Aphelion is not located inside the European Union.  However, we work with a number of clients based in the European Union, in some cases via clients with wholly-owned subsidiaries located in the European Union. GDPR, therefore, applies to us as to how we handle personal data about European subjects and we are fully committed to achieving full compliance. 

We have identified the areas in which GDPR affects our work:

• Our website, which stores visitor personal information and provides forms for visitors to use to contact us or comment on posts. We also use service providers to support the site which, according to GDPR, act as processors for analysing visitor data.
• In our back-office systems in Mauritius where we store data about client contacts in emails, in documents and other ways.
• We are processors for our European clients who handle personal data of European subjects. Mostly this is done remotely from our office and the data itself remains on European servers.  In most cases, our role is to support the systems and not process personal data.  But, to support the systems, we will in many cases need to have access to the personal data itself.  We will sign relevant agreements with all clients where this is required to ensure that we and our clients are compliant with the GDPR.

The right to privacy of our clients, their employees and customers are our top priority.  We are fully committed to maintaining compliancy with the GDPR legislation ensuring that individual privacy is maintained and respected in every way.

GDPR stands for the General Data Protection Act, legislation which provides comprehensive pan-European data protection.  GDPR will be introduced in the European Union and the European Economic Area (EE/EEA) replacing the 1995 Data Protection Directive.  The Data Protection Directive was implemented in different ways across different countries while GDPR will be the same (with certain minimum differences/additions for membership countries).

GDPR regulates authorities and organisations as to how they are allowed to process data (called ‘personal data’) about individuals in the EU (called ‘data subjects’) including collecting, storing, transferring or use.

GDPR gives individuals free of charge rights to control their data.  Individuals have the right to know what data an organisation stores about them and to request correction, deletion or even transfer to another organisation when that is applicable.  GDPR requires organisations to report breaches within 72 hours of discovery.  The regulatory bodies in each country are getting significantly more ability to enforce compliance and impose high fines for non-compliance and breaches.

Here’s our high-level roadmap for GDPR compliance, with our current status mentioned:

• Research which areas of our business and services are impacted by GDPR – COMPLETED
• Assess our need for compliance with our website – COMPLETED
• Prepare a draft Data Protection Agreement based on the EU General Clauses for our clients – COMPLETED
• Assess which of our clients we work with where we have access to personal data of EU subjects and get processor agreements with them – COMPLETED
• Assess all security aspects, required for compliance with the GDPR – COMPLETED
  
• Create a Privacy Policy for our website, forms, emails and any other way customers can contact us or we contact them – COMPLETED
• Update our mail footer to link to the Privacy Policy on the website – COMPLETED
• Sign agreements with processors handling personal data or tracking cookies collected from our website and ensure compliance – COMPLETED
• Assess our need for compliance in how we handle personal data such as client contacts and marketing data in our company in India – COMPLETED
  
• Develop a strategy and requirements for how to address the areas of our services are impacted by GDPR – COMPLETED
• Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – COMPLETED
  
• Sign new Work Agreements/NDA’s with all employees – COMPLETED
  
• Finalise and communicate our full compliance – COMPLETED

The PHPSESSID is only used inside a session and is deleted and therefore allowed as per GDPR.

The __cfduid cookie is set by our Content Delivery Network (CloudFlare) and is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. For example, if a certain laptop is used in a local area network where there are laptops infected with viruses, but the specific person’s laptop is trusted (e.g. because they’ve completed a challenge (within your Challenge Passage period), the cookie allows CloudFlare to identify that client and not challenge them again. It does not correspond to any user ID  and does store any personally identifiable information.

Because Cloudflare uses this cookie to identify both HTTP and HTTPS requests from known clients, we do not set the “secure” flag on it. This is not a risk, however: as mentioned above the cookie does not contain sensitive data.

It is not possible to block the Cloudflare cookie at the moment. A Content Delivery Network ensures good performance of websites across the globe. We have been in touch with CloudFlare and they say that they consider this cookie to be allowed as per the GDPR which states in that some cookies are exempt from this requirement. Consent is not required if the cookie is:

• used for the sole purpose of carrying out the transmission of a communication, and
• strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.