There is no doubt that Zoho has to comply with the GDPR, not just because we have set up our Data Center and office in Europe, but also because we provide goods and services to European businesses and because our customers process personal data of European data subjects. And yes, we comply!
We've worked hard to ensure that our compliance project is expansive and inclusive of all aspects of data processing by Zoho. You can find more information about our GDPR compliance efforts here.
This blog is an attempt to show how ISO 27701 (Privacy Information Management System, or PIMS), which Zoho is certified for, is interwoven with the requirements of the GDPR, and to help the reader understand how Zoho endeavours to demonstrate compliance with the GDPR through the PIMS.
- This blog is just an attempt and should not be construed as legal advice. It does not capture the minute details of the compliance but is to be understood as a summary of the programs.
- The terms PII, Personal Information and Personal Data are used interchangeably in this blog, though there are definite variations between them.
- PII Controller and PII Processor are equivalent to Data Controller and Data Processor as defined in the GDPR.
ISO 27701 applies to both PII Controllers and PII Processors. Learn more about Zoho's compliance with the ISO 27701, its scope and applicability.
Here's an alignment layout of the major articles of the GDPR with the PIMS.
Principles relating to processing of personal data
Article 5 - The principles laid out by the GDPR form the base framework of the PIMS as the privacy principles of the system are based on the ISO 29100 (Privacy Framework).
Lawfulness of processing
Article 6 - Control 7.2.2 of the PIMS requires the identification and documentation of the lawful basis of processing. The lawful bases of processing mentioned by the GDPR are captured in our descriptive documentation of the activities.
Conditions for consent
Article 7 - Control 7.2.4 of the PIMS sets out the requirements to be followed while obtaining and recording consent. The GDPR-specific requirements are captured in our internal documentation, and changes have been made in our processes where applicable.
Conditions applicable to child's consent
Processing of special categories of personal data
Article 9 - The above-mentioned controls of the PIMS have additional guidance on the processing of data belonging to special categories (also referred to as 'special categories of data' in the GDPR).
Processing which does not require identification
Article 11 - Controls 7.4.4 and 7.4.5 of the PIMS provide guidance on the need for de-identification and the possible methods to achieve it. Our internal policies contain detailed processes for achieving the same.
Rights of the data subject
Articles 12, 13, 14 - Controls 7.3.2, 7.3.3, 7.3.6 of the PIMS provide information on the requirements for transparency, provision of notice to data subjects, timing requirements and the information that must be present.
Right of access by the data subject
Article 15 - Control 7.3.8 of the PIMS captures the requirement to provide data subjects with a copy of their data, formats, exceptions, timing requirements and the information to be provided.
Right to rectification
Article 16 - Control 7.3.6 of the PIMS captures the requirement to allow data subjects to access and correct their information without undue delay unless there are exceptions for the same.
Right to erasure
Article 17 - Control 7.3.6 of the PIMS captures the requirement to have written processes to handle requests for erasure of personal information.
Right to restriction of processing
Article 18 - Control 7.3.4 of the PIMS requires a mechanism to allow data subjects to restrict certain processing of their personal information.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 19 - Control 7.3.7 of the PIMS captures the need to inform all the relevant parties of these changes in the data pertaining to the requests for rectification and/or erasure or restriction of processing.
Right to data portability
Article 20 - Control 7.3.8 of the PIMS captures this requirement to provide the personal information of the data subject to them and where feasible to directly transfer it to another PII Controller.
Right to object
Article 21 - Control 7.3.5 of the PIMS requires a provision allowing data subjects to object to the processing of their personal information.
Automated individual decision-making, including profiling
Article 22 - Control 7.3.10 of the PIMS provides guidance on automated decision making. GDPR's specific requirements are captured in our policies and procedures in order to be followed if and when such processing is performed by Zoho.
All the above controls have been reinforced with GDPR's specific requirements.
