customers will typically act as the data controller for any personal data they provide to IDEXX Animana in connection with their use of Animana. IDEXX Animana is the data processor and processes personal data on behalf of the data controller when the data controller is using Animana.
What are my obligations as a customer and data controller?
Data controllers are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data. You can find guidance related to your responsibilities under the GDPR by regularly checking the website of your national or lead data-protection authority under the GDPR (as applicable), as well as by reviewing publications by data-privacy associations, such as the International Association of Privacy Professionals (IAPP). A list of the appropriate resources is included at the end of this document. You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation.
Does the GDPR affect veterinary practices?
The GDPR will probably impact your veterinary practice as you collect and process EU personal data. We recommend you contact your legal counsel for advice or check the website of your local Data Protection Agency. Some of the new GDPR obligations may not be applicable to your practice depending on your size, which is why we advise you to get legal advice.
What do I have to do as a veterinary practice to comply with the GDPR?
We strongly recommend you contact your legal counsel for advice or check the website of your local Data Protection Agency. You will need to consider the expanded responsibilities of ‘data controllers’ with regard to the personal data of your employees, clients, website visitors, applicants, vendors, etc.
What are other companies doing and why are we hearing from IDEXX now?
Controllers and processors all over the EU are currently working towards implementation of the GDPR requirements as we all need to adapt to the new regulation before May 2018. IDEXX is ahead of the curve and decided to not wait until the last moment to make those adjustments.
What are my "information duties towards my clients" as a veterinary practice?
Just as IDEXX is being transparent to you, you also have a transparency/information duty towards your clients, the pet owners. Your clients should be informed that you use data processors such as IDEXX and how IDEXX processes their data, including our market analysis activities on aggregated and anonymized data.
You can use any communication method that you would normally use to inform your pet owners of your processing activities (e.g. your website, your privacy statement, or any other type of statement you use to inform pet owners that you use IDEXX Animana as your practice management tool).
List of national data protection agencies
Tel. +43 1 531 15 202525
Fax +43 1 531 15 202690
Art 29 WP Member: Dr Andrea JELINEK, Director, Österreichische Datenschutzbehörde
Commission de la protection de la vie privée
Rue de la Presse 35
Tel. +32 2 274 48 00
Fax +32 2 274 48 10
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
Data Protection Commissioner
Lo-Call: 1890 25 22 31
Tel. +353 57 868 4800
Fax +353 57 868 4757
Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501