NAVER CLOUD PLATFORM and
The General Data Protection Regulation (GDPR) is a revised personal data protection law for protecting the personal information of European Union data subjects.
It has been widely recognized as the privacy law with the widest regulatory scope and concept among the well-known privacy laws of the past 20 years.
All companies around the world that deal with the privacy of EU residents must comply with this law.
NAVER CLOUD PLATFORM is committed not only to GDPR compliance,
but also to helping its customers comply with the GDPR in their own business activities.
NAVER CLOUD PLATFORM's efforts to comply with the GDPR
NAVER CLOUD PLATFORM is making every effort to internally audit and achieve its own GDPR compliance and to address the challenges of protecting customer privacy.
In order to secure personal information and guarantee data subjects' rights to the fullest extent, we have obtained reliable legal advice from local law firms and EU legal counsel on complying with the GDPR, which requires strict handling of personal information.
We have revised the Privacy Notice (Personal Information Handling Policy) to comply with the GDPR, for example by providing the relevant information to data subjects, in order to ensure fair and transparent handling of customer information. We will continue to update the Privacy Notice to ensure transparency in the processing of personal information.
When customer personal information is handled on NAVER CLOUD PLATFORM in compliance with the GDPR, a Data Processing Addendum (DPA) is provided as part of the agreed contract. The customer is the controller of their personal information, and NAVER CLOUD PLATFORM is designated as the customer's data processor. The DPA includes the EU Model Clauses. Customers who wish to transfer personal information from the European Economic Area (EEA) to countries outside the EU can, through NAVER CLOUD PLATFORM, receive the same high level of privacy protection as within the EEA.
Even before the GDPR came into effect, we built personal information protection into our services and products from the design phase onward and focused on developing security technologies. This is a principle we abide by. In addition, we regularly inspect and monitor our products and services to ensure that they do not infringe on the privacy rights of our customers.
In order to protect customer privacy and comply with the GDPR, NAVER CLOUD PLATFORM, as a processor, is investing in the highest level of security to ensure that appropriate technical and organizational measures are implemented. We hold international certifications in ISO/IEC 27001 (Information Security Management) for systematic and continuous security management, ISO/IEC 27017 (Security Controls for Cloud Services), and ISO/IEC 27018 (Protection of Personally Identifiable Information in the Cloud). We are also certified under Service Organization Control (SOC) 2 and 3 for internationally recognized internal control audits, and under PCI DSS, the PCI Security Standards Council's international data security standard for protecting payment information. We are the first Korean cloud service provider to be CSA STAR certified and have a proven record of cloud service security. NAVER CLOUD PLATFORM will continue to verify its security and privacy levels in order to provide our customers with the best certified service.
Supporting GDPR Compliance
- What is the GDPR?
- The General Data Protection Regulation (GDPR) is a new European Union privacy law that took effect on May 25th, 2018. The GDPR replaced the EU Data Protection Directive (also known as Directive 95/46/EC) and is a strong privacy law that applies as uniformly binding data protection law in every EU member state.
- Who must comply with the GDPR?
- (1) All companies in the EU that handle personal information, and (2) organizations not established in the EU that handle personal information when offering products or services to EU data subjects or monitoring their activities within the EU. In other words, the GDPR applies not only to companies in Europe but to companies all over the world.
- What is the difference between the GDPR and the previous EU Directive?
- The previous Directive was a recommended level of regulation, while the GDPR is a binding law that applies equally to all member states. The GDPR introduces new requirements, such as the designation of a data protection officer (DPO), keeping and maintaining records of personal information handling, conducting privacy impact assessments, and strengthened company responsibilities, such as designating representatives across regions, restrictions on information handling, the right to data portability, and the other rights of data subjects.
- How is NAVER CLOUD PLATFORM prepared for the GDPR?
- NAVER CLOUD PLATFORM has invested heavily in its own regulations and technologies. Beyond that, we focused on security and privacy protection even before the GDPR came into effect and have maintained compliance with various Korean and international standards.
On top of that, we have already reviewed our processes for handling personal information and conducted a separate review against the GDPR requirements. Data handling contracts that comply with the GDPR are also provided to our customers and apply automatically to their services.
In order to protect customer privacy under the GDPR, NAVER CLOUD PLATFORM, as a processor, is investing in the highest level of security to ensure that appropriate technical and organizational measures are implemented. To demonstrate our dedication to this principle, we have obtained ISO/IEC 27001, 27017, and 27018 certification, SOC 2 and 3 certification, and PCI DSS (PCI Security Standards Council) certification. We are the first Korean cloud service provider to be CSA STAR certified and have a proven record of cloud service security.
- What services does NAVER CLOUD PLATFORM provide to help its customers comply with the GDPR?
