KissLabs is now compliant with the European data protection regulation, the GDPR


As part of the new European data protection regulation (GDPR), KissLabs has undertaken to put in place the means necessary to adapt to this new provision.

GDPR is intended to facilitate the legal orchestration and management of personal data. As such, it promotes the harmonisation of legal regimes for the protection of personal data in Europe. Even better, GDPR has an extraterritoriality principle that allows its scope of application, in certain circumstances, to be extended beyond European borders.

To this end, we have updated our general terms and conditions of sale in order to comply with the regulation, defined privacy policies, and implemented numerous internal processes and documentation to ensure that all our employees are aware of them and committed to them.

Choosing the right service provider, especially for cloud services, is essential to meet your own personal data protection obligations.


Definition

Understanding the real and precise issues at stake in a European regulation is not always easy, especially when it contains 99 articles, 173 recitals and many guidelines to clarify its interpretation. However, this is essential in order to avoid any risk that could result from an overly broad or imprecise interpretation of the regulatory obligations incumbent on your organisation. A good understanding of the few terms defined below is therefore essential:

  • Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly.
  • Processing: any operation or set of operations, whether or not carried out using automated processes, applied to personal data or sets of personal data (collection, recording, transmission, storage, retention, retrieval, consultation, use, interconnection, etc.).
  • Data controller: the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of the processing.
  • Subcontractor: the natural or legal person, public authority, department or other body processing personal data on behalf of the controller.


KissLabs as a subcontractor and its commitments

It is certainly in this capacity that your expectations of KissLabs are most important. KissLabs is referred to as a 'subcontractor' when we process personal data on behalf of a controller.

This is typically the case when you use KissLabs services and store personal data on our infrastructure. Within the limits of its technical constraints, KissLabs will only be able to process the stored data according to your instructions, and only on your behalf. As a subcontractor, KissLabs undertakes in particular to implement the following actions:

  • Process personal data solely for the purpose of the proper performance of the services: KissLabs will never process your data for any other purpose (marketing, etc.).
  • Not transfer your data outside the EU or outside the countries recognised by the European Commission as having a sufficient level of protection, provided that you do not select a Datacenter in a geographical area outside the EU.
  • Inform you of any use of subcontractors who may process your personal data: to date, no services involving access to the content you store as part of the services are subcontracted outside KissLabs.
  • Implement high security standards in order to provide a high level of security for our services.
  • Notify you as soon as possible in the event of a data breach.
  • Assist you in meeting your regulatory obligations by providing you with adequate documentation of our services.

These commitments are concretely transcribed in our General Terms and Conditions of Sale (GTC). As such, and unless otherwise specified, they are enforceable by any customer against KissLabs in its capacity as a subcontractor.


KissLabs as data controller and its commitments

KissLabs is qualified as a 'data controller' when it determines the purposes and means of 'its' processing of personal data.

This is typically the case when KissLabs collects data for billing purposes, collection management, service quality and performance improvement, direct marketing, commercial management, etc., but also when KissLabs processes the personal data of its own employees.

In this case, 'your' data, the data you store on KissLabs' services, are not concerned. On the other hand, some information about you or your employees (identity and contact details of the KissLabs contact person when requesting technical assistance, for example) may be. This is why KissLabs would like to give you some insight into the guarantees implemented to ensure the protection of this personal data.

  • limit the collection of data to what is strictly useful: this is why, when ordering a service, you only provide information that is necessary for KissLabs to provide billing and support services or to comply with its own legal obligations regarding data retention.
  • do not use the data collected for purposes other than those for which they were collected.
  • keep personal data for a limited and proportionate period of time. For example, data processed for the purpose of managing the relationship between the customer and KissLabs (surname, first name, postal address, e-mail, etc.) are kept by the company for the duration of the contract and the following thirty-six (36) months. At the end of this period, they are deleted on all media and backups.
  • do not transfer this data to third parties.
  • implement appropriate technical and organizational measures to ensure a high level of security (audit, physical and logical access limits, security of infrastructure and related equipment, monitoring, vulnerability management, incident management, business continuity management, employee training...).


