How SMART-TRIAL Continues to Protect Customer Data

December 3, 2020
in
 - written by 
Jon I.
Bergsteinsson
smart-trial-iso

The purpose of this article is to clarify how SMART-TRIAL ensures GDPR compliance, privacy, and security of SMART-TRIAL customer data. Since the ruling from the Court of Justice of the European Union (CJEU) on the EU-U.S. Privacy shield in July 2020, questions have been raised by the industry on data protection and potential non-compliant transfer of data from the EU to third countries.

Because of this, we have found ourselves forced to clarify and document, even further, how we protect our customers and their data, to ensure that all contractual agreements between SMART-TRIAL and clients are withheld and still comply with the EU GDPR requirements on data processing.

Privacy by Design

Since SMART-TRIAL’s first public release back in 2014 we have strived to ensure that all data processing complies with data protection regulations and industry standards for data privacy.

Honesty and quality are two of the fundamental principles we build our company on, which has led us to implement extensive quality processes to ensure that we deliver a reliable and compliant Electronic Data Capture platform that our customers can trust.

SMART-TRIAL is developed with privacy by design and all our efforts in doing so are thoroughly documented and tested. For this reason, we conduct and document risk-analysis on our system, production environments and all sub-processors.

The method has led us to implement various technical and contractual safeguards to ensure that we can offer a service that complies with applicable standards and regulations.

All SMART-TRIAL data is encrypted at all times, both during transfer and rest, and all our security and service measures are documented in the SMART-TRIAL security and service statement - which describes how we ensure compliance with updated regulations or standards for data protection.

In addition, we enter contractual data processing agreements with all data sub-processors (which include Standard Contractual Clauses or SCC) to ensure that all data processing is only conducted according to our specifications, which follows both industry standards and the EU GDPR requirements for data processing. This is documented in Data Processing Agreements (DPA) we enter with all customers.

Ensuring EU compliant data protection and limiting non-compliant third-country data transfer

One of the fundamental requirements of the EU GDPR is to ensure that data processing is thoroughly documented and any transfer of data is only conducted as described in data processing agreements between data controllers and data processors.

Even before the ruling by the CJEU, SMART-TRIAL had both contractual (SCC) and technical safeguards implemented to ensure that data processing complied with the requirements of the EU GDPR. Neither SMART-TRIAL nor our sub-processors relied on the EU-U.S. Privacy Shield framework alone.

According to the European Data Protection Board (EDPB) guidance published in November 2020, data processors (or data exporters) should implement both contractual and technical safeguards to limit non-compliant third-country data transfers.

SMART-TRIAL’s technical safeguards are described in the SMART-TRIAL security and service statement and contractual safeguards are documented in DPAs with customers, along with DPAs we make with our sub-processors.

All SMART-TRIAL services (and customer data) are stored and backed up within the EU (Ireland), by using privately managed hosting services from Microsoft Azure. This makes Microsoft in Ireland SMART-TRIAL’s primary sub-processor for hosting SMART-TRIAL and customer data.

To limit Microsoft’s access to customer data in SMART-TRIAL, we encrypt all data during transfer and at rest. This ensures that even in the unlikely event that a non-compliant data transfer occurs, data will not be accessible in clear text. Secondly, we have a DPA that ensures that Microsoft only processes data according to SMART-TRIAL’s specifications. According to the DPA Microsoft is not allowed to process SMART-TRIAL’s data (and our customer’s data) in other means than described in the DPA and technical configurations of Azure services used by SMART-TRIAL, without our consent. 

Microsoft also incorporates and implements a series of organisational, contractual, and technical requirements according to a range of privacy and security standards and regulations, such as ISO 27001 and 27018, to which Microsoft is audited every year. Audits done by third parties on Microsoft and its Azure data centres, confirm that Microsoft complies these standards and legislative requirements. By using e.g. the ISO 27001 and 27018 as references, Microsoft ensures that data will not be processed on our behalf without our consent, such as transferring data outside of regions that we have selected (EU/Ireland). 

On the 21st of July 2020 Microsoft further enhanced the Data Processing Agreement with SMART-TRIAL with the following statement, to ensure that standard contractual clauses would overrule the EU-U.S. Privacy Shield Framework - to eliminate any confusion that the DPA would be invalidated by the CJEU ruling.

Furthermore, by mid November 2020, Microsoft provided an addendum to the Data Processing Agreement with SMART-TRIAL to respond to the European Data Protection Board (EDPB) guidance with new commitments that demonstrate the strength of Microsoft’s conviction to defend customer data. These new commitments assure us, and SMART-TRIAL clients, that Microsoft is striving to protect the confidentiality of personal data and continue to comply with EU GDPR requirements for data protection and processing.

New technical safeguards by SMART-TRIAL to comply with recommendations from the EDPB

To illustrate that SMART-TRIAL is committed to further enhance data privacy, and comply with the recommendations published by the EDPB, we will be implementing new technical safeguards immediately. Existing technical safeguards (which include many of the recommendations published by the EDPB) are already described in the SMART-TRIAL security and service statement.

The new technical safeguards contain technical and process improvements on SMART-TRIAL's production environments. The goal of these improvements is not to correct any non-compliances, but further enhance our data protection standards as recommended by the EDPB guidelines. We expect to complete this task by the 1st of January 2021.

With new technical and contractual (with sub-data processors) safeguards in place we can assure our customers that SMART-TRIAL is committed to follow latest recommendations on data protection to comply with the EU GDPR.

Questions

For further questions or information on this topic you can contact us at dpo@smart-trial.com

SMART-TRIAL, K. Christensens Vej  2 L, 9200 Aalborg, Denmark