At smeMetrics, we care deeply about the security of the data you store on our servers, as well as the protection of your personal data you provide to us to manage your smeMetrics account.
We support the new data protection laws that have recently or will soon be coming into effect, as they raise the bar for data protection, security, and compliance in the industry.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law which becomes enforceable on 25 May 2018. It aims to strengthen the security and protection of personal data in the EU.
The law determines how entities must process, protect and notify users regarding their personal data for anyone living in the European Union. This includes all aspects of collecting, storing, transferring or using that data.
While we only have a small number of EU customers, we take the protection of your personal data very seriously and have positioned ourselves to comply with relevant data protection laws.
What is POPIA?
The Protection of Personal Information Act (POPIA) is a new South African privacy law which becomes enforceable on 1 July 2021. It aims to strengthen the security and protection of personal data in South Africa.
POPIA is very similar to the GDPR but uses slightly different terminology.
- Rather than a controller, POPIA refers to a responsible party.
- Rather than a processor, POPIA refers to an operator.
- Rather than personal data, POPIA refers to personal information.
What is Personal Data?
“Personal data” as defined by data protection law is broad and includes:
- Direct personal information, e.g. names and contact details, as well as
- Indirect identifiers such as email addresses and IP addresses.
Note: GDPR applies to the personal data of natural persons and not legal persons, like companies. This differs from POPIA, which applies to the personal information of both natural and legal persons.
What is smeMetrics’ role as defined by data protection law?
Two main roles are identified in the legislation:
- The Controller (or responsible party) of Personal Data: the entity which determines why and how the data is processed.
- The Processor (or operator) of Personal Data: the entity which processes personal data on behalf of the controller.
Examples of Processing are storage, recording, organisation or retrieval. In the context of different activities, smeMetrics is both a Data Processor and a Data Controller.
Controller: We act as a data controller for the customer information we collect from you when you order products and services from us. This personal data includes details such as names and contact information.
Processor: We act as the data processor and you are the controller of data that is uploaded to your smeMetrics account, as we store this data on your behalf.
Your smeMetrics account may capture the personal information of your clients, e.g. client details and treatments, or when processing payments or sending out reminders. You control this data and how it gets collected and used, and smeMetrics processes this data by storing it on our servers.
Does the GDPR apply to smeMetrics Clients?
Yes, if you provide products or services to people in the EU.
A Client of smeMetrics acts as a processor and smeMetrics becomes a sub-processor of the information uploaded to your smeMetrics account.
If you have EU clients, then you need to comply with the GDPR in the following roles:
- You will be the controller of the personal data that you store in order to contact your customer.
- You will also be a processor of personal data uploaded to your smeMetrics account on our servers.
What personal customer data do we collect and store?
We store personal data that is voluntarily provided by customers when:
- registering with smeMetrics
- placing orders for our products and services
- requesting customer support
- signing up for our newsletters.
While we control what information is collected and stored, you are able to amend or remove your personal details at any time by sending an email to email@example.com.
Only the information that is required to implement our services is stored. Customer personal data is forwarded only to accredited third parties that we have contracted to offer specialist services, such as medical aid submissions.
We may also collect other identifying information from our customers, such as IP addresses, SSH public keys or OAuth tokens for external services.
EU personal data may be stored on our servers when customers use their smeMetrics account to collect or store data. We have no knowledge of, control over or access to this data, but because we store it, we act as the data processor.
What is the “Right to be forgotten”?
The “right to erasure” or “right to be forgotten” means that you have the right to have your personal information updated or deleted when it is no longer needed, such as when you cancel the smeMetrics services.
You can update or delete any contact details by sending an email to firstname.lastname@example.org or updating it in your own smeMetrics account. If you no longer have services with us and want to delete your entire smeMetrics account, contact email@example.com.
Note that historic invoices, which contain name and contact details, cannot be deleted for legal reasons.
What has smeMetrics done to comply with data protection laws?
- We have conducted an audit of business processes that deal with personal data of individuals and other subjects, including how we collect, process and store this data securely.
- We have received and implemented qualified legal advice from The Chartered Governance Institute of Southern Africa, South African Institute of Tax Professionals and Werksmans Attorneys.
- We have audited our “Right to be Forgotten” process to ensure that customers leaving smeMetrics can have their personal information deleted.
Does smeMetrics have a Data Processing Agreement (DPA)?
Data protection law requires you, as the controller, to conclude agreements with your processors when they process the personal data of your data subjects. Some customers require their processors to sign a Data Processing Agreement (DPA) to fulfil this requirement.