GDPR and Data Protection Compliance

Your data is yours. When handling personal information, BUNCH complies with the strictest Data Protection standards.

The GDPR has become a global standard for data protection. In order to support our EU clients with their own compliance with this regulation, BUNCH (as a data processor) has undergone a full GDPR compliance transformation.

Frequently Asked Questions

1. Does BUNCH have obligations under the GDPR?

In short, yes. While BUNCH is a Hong Kong incorporated entity with production centers in the Philippines, and although our clients are not always located in the EU, a number of our clients store personal data of customers from all over the world, including individuals in the EU. In this regard, BUNCH is required to comply with the GDPR in order to be an eligible vendor for services involving personal data, such as customer support, outbound sales and other specialised tasks. In most cases, our services do not involve any personal data at all, and in all cases we do not hold or store personal data from the client campaigns we support. Accordingly, under the GDPR, BUNCH falls into the category of a data processor and not a data controller (see below).

2. Is BUNCH a data controller or a processor?

The GDPR distinguishes between the roles of a data 'controller' and a data 'processor', each having different compliance requirements. Article 4 of the GDPR defines a controller as the entity that determines the "purposes and means" of the processing of personal data, and a processor as an entity that "processes personal data on behalf of the controller". The distinction does not depend on who physically stores the data: 'processing' under the GDPR covers any operation performed on personal data, including merely consulting or using it.

As a service provider, BUNCH holds no personal data of its own. Our clients own their data at all levels. Clients retaining data ownership in accordance with their own internal policies, together with strict obligations of confidentiality, has been the foundation of BUNCH's data protection policy since before GDPR compliance. Our specialists only access information through our clients' software platforms, and nothing is stored locally on our workstations, on our remote servers or anywhere else. Because accessing personal data on a client's platform on the client's instructions is still 'processing' under the GDPR, BUNCH is a data processor and complies with the GDPR in that capacity.

3. What is BUNCH doing about GDPR?

Since May 2018, we have been transforming our processes in order to comply with the GDPR at the data processor level. We take data protection seriously and therefore saw GDPR compliance as the logical (and indeed necessary) next step in order to become an eligible vendor for global clients who store or otherwise control personal data of individuals in the EU.

Besides our ongoing commitment since ‘day one’ of creating and maintaining a data-sensitive culture (including compliance with local laws in Hong Kong and the Philippines, as applicable), our GDPR compliance milestones to date have included the following measures:

  • We have prepared and signed a data security compliance addendum with our employees and have added GDPR-specific data security provisions to our standard employment contracts
  • We prepared and implemented an internal Code of Data Conduct to be followed by all BUNCH personnel, from top management to agents, support staff and third parties (as applicable)
  • We keep a daily Record of Processing Activities capturing every personal data interaction (on an anonymised basis) within all our campaigns at a company level
  • We improved our network infrastructure. We have (i) created a GDPR-ready subnetwork in which no device stores local data; (ii) restricted access to USB drives on all office devices; (iii) implemented two-factor authentication; (iv) implemented SSO access; (v) installed biometric access control across the office; (vi) whitelisted access; and (vii) tightened firewall rules
  • We have appointed an informal "Data Protection Officer" who internally oversees compliance, carries out daily, weekly and monthly audits and enforces processes
  • We signed a Data Processing Agreement (DPA), as required of processors by Article 28 of the GDPR, with our existing clients, outlining our relationship as compliant vendor and data processor
  • We put in place a Data Breach Protocol which outlines the steps to be taken in the unlikely event of a data breach, including notifying our clients without undue delay (as Article 33 requires of a processor) so that they can notify the supervisory authority within the 72-hour window where required
  • We prepared and implemented a Data Subject Access Request (DSAR) Protocol which supports eligible EU individuals' requests to access, rectify and erase their personal data
  • We crafted a Privacy Policy accessible to data subjects (individuals)
  • We are working towards compliance audits with two firms: one based in the UK (specialising in GDPR compliance) and one in the Philippines (specialising in local Philippine data protection requirements).

4. When did BUNCH as a data processor become compliant with the GDPR?

With the help of third party auditors, we will complete our transformation process and technical implementation of all the above policies and procedures before August 15, 2018.

The above being said, GDPR compliance is very much an ongoing commitment and process. There is no 'end-point' at which compliance is achieved and can be put aside. It is necessary to keep reviewing and updating our procedures, security measures and processing activities to ensure that, on a day-to-day basis, our practices comply with the GDPR and any upcoming amendments to it. BUNCH is committed to doing so and to working with our affected clients to ensure that our compliance meets (and hopefully exceeds) their own internal standards as regards the GDPR.

5. Has BUNCH been audited as GDPR compliant?

The GDPR sets out the processes and requirements intended to protect the personal data of individuals in the EU, but it does not require an external audit to certify compliance (the certification mechanisms in Article 42 are voluntary). Nevertheless, as previously noted, we believe in the value of becoming a certified GDPR-ready vendor, and we are discussing terms with a reputable audit firm in the UK with a view to completing the audit by Q3 2019.

6. Is my company required to appoint a GDPR compliant vendor like BUNCH?

If you collect, store or hold personal data of individuals in the EU (the GDPR applies to data subjects located in the EU regardless of citizenship) and require vendors to have access to that information, you will need to first ensure your own compliance with the GDPR as a 'controller' and then ensure that any vendors you appoint are compliant with the GDPR as processors or controllers (as applicable).

On the other hand, if you only work with non-personal data, such as project data for software product development, GDPR compliance may be less onerous. Note that personal data remains personal data under the GDPR even when it is publicly available, so 'public domain' information about individuals does not by itself fall outside the regulation.

7. Where does BUNCH store personal data of my users / customers?

Nowhere. As noted above, BUNCH does not store any personal data from client campaigns whatsoever. Our GDPR-ready workstations store no local information, and any local files are deleted after every session. We are a cloud-based company and we do not store any client information (including personal data of our clients' users) on our remote servers.

Last update: January 2, 2019