GDPR in a Few Words

The GDPR (General Data Protection Regulation), or Règlement général sur la protection des données (RGPD) in French, is a European Union regulation that has applied since May 25, 2018. It gives people in the European Union back control over their personal data, and its aim is to make the organizations that hold and process that data, in effect its custodians, more accountable.

France's data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), published a revised Personal Data Security Guide (Guide de la sécurité des données personnelles) in 2024.

Personal Data

The GDPR (Article 4) defines personal data, and the CNIL repeats the definition, as "any information relating to an identified or identifiable natural person".

In other words, data is "personal" as soon as it relates to someone who is identified or can be identified, directly or indirectly. Names, addresses, telephone numbers, photos, biometric data, opinions and geolocation data are all examples, and some of them (biometric data used to identify a person, political or religious opinions) belong to the special categories that the GDPR protects even more strictly. This information is handled by all kinds of entities, whether companies, associations or local authorities.

Types of Identification and Processing of Personal Data

There are two types of identification:

  • direct identification (surname, first name, etc.);
  • indirect identification (an identifier such as a customer number, a telephone number, etc., or a combination of data that singles a person out).

It should also be noted that "processing" personal data means performing any operation or set of operations on it, including, for example:

  • keeping a customer file;
  • collecting prospect contact details via a questionnaire;
  • updating a supplier file.

Reasons Behind the Introduction of the GDPR

In today's digital world, whether we are customers, suppliers, users or employees, we leave behind a wealth of personal data, more often than not without our knowledge.

Even if we have nothing to hide, our personal data is information we do not want to pass on to just anyone. And yet, whether through carelessness, ignorance or simply because we cannot do anything about it, we do it all the time!

That is why the European Union adopted the GDPR in 2016, applicable from May 25, 2018, to force entities holding our data to be transparent about how it is used.

Objectives of the GDPR

The GDPR essentially has three objectives:

  • to strengthen the rights of individuals;
  • to make those who process data (controllers and processors) more accountable;
  • to give credibility to regulation through enhanced cooperation between data protection authorities.

Entities subject to the GDPR

Whether or not they are established in Europe, companies, associations and local authorities that process the personal data of people in the European Union (for example by offering them goods or services, or by monitoring their behaviour) must comply with the GDPR.

The provisions of the GDPR are directly applicable in all 27 member states of the European Union and, through the EEA agreement, in Iceland, Liechtenstein and Norway. Business entities in Canada and Switzerland are not subject to it directly; instead, both countries benefit from an EU adequacy decision, which is what lets personal data flow to them (see below).

Adequacy status in Canada and Switzerland

In its review report of January 15, 2024, the European Commission confirmed that Canada's adequacy decision, which dates from 2001 and covers organizations subject to Canada's federal private-sector privacy law (PIPEDA), remains valid. Personal data may therefore be transferred from the EU to those Canadian organizations without additional safeguards such as standard contractual clauses. The country reports are available in this article from the European Commission: The Commission estimates that EU personal data flows can continue with 11 third countries and territories.

Commercial organizations in Canada, and organizations in Switzerland generally, are covered, as shown in the European Commission's article Adequacy decisions.

PlanetHoster and the GDPR

As far as PlanetHoster is concerned, there is nothing to worry about: we are subject to Canadian and Quebec law, and Canada's adequacy status means that EU personal data can be hosted with us without additional transfer safeguards. Our strict security policy obliges us to protect your personal data rigorously, and the necessary measures have long been part of our corporate culture.

Implementing the GDPR

One might be led to believe that implementing the GDPR is complex. In practice it is more methodical than difficult. For each piece of personal data, identify how it is processed and ask yourself:

  • why it is collected and on what legal basis;
  • how it is secured;
  • with whom it is shared;
  • what third parties do with it.

More specifically:

  • every processing activity must be recorded in a register of processing activities;
  • data must be minimized, i.e. only the data that is really necessary should be collected;
  • every person whose data is processed (the data subject, not only EU citizens) must be able to access their personal data, have it rectified or even have it deleted.

Consequences of Not Complying with the GDPR

Since May 25, 2018, entities that are not GDPR-compliant have been liable to penalties. Administrative fines can reach 10 million euros or 2% of worldwide annual turnover, and for the most serious infringements 20 million euros or 4%, whichever amount is higher. Individuals may also bring claims, including collective actions brought through representative bodies.

The image of an offending entity is obviously severely compromised. All the more reason to comply!

How does PlanetHoster Ensure GDPR Compliance?

At PlanetHoster, we are committed to continually implementing the necessary actions to ensure our compliance with all GDPR requirements.

First of all, it should be emphasized that we do not look at customer data. We store only the data that is essential. Furthermore, data is not transferred outside the cloud zone of the country concerned.

Data Processing at PlanetHoster

Natively, PlanetHoster retains little information:

  • first and last name;
  • postal address;
  • billing details, transmitted anonymously to the payment processor.

Connection Logs

For hosted data, and for the connection logs of the PlanetHoster customer area:

  • we do not access or use customer data;
  • customers may request additional restrictions on their accounts and services;
  • data and backups remain in the country the customer selected, which keeps them within the zone chosen for GDPR compliance.

Communications

Traffic between PlanetHoster sites travels over private, encrypted links.

Data Center Compliance

With regard to data security:

  • ISO 27001:2022 (planned);
  • ISO 27017 (planned);
  • ISO 27018 (planned);
  • SecNumCloud (planned);
  • SOC 1 Type II;
  • SOC 2 Type II;
  • PCI DSS;
  • HIPAA.

For availability (uptime), following the Uptime Institute tiers:

  • Tier III (99.982% availability);
  • Tier IV (99.995% availability).

Other standards contributing to our compliance:

  • ISO 50001 (energy management);
  • ISO 14001 (environmental management);
  • ISO 9001 (quality management).

ICANN Compliance

PlanetHoster rigorously complies with the requirements of the Internet Corporation for Assigned Names and Numbers (ICANN). For further details, please consult the ICANN website: https://www.icann.org/en.

Compliance with Quebec Privacy Laws

Law 25 (Loi 25 in French), adopted by Quebec's National Assembly in September 2021 and phased in between 2022 and 2024, has brought significant changes to Quebec's privacy laws. As a Quebec company, PlanetHoster must comply. It should be noted that this law is more demanding than the GDPR in several respects.

The Commission d'accès à l'information du Québec (Quebec’s commission for access to information) governs this law. For more details, we refer you to the Commission's publication entitled Vers la conformité à la Loi sur le privé (Towards compliance with the Private Sector Act).

Cookies

Our websites' handling of cookies follows the GDPR and the related ePrivacy rules on cookies. Here is a summary.

Prior Information Obligation

Before installing cookies on the user's device, our websites provide clear information on:

  • the types of cookies used (technical, analytical, advertising cookies, etc.);
  • the purpose of these cookies (for example, to personalize the user experience, track browsing patterns, perform statistical analysis, etc.);
  • how long the data collected by cookies is kept;
  • the possibility of managing or withdrawing consent at any time.

Easy Withdrawal of Consent

Users can withdraw their consent as easily as they gave it.

For example, a link or button to manage cookie preferences (or to deactivate them) is accessible at all times on the site.

Exemption for Strictly Necessary Cookies

Some cookies do not require prior consent. These “strictly necessary” cookies are essential to the proper functioning of the website, such as those used to maintain an active user session (session cookies) or to ensure site security.

The user is always informed of the presence of these cookies and their function.
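As an added example that is not PlanetHoster's code, the following JavaScript models the cookie rules above (prior information, no non-essential cookie before consent, withdrawal as easy as consent, and the exemption for strictly necessary cookies) as a small consent manager. The cookie categories, purposes and retention periods are assumptions chosen for illustration, and the cookie store is an in-memory Map so that the logic runs in Node; in a browser it would be backed by document.cookie.

```javascript
// Added example, not PlanetHoster's code: a minimal consent-gated cookie manager.
// Categories, purposes and retention periods below are assumed for illustration.
const COOKIE_CATEGORIES = {
  // Strictly necessary: exempt from prior consent, but still declared to the user.
  session:     { necessary: true,  purpose: "keeps the user's session active",       retention: "end of session" },
  security:    { necessary: true,  purpose: "anti-CSRF token protecting site forms", retention: "end of session" },
  // Non-essential: must not be written until the user opts in.
  analytics:   { necessary: false, purpose: "statistical analysis of browsing",      retention: "13 months" },
  advertising: { necessary: false, purpose: "advertising personalization",           retention: "13 months" },
};

class ConsentManager {
  constructor(jar = new Map()) {
    this.jar = jar;            // cookie name -> { value, category }; a browser would use document.cookie
    this.granted = new Set();  // non-essential categories the user has opted in to
  }

  // Prior information obligation: what the banner must show before any cookie is written.
  bannerInfo() {
    return Object.entries(COOKIE_CATEGORIES).map(([category, meta]) => ({
      category,
      purpose: meta.purpose,
      retention: meta.retention,
      requiresConsent: !meta.necessary,
      canWithdraw: !meta.necessary,
    }));
  }

  // Gate: strictly necessary cookies are always allowed, others only after opt-in.
  canSet(category) {
    const meta = COOKIE_CATEGORIES[category];
    if (!meta) return false;   // undeclared category: refuse rather than guess
    return meta.necessary || this.granted.has(category);
  }

  // Returns true if the cookie was written, false if consent is missing.
  setCookie(name, value, category) {
    if (!this.canSet(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  // Opt-in. Necessary categories are ignored: they need no consent and cannot be refused.
  grant(categories) {
    for (const c of categories) {
      const meta = COOKIE_CATEGORIES[c];
      if (meta && !meta.necessary) this.granted.add(c);
    }
  }

  // Withdrawal must be as easy as consent: one call drops the categories (all
  // non-essential ones by default) and deletes cookies already written under them.
  // Returns the sorted names of the cookies removed.
  withdraw(categories = [...this.granted]) {
    for (const c of categories) this.granted.delete(c);
    const removed = [...this.jar]
      .filter(([, cookie]) => categories.includes(cookie.category))
      .map(([name]) => name);
    for (const name of removed) this.jar.delete(name);
    return removed.sort();
  }

  cookieNames() {
    return [...this.jar.keys()].sort();
  }
}

// Walkthrough of a visit: necessary cookie first, analytics blocked, opt-in, then withdrawal.
function demo() {
  const cm = new ConsentManager();
  const steps = [];
  steps.push(cm.setCookie("sid", "abc123", "session"));      // true: strictly necessary
  steps.push(cm.setCookie("_ga", "GA1.2.1", "analytics"));   // false: no consent yet
  cm.grant(["analytics"]);
  steps.push(cm.setCookie("_ga", "GA1.2.1", "analytics"));   // true: consent given
  steps.push(cm.setCookie("ad_id", "xyz", "advertising"));   // false: category not granted
  steps.push(cm.withdraw(["analytics"]).join(","));          // "_ga" removed, "sid" kept
  return { steps, remaining: cm.cookieNames() };
}
```

The point of the design is that the gate sits in setCookie itself, so no script path can write an analytics or advertising cookie before consent, and withdrawal deletes what was already written rather than merely stopping future writes.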