CallidusCloud & GDPR: Frequently Asked Questions

What is GDPR & when does it come into effect?

• GDPR stands for General Data Protection Regulation affecting “processing” (which includes the collection, storage, transfer or use) of personal data related to EU citizens, wherever they may be located physically.
• This is a new EU regulatory scheme designed to replace a patchwork of laws with a single regulation that is enforced throughout the entire European Economic Area.
• GDPR protects the privacy rights of EU citizens and empowers their control of the collection and use of their personal data by giving them expended right in relation to their personal data.
• GDPR also places new obligations on organizations that market to, track or handle EU personal data, no matter where an organization is located.
• The regulation will take effect in May 2018.

What constitutes personal data?

• Any information related to a natural person (called a ‘data subject’) that can be used to directly or indirectly identify the person.
• This is very broad and can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer IP address.

What is the difference between a data processor and a data controller?

• A controller is the entity that determines the purposes, conditions and means of the processing
  of personal data.
• A data processor is an entity which processes personal data on behalf of the controller.
• In some instances, an organization can qualify as both.

Is CallidusCloud a data processor or data controller in regard to my personal data?

• CallidusCloud acts as a data processor (or sub-processor) for personal data provided to CallidusCloud through our Customers and other third parties such as partners.
• If a data subject provides their personal data directly to CallidusCloud (such as a website visitor, a conference attendee, an employee, etc.) CallidusCloud acts as the data controller for that personal data. Note, if CallidusCloud also processes that personal data in some fashion, CallidusCloud also qualifies as a data processor in regard to that personal data.

How is CallidusCloud as an organization affected?

• CallidusCloud sees the GDPR as on opportunity to strengthen our commitment to protecting personal data company-wide at a global level. CallidusCloud is instituting an internal Data Protection Program outlining the many ways in which CallidusCloud supports the protection of personal data and ensures compliance with the GDPR (and any similar legislation).
• Our goal is to make CallidusCloud’s data protection policies and efforts more transparent throughout our organization so employees, customers, & partners may fully understand our commitment to data protection and the related practices needed to reinforce that commitment at all levels of engagement.

Is CallidusCloud prepared to handle the new data processor obligations imposed under GDPR?

• For CallidusCloud, keeping customer data secure is the highest priority. Along with ensuring data security, it is important that a customer’s confidence is always maintained and a high level of security around processes and protection is strongly demonstrated.
• At CallidusCloud, we strongly value and base our business on the trust that our customers have placed upon us and will continue to earn and reinforce that trusted relationship by cooperating with requests related to our GDPR obligations.
• CallidusCloud is committed to taking advanced measures to support and continuously enhance the security of our systems, to ensure that we collect and process personal data in a manner compliant with GDPR or any similar legislation.
• CallidusCloud Management strongly believes that “IT Security/Compliance is a key Business Enabler within a cloud company” and “Information Security Objectives and Strategy must be aligned with CallidusCloud’s Business Objectives and Business Strategy”.
• As such, CallidusCloud has established a Data Protection Committee headed by our board-elected Data Protection Officer, Drew Grasham. The Data Protection Committee is tasked with completing CallidusCloud’s internal GDPR compliance initiatives well in advance of the May 2018 GDPR enforcement date.

Who can we reach out to for further details regarding CallidusCloud’s efforts in regard to GDPR compliance?

Should you have any questions on the ways in which CallidusCloud is preparing for and complying with the upcoming enforcement of the General Data Protection Regulation, please reach out to our Data Protection Committee by emailing us at SAP.CX.Legal-Privacy@sap.com.