GDPR FAQ: Customer data stored in Winshuttle products

What is the GDPR?
The General Data Protection Regulation (GDPR), European Union (EU) 2016/679, is a regulation in EU law on data protection and privacy for all individuals within the European Union. GDPR went into effect on May 25, 2018; all organizations doing business with EU Data Subjects must comply with the regulation.
What does it mean to be GDPR-ready?
Winshuttle customers are responsible for securing and hardening their on-premise environments for Winshuttle Foundation, Studio, and LMS (License Management System) to protect any employee’s personal information stored in these products. For Winshuttle customers who purchased and use only Winshuttle Studio with Connect, Winshuttle Connect holds some employee information required to license and manage product usage. For Winshuttle customers who use LMS or Foundation that synchronize usage log data into Connect, that data isn’t associated with a personally identifiable employee. Winshuttle is similarly responsible for securing and hardening the cloud-based Winshuttle Connect software.
What customer employee information is stored in Winshuttle software?
A customer’s employee’s corporate email address, name, department, and employee phone number are stored within Winshuttle software. Note that corporate email addresses are required as part of user account credentials in Connect and thus are a required element for usage of our products.
How can a customer manage their personal information in their product today?
A customer’s Winshuttle product administrators should delete employees’ accounts when the employees no longer need them so that their personal information is removed from the Winshuttle products.

If the customer is using only Winshuttle Studio with Connect, the customer can contact Winshuttle customer support to have the Winshuttle Connect data privacy mode set to Secure Anonymous so that user information is displayed only as “Private Users.” Selecting the Secure Anonymous privacy mode anonymizes the employee identifier data. Click here for more details. However, requesting a Connect privacy mode change from Secure to Secure Anonymous is recommended only if the customer doesn’t require usage reports for its users, since anonymizing such data renders it unusable for user reports.

What happens to the employee data stored in Connect when a Winshuttle customer provides written notice of termination of their overall contractual Master Service Agreement (MSA) with Winshuttle?
Winshuttle will anonymize the customer’s employees’ personal information in Connect such that it can be considered destroyed within 60 days of written notice by the customer of their contract termination. Winshuttle retains the right to store anonymized transactional data for product usage analysis reporting purposes.
What happens to the employee data stored in Connect if a Winshuttle customer reduces the number of active licenses that they have contracted Winshuttle for?
The customer will need to assign or re-assign employees to the reduced number of licenses that they purchased. Any employee’s transactional data that was previously associated with a license will be automatically anonymized such that the employee’s personal information is removed from Connect, and the license will be freed up for assignment to another employee.
What happens to the Connect data when a Winshuttle customer terminates or doesn’t renew their Winshuttle customer support maintenance agreement and its employees with perpetual licenses continue to use Studio with Connect?
For customers who have European Union employees with licensed access to Winshuttle Studio, GDPR still applies to the licensing information stored by Winshuttle’s cloud-based Winshuttle Connect service. Winshuttle administrators will set the Winshuttle Connect data privacy mode to Secure Anonymous so that user information is displayed only as “Private Users” if this wasn’t already done previously. Selecting the Secure Anonymous privacy mode anonymizes the employee personal data. Click here for more details. The customer will still be able to use their Studio software licenses; however, users cannot view usage or dashboard reports due to the Secure Anonymous mode required to eliminate the employee personal information from Connect. If customers want to maintain access to view their usage or dashboard reports, they are required to maintain their support agreement with Winshuttle.
What are Winshuttle’s responsibilities for GDPR compliance if the customer has purchased Winshuttle Managed Services (WIMS) for Foundation?
Winshuttle is responsible for the maintenance of Foundation and its dependent Microsoft software services included in the WIMS offering, but the customer is still fully responsible for GDPR compliance by securing and hardening their server and network environment to protect it against any data breaches.
What are Winshuttle’s responsibilities for Winshuttle’s hosted Foundation product?
Winshuttle is responsible for GDPR compliance for the Winshuttle hosted Foundation product, since it maintains all the Foundation-related software services included in the WIMS offering and secures and hardens its data center environment to protect it against any data breaches. Removal of all the employee personal information in the hosted Foundation product will occur upon termination of the Winshuttle hosted Foundation agreement.