FAQs: Data Protection Compliance
At xneelo, we care deeply about the security of the data you store on our servers, as well as the protection of your personal data you provide to us to manage your xneelo account.
We support the new data protection laws that have recently or will soon be coming into effect, as they raise the bar for data protection, security, and compliance in the industry.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law which becomes enforceable on 25 May 2018. It aims to strengthen the security and protection of personal data in the EU.
The law determines how entities must process, protect and notify users regarding their personal data for anyone living in the European Union. This includes all aspects of collecting, storing, transferring or using that data.
While we only have a small number of EU customers, we take the protection of your personal data very seriously and have positioned ourselves to comply with relevant data protection laws.
What is POPIA?
The Protection of Personal Information Act (POPIA) is a new South African privacy law which becomes enforceable on 1 July 2021. It aims to strengthen the security and protection of personal data in South Africa.
POPIa is very similar to the GDPR but uses slightly different terminology.
- Rather than a controller, POPIA refers to a responsible party.
- Rather than a processor, POPIA refers to an operator.
- Rather than personal data, POPIA refers to personal information.
What is Personal Data?
“Personal data” as defined by data protection law is broad and includes:
- Direct personal information e.g. names and contact details, as well as
- Indirect identifiers such as email addresses and IP addresses.
Note: GDPR applies to the personal data of natural persons and not legal persons, like companies. This differs from POPIA, which applies to the personal information of both natural and legal persons.
What is xneelo’s role as defined by data protection law?
Two main roles are identified in the legislation:
- The Controller (or responsible party) of Personal Data: the entity which determines why and how the data is processed.
- The Processor (or operator) of Personal Data: the entity which processes personal data on behalf of the controller.
Examples of Processing are storage, recording, organisation or retrieval. In the context of different activities, xneelo is both a Data Processor and a Data Controller.
Controller: We act as a data controller for the customer information we collect from you when you order products and services from us. This personal data includes details such as names and contact information.
Processor: We act as the data processor and you are the controller of data that is uploaded to your hosting account or server, as we store this data on your behalf.
Your website may capture the personal information of your clients e.g. placing orders, email or newsletter subscriptions, processing payment or online bookings. You control this data and how it gets collected and used, and xneelo processes this data by storing it on our servers.
Does the GDPR apply to xneelo Resellers, designers and developers?
Yes, if you provide products or services to people in the EU.
A Reseller of xneelo services acts as a processor and xneelo becomes a sub-processor of the information uploaded to your hosting package on xneelo servers.
If you have EU clients, then you need to comply with the GDPR in the following roles:
- You will be the controller of the personal data that you store in order to contact your customer.
- You will also be a processor of personal data uploaded to your hosting package on our servers.
What personal customer data do we collect and store?
We store personal data that is voluntarily provided by customers when:
- registering with xneelo
- placing orders for our products and services
- requesting customer support
- signing up for our newsletters.
While we control what information is collected and stored, you are able to amend or remove your personal details online at any time.
Only the information that is required to implement our services is stored. Customer personal data is forwarded only to accredited third-parties that we have contracted to offer specialist services, such as domain registrations.
We also may collect other identifying information from our customers, such as IP address, SSH public keys or Oauth tokens for external services.
EU personal data may be stored on our servers when customers use their website or server to collect or store data. We have no knowledge, control or access to this data, but as we store the data, we act as the data processor.
What is the “Right to be forgotten”?
The “right to erasure” or “right to be forgotten” means that you have the right to update or have your personal information deleted when it is no longer needed, such as if you cancel your xneelo services.
You can update or delete any contact details via your konsoleH control panel. If you no longer have services with us and want to delete your entire xneelo account, contact firstname.lastname@example.org.
Note that historic invoices, which contain name and contact details, can not be deleted for legal reasons.
What has xneelo done to comply with data protection laws?
- We have conducted an audit of business processes that deal with personal data of individuals and other subjects, including how we collect, process and store this data securely.
- We have received and implemented qualified legal advice from Michalsons Attorneys, as experts in the field of Privacy and Data Protection.
- We have audited our “Right to be Forgotten” process to ensure that customers leaving xneelo can have their personal information deleted.
- We have implemented a Privacy by Design and by Default Policy (PbD Policy).
- We have appointed a representative in the EU.
- We have updated our incident response policies and procedures.
Does xneelo have a Data Processing Agreement (DPA)?
As the controller, data protection law requires you to conclude agreements with your processors when they process the personal data of your data subjects. Some customers require their processors to sign a Data Processing Agreement (DPA) to fulfil this requirement.
At xneelo, we have taken the proactive step to update our Hosting Terms in line with our requirements in data protection law. This means that you don’t need to use a DPA, because these requirements have been included in our Hosting Terms under the ‘Data Protection’ section.
This section describes the steps we take to ensure that we meet our processor obligations when we provide services to you. You can view our Terms of Service.