Controller and Processor
Responsibility of the controller
Article 24 - The PIMS is an extension of the ISO 27001 standard and therefore all the applicable technical and organisational policies, procedures and measures are leveraged along with specific inclusions for the processing of personal information.
Data Protection by design and by default
Article 25 - All the sub-controls under Control 7.4 provide the principles of data protection by design and by default for all aspects of processing, right from the collection to the disposal phase. For a PII Processor, similar requirements are specified under Control 8.4.
Article 26 - Control 7.2.7 of the PIMS captures the joint controllership related requirements, with guidance on the essential points to be captured in the agreement between the parties.
Article 28 - All controls under 8 provide guidance specific to PII Processors. Technically, since Zoho is ISO 27018 (Protection of PII in public cloud providers acting as PII Processors) certified, the majority of the controls under Control 8 of the PIMS are adhered to. Here are some specific details of how this maps to the GDPR.
28(1) - Zoho provides adequate technical and organisational measures appropriate to the level of risk and sensitivity of the data being processed. Our products provide you with options to choose the level of security and privacy protections required based on the data that you process using our platforms. A DPA can also be signed with us in this regard. Controls 22.214.171.124, 7.2.6 require proper agreements with the third parties whom we engage for the processing of personal information. They are subject to a stringent onboarding process where their compliance measures are assessed for conformance with our requirements for providing adequate technical and organisational measures.
28(2) - Control 8.5.7 lays down the guidance for engaging third party sub processors. Our DPA captures relevant authorisation and the notification requirements.
28(3) - Controls 8.2.1, 8.2.4, 8.3.1 lay down the specifics to be captured in the agreement between a PII Controller and PII Processor, and require PII Processors to help PII Controllers cater to the rights of their data subjects.
28(4) - Controls 8.5.7, 8.2.1, 8.5.8 provide guidance on engaging further sub processors.
Processing under the authority of the controller or processor
Article 29 - Controls 8.2.2, 6.11.3 of the PIMS require that personal information be processed on the documented instructions of the PII Controller and for the specified purposes only.
Records of processing
Article 30 - Controls 8.2.6 (PII Processor) and 7.2.8 (PII Controller) of the PIMS lay down the requirement to maintain records of the processing of personal information.
Cooperation with the supervisory authority
Article 31 - Controls 5.2.2, 126.96.36.199, 188.8.131.52, 184.108.40.206, 8.2.1 of the PIMS specify the requirements to co-ordinate with the authorities.
Security of processing
Article 32 - All applicable controls under the ISMS and PIMS provide the structural framework, and the implementation of the policies of the systems enables the security of processing. These include technical and organisational measures such as HR, Physical security, IT Security, Awareness and Training, Logging and Monitoring, Encryption, Media Handling, Data Classification, User Access Management, Risk Management, DR, BCP, Capacity Management, Remote Working and the like.
Incident Management & Breach Notification
Articles 33, 34 - Controls under 6.13, 8.2.1 of the PIMS require notification of an incident to the relevant stakeholders, including the Supervisory Authorities (as a PII Controller), the PII Controller (as a PII Processor) and the affected data subjects (as a PII Controller). The DPA covers the relevant obligations that are required under these controls.
Data Protection Impact Assessment
Article 35 - Controls 220.127.116.11, 7.2.5, 8.2.1 of the PIMS specify the requirements of a Privacy Impact Assessment and to record the outcomes.
Data Protection Officer
Articles 37, 38, 39 - Controls 18.104.22.168, 7.3.1 of the PIMS lay down the requirements to have a dedicated person or team to run the compliance program and provide guidance on the roles and responsibilities of such person(s). The PIMS makes a mention of the DPO, but GDPR's requirements of and for a DPO have been included in our policies and procedures.
Transfers of personal data
As mentioned at the beginning, this blog does not aim to provide all the details of the compliance program. You may reach out to firstname.lastname@example.org if you need further information on compliance with specific obligations. Do read our FAQ to find answers to some of your questions!