Atea compliance with GDPR

GDPR (General Data Protection Regulation) is the EU regulation for protection of personal data that came into force at May 25th, 2018 and it has replaced the 95/46/EC Directive for protection of personal data. Regulation has strengthen the rights that EU citizens have over their personal data.

Atea values privacy, for both our customers and our employees. We are committed to GDPR compliance. To comply with GDPR requirements, Atea has evaluated all areas related to personal data across Atea:

  • Mapped and analysed all systems/applications collecting personal data to make all systems GDPR compliant
  • Implemented new common Data Subject processes
  • Adjusted processes handling personal data – Services, IT, Sales, Marketing, HR to make processes processing personal data to be GDPR compliant
  • Evaluated services where we process personal data for our customers to sign Data Processing Agreements where needed
  • Evaluated vendors and sub-contractors to sign Data Processing Agreements where needed

In parallel to the GDPR implementation, Atea has evaluated all data centres, offices and infrastructure based on ISO 27001 requirements for securing the best possible security of personal data. GDPR Awareness training has also been carried out to employees across Atea.

All Atea subsidiaries have implemented the same security controls and processes to unify the security level across the Atea Group.

To ensure continuous data protection and fulfilment of GDPR requirements, Atea has Data Protection Officers in all Atea subsidiaries and GDPR compliance will be monitored with regular audits.

Customer information regarding transfer of personal data to third country and the Schrems II case

Atea values data privacy and being a trustworthy supplier we are committed to keep your data secure. In a recent decision, the European Court of Justice ruled in Case C-311/18 (the “Schrems II case”) that the EU-US Privacy Shield Agreement does not provide adequate protection for personal data when  transferred to the US. The invalidation of the Privacy Shield means that personal data controllers within the EU, are no longer allowed to transfer personal data to recipients in the United States on the basis of the Privacy Shield.

Because the court’s judgement had immediate effect, customers have asked how this decision impacts Atea, including our actions taken to ensure that the transfers of data are valid.

Accordingly we review the legal mechanism we use for third-country transfers in our agreements to align with Schrems II court decision. This means that we perform risk assessments for each U.S.- based vendor and sub-processor for required level of protection and use of Standard Contractual Clauses to comply with Chapter V of the General Data Protection Regulation on the transfer of personal data to third countries.

Bruno Jänes
Teenuste- ja müügi arendusdirektor