Owner of the personal data stored on our infrastructure

Your data hosted on our infrastructure is your property and you are the sole owner.

KissLabs only accesses and uses it when necessary for the performance of the services and within the limits of its technical constraints. KissLabs refrains from reselling the said data, as well as any use for personal purposes (such as datamining, profiling or direct marketing activities).


Access to personal data stored on our infrastructure

KissLabs accesses data only in two situations:

  • During the tasks of technical support, access to customer data remains restricted thanks to specific authorizations and control and security measures:
    • When the customer contacts the KissLabs support, depending on the purpose of the assistance, two categories of data can be accessed. On the one hand, in order to process the customer's request as efficiently as possible, the support takes note of the information provided by the customer when creating his KissLabs account (name, first name, telephone number, e-mail address, etc.). On the other hand, and only at the express request of the customer, and subject to the technical constraints specific to each service, the support can have access to the data stored by the customer on the KissLabs services, in order to identify the origin of the problem encountered and to solve it.
  • In order to meet legal obligations in the context of judicial and/or administrative requests. These requests are very strictly regulated:
    • In order to act in accordance with the regulations in force, KissLabs is required to respond to requests from judicial and/or administrative authorities. As access requests are subject to a strict legal regime, KissLabs will only authorize them after ensuring that the request is valid and well-founded. In addition, as soon as the request or the law does not prohibit it, KissLabs undertakes to inform the customer of the request.


Data location

All data stored by KissLabs are hosted in Switzerland, near Geneva, in a datacenter meeting Tier III, ISO 27001:2005, ISO 9001:2008 and FINMA standards.


Data transfer outside the European Union

KissLabs never transfers data from customers whose selected geographical area is in the EU to the United States of America or any other country outside the EU.


And what about our suppliers?

We pay a lot of attention to the proper management of your data, so it seems natural to us to ensure that our suppliers do the same. Several of our suppliers are already GDPR compliant and therefore offer a lot of documentation on this subject:

  • Microsoft: the Redmond-based publisher provides many articles, advice and tools to help you validate its GDPR compliance. You will find all the resources directly in its Microsoft Trust Center.
  • Citrix: the publisher also offers a space dedicated to the GDPR theme containing all the necessary resources and tools. More information in "How to prepare for the General Data Protection Regulation (GDPR) with Citrix solutions".
  • VEEAM: the backup solutions publisher proposes a white paper on Veeam's compliance with GDPR.
  • VMware: also proposes a white paper on its personal data management for its different services. You can find it directly here.
  • Bitdefender: also offers a resource centre on the approach and tools made available to meet the GDPR requirements. More information on the Ent GPDR page.
  • Infomaniak: offers a page that explains its compliance with GDPR and its areas of work.

This list is likely to evolve according to the partners with whom KissLabs works.

Some of our partners are not subject to GDPR legislation, due to their location and the nature of their services. However, KissLabs ensures that the data collected is limited to the strict minimum needed for them to fully provide their services. We also ask that the data be stored in accordance with good practice in the field and accessed only by authorised persons.


Data Protection Officer (DPO)

KissLabs has chosen to appoint a DPO, whose role and missions are partly provided for by European regulations. The DPO is perfectly independent in the performance of its missions: it is the internal guarantor of the compliance of KissLabs' data processing activities.

Fully dedicated to this mission, Romain Amardeil, DPO at KissLabs, has the necessary resources to exercise his role without conflicts of interest and in complete independence. He advises the company's operational staff and managers on the obligations and best practices that KissLabs must implement in terms of personal data protection. In practice, he regularly raises awareness among and trains the group's employees, responds to their privacy-related requests, implements a 'privacy by design' and 'privacy by default' approach, particularly in the development of new offers for customers, and manages relations with the supervisory authorities.

He is also the contact person for all customers wishing to obtain appropriate guarantees regarding the measures implemented to ensure their compliance with the regulations, including the GDPR. He can be contacted directly at the address dpo at kisslabs dot ch or via the contact form.