AdvantageCS supplies the Advantage software system (and related services) that manages customer transactions and interactions for the products and services you provide to your customers. These services include customized solutions as well as software support.
AdvantageCS personnel advise, train, help you configure your operations, and provide support.
However, AdvantageCS is not a Processor according to the definitions provided in the GDPR:
- “‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;” (Article 4.8 of the EU General Data Protection Regulation (GDPR))
- “‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4.2 of the GDPR)
Data Protection Responsibilities
While not technically a GDPR Processor, AdvantageCS partners with clients to create an effective system that, when in operation, is compliant with regulations such as GDPR and PA-DSS.
The AdvantageCS Data Protection Team has the following responsibilities:
- Compliance tracking: Documentation of policies. Verification of training. Logging activities and events.
- Security regarding access to AdvantageCS systems
- Security regarding access to client systems
- Training for AdvantageCS personnel
- Functionality of the Advantage system
This team meets regularly to review Data Protection issues and initiate changes as needed.
AdvantageCS operates on a “need-to-know basis,” meaning that access to client data by AdvantageCS personnel is restricted, and the data can only be accessed when it is necessary for specific operations.
AdvantageCS personnel do not share clients’ data, nor transfer clients’ data, outside a client’s private network without permission. Clients’ data is accessed for support purposes only and only on occasions when requested by the client.
AdvantageCS does not exploit your customer data for purposes unrelated to providing support services. We do not use your customer data for advertising or similar commercial purposes.
AdvantageCS trains its employees to follow company data privacy policies.
AdvantageCS personnel access to client data is intended for support purposes only.
While AdvantageCS is responsible for building services and features that facilitate compliance with data protection and privacy regulations and standards, it is up to our clients to configure services and train their employees to use those services in a way that maintains compliance requirements.
Also, though it is up to AdvantageCS to create strong operational controls to protect Personal Data, it is up to our clients to use those controls in a way that limits unintended data sharing and access.
Data Protection by Design and by Default
Article 25 of the GDPR describes the concept of “data protection by design and by default”. The Advantage database is designed with data protection in mind.
A Single Customer Record
An overriding principle is that a person is on file a single time, with all their activity using the same single customer record. The Duplicate Consolidation module allows our clients to combine duplicate customer records, which can get created if data provided by the customer does not match closely enough with the data on file.
Limited Personal Identifier Locations
Personal Identifiers are a subset of Personal Data that enable one to relate data to a specific Data Subject so that this data may be defined as “personal.” Personal Identifiers are stored in a limited set of tables, mainly on the customer and address tables, and are replicated only in very limited cases.
For many analysis reports, summary tables are populated to support statistical tallies. These summary tables do not contain Personal Data. Similarly, information transferred to the Advantage Business Intelligence module does not contain Personal Data.
Personal Data in Advantage
Personal Data is defined by the GDPR as follows: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (Article 4.1 of the GDPR)
AdvantageCS maintains lists of the Personal Data commonly stored in Advantage, and also areas which may possibly contain Personal Data, depending on a specific client’s use of Advantage. This information is available to all Advantage clients.
There are several Advantage user security features related to data protection, including client-defined security groups, multi-factor authentication and user log-in limits, change history and update logging, the ability to anonymize a non-production database, and data purge processes.