- The customer is the controller of the third-party personal information contained in the customer's business assets on NCP and must implement appropriate technical and administrative measures to ensure an appropriate level of security, including:
(1) Pseudonymization and encryption of personal information;
(2) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(3) The ability to restore the availability of and access to personal information in a timely manner in the event of a physical or technical incident;
(4) Regular testing and evaluation of the effectiveness of technical and organizational measures for ensuring information security.
NCP offers the following specific features and services to help customers meet these GDPR requirements:
O Encryption (to ensure confidentiality through the encryption of personal information and data)
E.g. Key Management Service, SSL VPN, IPSec VPN, and Data Teleporter
O Monitoring and logging (to provide an overview of NCP assets and ensure integrity and availability through security monitoring and logs)
E.g. Basic Security, Security Monitoring, App Safer, Site Safer, File Safer, Web Security Checker, System Security Checker, App Security Checker, and Cloud Log Analytics
- What can customers do to prepare for the GDPR?
- There are three stages you can consider in order to prepare strategically for the GDPR, depending on whether the GDPR applies to you and the time it will take to meet its compliance standards:
(1) Review your personal information handling processes to confirm whether they must meet GDPR requirements. (2) If the GDPR applies to you, immediately start implementing it, beginning with the requirements that apply to you first. (3) Consider the procedures for the changes, such as the budget and manpower required to change internal policies or technical measures (e.g. establishing a new information handling process or collecting evidence).
Here are some key factors that can help you meet GDPR compliance:
O Compliance Scope: All organizations established in the EU. Also, organizations established outside of the EU can fall under the scope of the GDPR, depending on their activities.
O Key Principles: You are required to understand the six principles of personal information handling and the six standards for ensuring secure handling, and you are responsible for documenting your compliance with them.
O Data Subject Rights: You are required to identify the flow of personal data through your business, and appropriate policy or technical measures must be implemented so that data subjects can exercise their rights, such as the right to data portability and the right to object.
O Controller and Processor: Most of the GDPR consists of stipulated obligations, so it is important to identify your role and understand the rules each entity must fulfil. The obligations to be met include designating DPOs, designating representatives, keeping records of personal information handling, conducting privacy impact assessments, data protection by design and by default, and reporting and notifying personal information breaches.
O Transfer of Personal Information outside the EU: The GDPR permits transfers to other countries if an appropriate level of personal information protection is ensured. You need to understand the detailed rules for transfers outside the EU and choose the appropriate mechanism.
- Is NAVER CLOUD PLATFORM a controller or a processor under the GDPR?
- NAVER CLOUD PLATFORM is both a controller and a processor under the GDPR.
O NAVER CLOUD PLATFORM as controller: NAVER CLOUD PLATFORM acts as a controller when it collects personal information about customer accounts and payment information for the service, and determines the purpose and means of processing the personal information collected to support customer inquiries and operations.
O NAVER CLOUD PLATFORM as processor: When customers and partners use the service to process personal information included in their business content, NAVER CLOUD PLATFORM acts as a processor. Customers and partners can use NAVER CLOUD PLATFORM products and services to process personal information included in their content. In this case, the customer or partner may act as a controller or a processor, and NAVER CLOUD PLATFORM acts as a processor or subprocessor. NAVER CLOUD PLATFORM provides a Data Processing Addendum (DPA) for the GDPR that reflects its role and commitments as a processor.
- Does NAVER CLOUD PLATFORM provide a GDPR-compliant Data Processing Addendum (DPA)?
- All customers who process personal information using cloud services must enter into data processing agreements with their cloud service providers to comply with the GDPR. NAVER CLOUD PLATFORM provides GDPR-compliant DPAs to its customers. We guarantee the following:
O NAVER CLOUD PLATFORM processes customer data only in accordance with the customer agreement.
O NAVER CLOUD PLATFORM applies robust and flexible technological and administrative safeguards for the use of NAVER CLOUD PLATFORM products and services.
O NAVER CLOUD PLATFORM notifies customers without undue delay in the event of a personal data breach.
O NAVER CLOUD PLATFORM provides a copy of the certification of privacy and security standards upon the customer's request.
- How does the GDPR affect the relationship between customers and NAVER CLOUD PLATFORM?
- Cloud service providers typically offer services in the form of IaaS, PaaS, and SaaS. In such an environment, security and regulatory compliance are a shared responsibility between the cloud service provider and the customer. This shared model reduces the customer's burden of operating infrastructure as well as their security and compliance burden.
The same is true of the GDPR regulatory environment. NAVER CLOUD PLATFORM is a processor or subprocessor and is responsible for protecting the underlying infrastructure that supports the cloud (hardware, software, network, and physical facilities). The customer is a controller or processor and is responsible for all handling of personal data included in the content stored on NAVER CLOUD PLATFORM.