Top GDPR Frequently Asked Questions

Disclaimer – These FAQs contain generalised answers for guidance on GDPR in the context of the MiX relationship. For the precise definitions and articles of the GDPR, refer to the supervisory authorities' own resources, e.g. the ICO (UK) and CNIL (France).

Select your role to find out how GDPR affects you.

 

  • Top 10 FAQs

    What is the GDPR?

    The GDPR (or General Data Protection Regulation) is the European Union Regulation that replaces the Data Protection Directive (95/46/EC) and, in the UK, the regime of the Data Protection Act 1998 (which is itself superseded by the Data Protection Act 2018).

    The regulation intends to strengthen and unify data protection for all individuals within the European Union (EU) as well as addresses the export of personal data outside the EU.

    When will the GDPR come into effect?

    The GDPR comes into effect on 25 May 2018. Due to this being an EU Regulation and not a Directive (as was the case with the legislation it is replacing), it comes into effect automatically across the EU on this date, without member states having to pass a specific law.

    Who does the GDPR affect?

    The GDPR applies to businesses and organisations established within the EU, and also to organisations established outside the EU if they offer goods or services to data subjects in the EU or monitor their behaviour there (Article 3).

    It therefore applies to any company processing or holding the personal data of data subjects in the European Union, regardless of where the company is located.

    What kind of information does the GDPR apply to?

    Similar to the Data Protection Directive (95/46/EC) and The UK Data Protection Act 1998, the GDPR applies to personal data. The current Data Protection Directive defines personal data as any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

    This definition mostly remains unchanged, but it is now more explicit: location data and online identifiers such as IP addresses and cookie identifiers are expressly in scope, and email addresses are also personal data.

    The GDPR also refers to special categories of personal data (often called sensitive personal data). These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed to uniquely identify a person, and data concerning health, sex life or sexual orientation. Processing them requires one of the additional conditions in Article 9.

    What responsibilities will organisations have under the GDPR?

    If an organisation handles personal data, the Information Commissioner’s Office (ICO) states:

    “You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design are now legally required in certain circumstances. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”

    What are the main data protection principles of the GDPR?

    Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

    • Processed lawfully, fairly and in a transparent manner.
    • Collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
    • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
    • Accurate and, where necessary, kept up to date.
    • Kept in a form which permits identification of data subjects for no longer than is necessary.
    • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

    Article 5(2) adds the accountability principle: the controller is responsible for, and must be able to demonstrate, compliance with the above.

    What rights will individuals have under the GDPR?

    There are 8 fundamental rights of individuals under GDPR. These are:

    The right to be informed: Organisations must provide fair processing information, with transparency over how personal data is used.

    The right of access: Individuals have the right to confirm that their data is being processed and to access their personal data.

    The right to rectification: Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

    The right to erasure: Also referred to as “the right to be forgotten”. In specific circumstances, for example where the data is no longer necessary for the purpose it was collected for or where the lawful basis no longer applies, an individual can require the deletion or removal of their personal data.

    The right to restrict processing: An individual's right to block or suppress the processing of their personal data.

    The right to data portability: Individuals can obtain the personal data they have provided in a structured, commonly used and machine-readable format, reuse it for their own purposes, or have it transmitted to another controller.

    The right to object: Individuals are entitled to object to their personal data being used. This includes use of personal data for direct marketing (where the objection must always be honoured), for scientific or historical research, or for the performance of a task in the public interest or on the basis of legitimate interests.

    Rights in relation to automated decision-making and profiling: The GDPR introduces safeguards to protect individuals against the risk of a potentially damaging decision being made solely by automated means, without human intervention.

    What will the penalties be for failing to comply with the GDPR?

    The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed.

    The maximum fine a company can face is 4% of its annual global turnover or €20 million, whichever is higher.

    Less serious violations, such as keeping improper records or failing to notify a breach, can be fined up to 2% of annual global turnover or €10 million, whichever is higher.

    What is the impact of Brexit on the GDPR?

    None. Firstly, the GDPR applies from 25 May 2018, before the end of the two-year Article 50 period (29 March 2019), so UK firms must comply. Secondly, even after the Brexit process is complete, UK firms that offer goods or services to, or monitor the behaviour of, data subjects in the EU still need to comply (Article 3(2)), and the UK's Data Protection Act 2018 carries the GDPR standard into domestic law.

    Do all organisations now have to appoint a Data Protection Officer (DPO)?

    It is not necessarily compulsory for all organisations to appoint a DPO. This will be dependent upon a number of factors. According to the ICO, a company should appoint a DPO if they:

    • Are a public authority (with the exception of courts acting in a judicial capacity)
    • Carry out large scale systematic monitoring of individuals, such as online behaviour tracking
    • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences

    Any organisation is able to appoint a DPO if they wish to do so. However, even if a company chooses not to appoint a DPO because the above doesn't apply to them, they must still ensure that they have sufficient staff and skills in place to be able to carry out their obligations under the GDPR.

  • For drivers

    What is a Data Subject?

    GDPR defines this as a natural person whose Personal Data is processed by a Controller or Processor. Users of MiX Fleet Manager, and individuals recorded as a Driver or a Contact whose details are stored, are therefore regarded as Data Subjects.

    What Personal Data is stored within the MiX system?

    The actual information depends on the products, services and options purchased by the MiX Customer (Data Controller), so this will need to be confirmed by them; however, MiX Fleet Manager typically processes the following types of personal information:

    • Identification (Name, Surname, Identification number / License number, Tachograph Driver card number, Picture);
    • Identifiers (Driver ID, Related Site ID and Asset ID);
    • Contact Information (Contact number, Email address);
    • Authentication (Username and Password);
    • Behavioural (Driver behaviour – score and events);
    • Video;
    • Compliance and fatigue (driver work hours);
    • Location (GPS co-ordinates, Country); and
    • Professional (Employer, Employee ID, Company ID).

    What is the purpose of MiX processing Personal Data?

    MiX Telematics uses the data to provide our customers with products and services to help optimise the efficiency, safety, compliance and security of their fleets.

    Do I need to provide consent?

    Consent is one lawful basis for processing, but there are five others, including the performance of a contract, compliance with a legal obligation, the performance of a task in the public interest and the pursuit of legitimate interests. Which basis applies should be clarified with the Data Controller, which will normally be your employer (the MiX Customer).

    What rights do I have to see my data?

    Under the GDPR, individuals will have the right to obtain:

    • Confirmation that their data is being processed;
    • Access to their Personal Data; and
    • Supplementary information which corresponds to the information that should be provided in a privacy notice.

    These are termed “Data Subject Access Requests” and should be made to the Data Controller (your employer) and typically will need to be supported by proof of identity.

    For further information you should check with the Data Controller and obtain their process for handling these requests.

    In addition to the right to access your Personal Data, you also have the following rights:

    • rectification of any errors;
    • erasure of data, when there is no longer a lawful basis for processing; and
    • restriction of processing, for example while the Controller verifies the accuracy of Personal Data you have contested.

    Who has access to personal information held within the MiX Systems?

    The MiX system is permission-based and only Users with the relevant roles can access data. This is usually restricted to certain Users defined by the MiX Customer (your employer). In addition to these Users, MiX Telematics Customer and Technical Support personnel have access, limited to support and processing activities, and they are fully trained in the obligations and requirements of GDPR concerning Personal Data.

    If I have concerns, do I raise these with MiX?

    No. MiX is the Data Processor only. All concerns or questions should be raised directly with your employer. They have the role of Data Controller and are therefore responsible for addressing your concerns and any data requests you may have.

    What do I do if I have further questions?

    Any further questions should be directed to the Data Controller. This will usually be your employer or the organisation managing your contract.

  • For customers

    What is a Data Controller?

    The Controller determines the purposes for which, and the manner in which, any Personal Data are, or are to be, collected and processed. Any direct Customer of MiX Telematics acts as a Controller, because it decides why and how the data of its employees, drivers, customers and system users is processed.

    Can we use MiX products after 25 May 2018?

    You can continue using all MiX products as we are currently in the process of achieving compliance. The regulation approved by the EU parliament in April 2016 provides businesses an adapting period of 2 years until the enforcement date of May 2018. Preparing for GDPR is a company-wide challenge involving a large amount of time, resources and expertise. MiX is working towards it and will be GDPR compliant by May 2018.

    What are my responsibilities as a Data Controller within the MiX relationship?

    As an organisation it is your responsibility to:

    • identify a lawful basis for processing Personal Data under GDPR, whether within MiX Fleet Manager or any other of your business systems;
    • ensure that any of your personnel who have access to and/or process Personal Data within MiX Fleet Manager are obliged to keep the Personal Data confidential;
    • manage consent and Data Subject Requests; ensure personal information is accurate and up to date, and provide privacy notices to Data Subjects;
    • ensure personal information added to MiX platforms relates to the purpose for which it is being recorded;
    • not allow the personal information of any individual under 16 years of age to be added;
    • develop and publish processes for rectification and the erasure of Personal Data;
    • make your staff aware of the processes for data subject requests and of what those requests produce; and
    • train authorised users in the processing of data within MiX Fleet Manager.

    MiX Fleet Manager supports Web Services access to data, which your company may use to provide additional services through Third Parties. Check each such relationship to ensure that, if Personal Data is collected, there is a lawful basis for the processing, a written processing agreement is in place (Article 28), and the Third Party is either within the EEA or covered by an appropriate transfer mechanism under Chapter V of the GDPR.

    What are the types of Data Subjects processed within the MiX system and what Personal Data is stored?

    Data Subjects within MiX Fleet Manager can include:

    • Users - any of your personnel that have an Account on the MiX system.
    • Drivers - any of your Drivers (including Contract and Temporary Drivers) where a name, Driver ID or Tachograph card number is present.
    • Contacts - these are set per account and, used for subscription reports and notifications. These contacts may be customers or other companies you interact with.
    • Workers (MiX Go).

    Typically MiX Telematics processes the following types of personal information (not all fields will be used for all Data Subjects):

    • Identification (Name, Surname, Identification number / License number, Tachograph Drivers card number, Picture),
    • Identifiers (Driver ID, Related Site ID and Asset ID),
    • Contact Information (Contact number, Email address),
    • Authentication (Username and Password),
    • Behavioural (Driver behaviour – score and violations /events, Video, Compliance, fatigue and driver work hours),
    • Location (GPS coordinates, Country), and
    • Professional (Employer, Employee ID, Company ID).

    Special categories of Personal Data as defined by the GDPR are not processed by MiX Fleet Manager.

    Who within MiX has access to personal information held within the MiX Systems?

    MiX Telematics Customer and Technical Support personnel. These personnel only have access for the purpose of supporting customers and processing activities. As part of our ongoing internal compliance processes, personnel are fully trained in the obligations and requirements of GDPR concerning Personal Data.

    What are the responsibilities of MiX as the Data Processor?

    • Implement organisational and technical measures to secure the Personal Data which is processed, and support the Controller;
    • Carry out day-to-day processing activities;
    • Archive data which includes Personal Data;
    • Back up data to multiple locations;
    • ETL of data to data warehouses;
    • Pseudonymisation/anonymisation of data for Third Parties;
    • Machine learning and data modelling;
    • Data linking (driver ID to asset data);
    • Workflows, rules-based systems and algorithms;
    • Detect and record security incidents and their effects, security breaches and responsive actions taken, and protect against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, Personal Data;
    • Notify the Data Controller without undue delay after becoming aware of a Personal Data breach (Article 33(2)); and
    • Support the Data Controller with Data Subject Access Requests.

    Where does MiX host the Personal Data on MiX Systems?

    MiX Fleet Manager Data is hosted in the Amazon Web Services (AWS) environment in Dublin. This is a secure centre with industry-leading functionality and a long list of internationally-recognised certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as BSI’s Common Cloud Computing Controls Catalogue (C5).

    Our MiX Learning Centre System (MLC) Data is hosted in Falkenstein, Germany at Hetzner Online. This facility is certified in accordance with DIN ISO/IEC 27001.

    Does MiX Process Personal Data outside the EEA?

    Data is hosted within the EEA but access is provided to Customer and Technical Support personnel within the MiX CSO organisation in South Africa for specialised support and processing activities.

    These operations are controlled by robust processes and documented within MiX Processor to Processor agreements.

    Does MiX pass Personal Data to Third Parties and if so for what purpose?

    Yes. It is passed on to:

    • Hosting Centre (AWS)
    • Installation Partners (to carry out installations and service visits)
    • Customer/Technical Support and Training personnel
    • Mapping providers, which use anonymised positional data to improve the quality and accuracy of mapping products.
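    Pseudonymisation and anonymisation appear above as processing activities, and the mapping-provider feed is described as anonymised positional data. The following Python is an added, illustrative example (not MiX code and not a description of the MiX implementation) of how the two differ in practice, run over constructed sample telemetry records. The driver identifier is replaced with a keyed HMAC pseudonym whose key is held separately, so records stay linkable for analysis but cannot be attributed to a person without the key; the mapping export drops every identifier and coarsens position and time. It also shows why an unkeyed hash of a small ID space is not a pseudonym. Field names, the key handling and the coarsening parameters are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry records for illustration; not real MiX data.
SAMPLE_RECORDS = [
    {"driver_id": "DRV-00042", "name": "A. Driver", "email": "a.driver@example.com",
     "asset_id": "VEH-0017", "lat": 53.349805, "lon": -6.260310,
     "speed_kph": 47.2, "ts": "2018-05-25T08:31:12Z"},
    {"driver_id": "DRV-00042", "name": "A. Driver", "email": "a.driver@example.com",
     "asset_id": "VEH-0017", "lat": 53.351120, "lon": -6.257890,
     "speed_kph": 31.0, "ts": "2018-05-25T08:47:55Z"},
    {"driver_id": "DRV-00107", "name": "B. Driver", "email": "b.driver@example.com",
     "asset_id": "VEH-0023", "lat": 48.856613, "lon": 2.352222,
     "speed_kph": 12.5, "ts": "2018-05-25T09:02:03Z"},
]

# Fields that identify a person directly (assumed field names); they are
# stripped before anything leaves the processing boundary.
DIRECT_IDENTIFIERS = {"name", "email"}


def pseudonymise(record, key):
    """Copy of the record with direct identifiers removed and driver_id replaced
    by HMAC-SHA256(key, driver_id). The key is the 'additional information' the
    GDPR definition requires to be kept separately: without it the pseudonym
    cannot be attributed to a driver, yet the same driver always maps to the
    same pseudonym, so records stay linkable for analysis."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    tag = hmac.new(key, record["driver_id"].encode("utf-8"), hashlib.sha256).hexdigest()
    out["driver_id"] = "PSEUDO-" + tag[:16]
    return out


def unkeyed_pseudonym(driver_id):
    """The weak alternative: a plain SHA-256 of the identifier."""
    return hashlib.sha256(driver_id.encode("utf-8")).hexdigest()[:16]


def reverse_unkeyed(pseudonym, id_space):
    """Why the keyed version matters: driver IDs come from a small, guessable
    space, so an unkeyed hash is undone by hashing every candidate."""
    for candidate in id_space:
        if unkeyed_pseudonym(candidate) == pseudonym:
            return candidate
    return None


def anonymise_position(record, decimals=2, bucket_minutes=60):
    """Reduce a record to what a mapping provider needs: position rounded to
    `decimals` places (2 is roughly 1 km), the time bucket it fell in, and a
    rounded speed. No driver, asset or contact field survives, so nothing in
    the output links back to a person."""
    ts = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    bucket = ts - timedelta(minutes=ts.minute % bucket_minutes, seconds=ts.second)
    return {
        "lat": round(record["lat"], decimals),
        "lon": round(record["lon"], decimals),
        "time_bucket": bucket.strftime("%Y-%m-%dT%H:%MZ"),
        "speed_kph": round(record["speed_kph"]),
    }


def process_for_third_parties(records, key):
    """Return (pseudonymised records for analysis, anonymised positions for
    mapping providers)."""
    return ([pseudonymise(r, key) for r in records],
            [anonymise_position(r) for r in records])


if __name__ == "__main__":
    # The key lives in the processor's key store, never in the export.
    key = secrets.token_bytes(32)
    pseudo, anon = process_for_third_parties(SAMPLE_RECORDS, key)
    for p in pseudo:
        print("pseudonymised:", p)
    for a in anon:
        print("anonymised:   ", a)
    guessable = ["DRV-%05d" % i for i in range(1000)]
    print("unkeyed hash reversed to:",
          reverse_unkeyed(unkeyed_pseudonym("DRV-00042"), guessable))
```

    Coarsening alone does not guarantee anonymity: a series of positions that begins at the same address every morning can still single out a driver, which is why the mapping export carries no field that links one record to another or to a driver, and why the keyed pseudonym output, which is linkable, remains personal data and stays under the processing agreement.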

    How long does MiX keep Personal Data?

    Personal Information will be kept for the period outlined within contractual agreements between you, the Controller, and MiX. Your organisational policies and agreements with employees should be aligned accordingly. This period will usually be no longer than the duration of the contract.

    How will MiX ensure that it maintains compliance with the requirements of GDPR on an ongoing basis?

    MiX has always understood the sensitivity of Personal Data, since well before the GDPR. The GDPR programme is one phase of a process that is already in progress, not just to be compliant on 25 May 2018 but to maintain compliance on an ongoing basis.

    Information Security, Ethical Conduct and GDPR awareness training is a compulsory part of MiX training to ensure that MiX personnel are fully and regularly updated on legislation and their obligations.

    Robust processes and procedures have been developed to manage compliance with existing data protection legislation and in line with the requirements of GDPR. These processes will be continually monitored, reviewed and updated to ensure effectiveness with new operational scenarios.

    How can MiX help when I receive a Data Subject Access Request?

    The MiX Fleet Manager platform enables customers to address access requests by:

    • Using Driver, User and Contacts lists to confirm whether or not Personal Data is being processed;
    • Using Insight report suite when access to specific data is needed; and
    • Addressing requests from Customers’ Users concerning rectification, erasure and restriction.

    Where a customer is unable to carry out the activity, a Support Request can be raised with the relevant support resource. This can then be addressed either through User training or through additional processing activities by the support team. Should additional support be required, a formal Service Request must be raised by the authorised Customer representative.

    What if I have other questions?

    If there are any further questions, please contact your Account Manager who will action and coordinate communication with the relevant experts.

  • For Channel Partners

    What processing activities does MiX carry out?

    • Archiving of data which includes Personal Data
    • Back up of data which goes to different/various locations
    • ETL of data-to-data warehouses
    • Pseudonymisation/anonymisation of data for 3rd parties
    • Machine learning and data modelling
    • Data linking (driver ID to asset data)
    • Workflows, rules-based systems and algorithms

    What are my responsibilities as a Data Processor within the MiX relationship?

    As an organisation, in addition to having controls in place for your own Personal Data, it is your responsibility to ensure that you have contractual processing agreements in place to cover the work carried out on behalf of Customers using the MiX systems. This should cover such elements as:

    • Data retention period
    • Consent and a lawful basis for processing Personal Data under GDPR and within the MiX Fleet Manager system
    • Categories of Data Subjects
    • Types of Personal Data collected

    You must ensure that any of your personnel (users/installers) who have access to and/or process Personal Data within MiX Fleet Manager are obliged to keep the Personal Data confidential.

    You must ensure that there are Policies and processes in place to handle:

    • Data privacy
    • Data Subject Access Requests
    • Data Breach notifications

    Ensure that Personal Data passed to any Third Parties (such as Web Services providers or installers) meets the requirements in terms of lawful basis and geographical constraints.

    Process all requests relating to Personal Data in a timely and efficient manner, and notify MiX of contract terminations and database deletions so that all data is deleted when there is no longer a lawful basis for retaining or processing it.

    What if I have other questions?

    If there are any further questions, please contact your Channel Manager who will action and coordinate the communication with the relevant experts.

    How will MiX ensure that it maintains compliance with the requirements of GDPR on an ongoing basis?

    MiX has always understood the sensitivity of Personal Data. The GDPR programme is a phase that forms part of a process that is already in progress, not just to be compliant on 25 May 2018, but to maintain compliance on an ongoing basis.

    Information Security, Ethical Conduct and GDPR awareness training is a compulsory part of MiX compliance training to ensure MiX personnel are fully and regularly updated on legislation and their obligations.

    Robust processes and procedures have been developed to manage compliance with existing data protection legislation and to be in line with the requirements of GDPR. These processes will be continually monitored, reviewed and updated to ensure effectiveness with new operational scenarios.

    GDPR considerations and requirements are included in the product development and planning lifecycle.

    What do I do in the event of a Data Breach?

    MiX as Processor and VARs: Where a customer (Controller) suspects that the confidentiality, integrity or availability of Personal Data may have been breached, the Controller is primarily responsible for investigating, quantifying and reporting the breach to the Supervisory Authority and, where required, to the affected Data Subjects (as per the GDPR). MiX, as Processor, must notify the Controller without undue delay on becoming aware of a breach affecting the data it processes. Customers may also reach out to MiX Telematics to share information related to the incident, and the MiX DPO, in consultation with the MiX DBIRT team, will determine whether additional actions are required from our side.

    MiX Telematics in the role of Controller in respect of employee and MiX customer data: Upon initial discovery, any staff member who suspects that a breach of security has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data must immediately notify their line manager or departmental head. The manager will inform the DPO or the MiX Telematics DBIRT team using the Personal Data Breach Checklist Template. Unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the DPO shall notify the breach to the Supervisory Authority without undue delay and, where feasible, no later than 72 hours after having become aware of it.

    As a Channel Partner what happens if I receive a Data Subject Access Request?

    You should have a clearly documented process for these types of requests.

    For MiX Fleet Manager, where you are operating as the Data Processor, on no account should you deal directly with the Data Subject. All such requests should be referred to the relevant Data Controller and you would act on the instruction from your authorised contact.

    The MiX Fleet Manager platform enables Users with the requisite permissions to address access requests as follows:

    • Driver, User and Contact lists to confirm whether or not Personal Data is being processed.
    • Insight report suite when access to specific data is needed.

    In the event that a Data Controller cannot process the request, this may require you (as their support resource) to train the Controller's authorised user. If training is not available, the Controller's authorised representative should raise the request (with all relevant details) via a Service Request (SR).

  • MiX Telematics

    What is a Data Processor?

    The Processor acts on the instructions of the Controller. For Personal Data held and processed within MiX Fleet Manager, the Processor is MiX Telematics.

    What are the responsibilities of MiX as a Data Processor?

    For direct customers, MiX must ensure that contractual processing agreements (as required by Article 28) are in place with the customer, covering such elements as:

    • Data retention period
    • Third Party processing
    • Consent and a lawful basis for processing Personal Data under GDPR, within the MiX Fleet Manager system

    MiX must ensure that all MiX personnel and contractors, who have access to and/or process Personal Data within MiX Fleet Manager, are obliged to keep the Personal Data confidential.

    Where is MiX Data Hosted?

    MiX Fleet Manager Data is hosted in the Amazon Web Services (AWS) environment in Dublin. This is a secure centre with industry-leading functionality and a long list of internationally-recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as BSI’s Common Cloud Computing Controls Catalogue (C5).

    Our MiX Learning Centre System (MLC) Data is hosted in Falkenstein, Germany at Hetzner Online. This facility is certified in accordance with DIN ISO/IEC 27001.

    What technical or organisational measures are in place at MiX to protect Personal Data?

    MiX partners with Amazon Web Services (AWS) to leverage industry-leading services with internationally-recognised certifications.

    MiX Fleet Manager is a permissions-based platform where access is only provided to the information relevant to each individual user:

    • Passwords are stored as hashes in the back-end environment. Passwords are not separately encrypted at the application layer in transit, but the point-to-point (customer to back-end) connection is encrypted using TLS (SSL)
    • Storage level encryption includes S3 buckets where back-ups are stored and drives where data resides
    • Vulnerability scanning
    • IDS / IPS (intrusion detection and prevention)
    • Perimeter Firewalls (this includes VPN access for support processes)
    • Encrypted back-ups
    • Regular penetration tests and security assessments (twice per year)
    • Perimeter scanning
    • Website access only over HTTPS (TLS)

    Policies, Processes and training have been delivered to MiX personnel to ensure that they are aware of regulations and the responsibilities associated with handling Personal Data. These processes are embedded in MiX’s HR processes for all personnel, new starters and contractors.

    For support personnel with access to Personal Data, all laptops use full-disk encryption with two-factor authentication, certified under the UK NCSC Commercial Product Assurance (CPA) scheme. All removable media is encrypted, and USB drives have security vaults in addition to removable-media encryption. All laptop ports are monitored and/or controlled. Tablets and phones are enrolled in IBM MaaS360 mobile device management (MDM).

    Does MiX Process Personal Data outside the EEA?

    All Personal Data is hosted within the EEA but access is provided to Technical Support personnel within the MiX CSO organisation in South Africa to handle specific support and processing activities.

    These operations are controlled by robust processes, documented within MiX Processor to Processor agreements and will be replaced by Binding Corporate Rules (BCRs) once approved by the Supervisory Authorities.

    How will MiX ensure that it maintains compliance with the requirements of GDPR, on an ongoing basis?

    MiX has always understood the sensitivity of Personal Data. The GDPR programme is one phase of a process that is already in progress, not just to be compliant on 25 May 2018, but to maintain compliance on an ongoing basis.

    Robust processes and procedures have been developed to manage compliance with existing data protection legislation and to remain in line with the requirements of GDPR. These processes will be continually monitored, reviewed and updated to ensure effectiveness with new operational scenarios.

    GDPR considerations and requirements are included in the product development and planning lifecycle.

    What will MiX do if they receive a Data Subject Access Request?

    For MiX Fleet Manager, where MiX is operating as the Data Processor, MiX will not deal directly with the Data Subject (see Data Subject Request Process). The Data Subject will be referred to their relevant Data Controller, usually the MiX Customer.

    In the event that the request comes from a Data Controller who cannot process it, this may require training of the Controller's authorised user. If training is not available, the Controller should raise the issue via a Service Request (SR) to ensure full traceability of the request.

    What if I have other questions?

    If there are any further questions, please first check the MLC, as there is further reference material there. Alternatively, contact your Line Manager or the MiX Data Protection Office by email; they will action and coordinate with the relevant experts.
