GDPR FAQ: Customer data stored in Winshuttle products

What is the GDPR?
The General Data Protection Regulation (GDPR), European Union (EU) 2016/679, is a regulation in EU law on data protection and privacy for all individuals within the European Union. GDPR went into effect on May 25, 2018, and all organizations doing business with EU Data Subjects must comply with the regulation.
What does it mean to be GDPR-ready?
To protect personally-identifying information stored in these products, Winshuttle customers are responsible for securing and hardening their on-premise environments of Winshuttle products, including: Evolve, Studio Manager, Foundation, User Governance, Studio, and LMS (License Management System). For Winshuttle customers who just purchased and only use Winshuttle Studio with Connect, Winshuttle Connect has some employee information required to license and manage product usage. For Winshuttle customers who use LMS or Foundation that synchronize usage log data into Connect, that data isn’t associated with a personally identifiable employee. Winshuttle is similarly responsible for securing and hardening the cloud-based Winshuttle Connect software.
What customer employee information is stored in Winshuttle software?
A customer’s employee’s corporate email address, name, department, and employee phone number are stored within Winshuttle software. Note that corporate email addresses are required as part of user account credentials in Connect and thus are a required element for usage of our products.
How can a customer manage their personal information in their product today?
A customer’s Winshuttle product administrators should be deleting employees’ accounts when the employees no longer need them so that their personal information is removed from the Winshuttle products.

If the customer is using only Winshuttle Studio with Connect, the customer can contact Winshuttle customer support to have the Winshuttle Connect data privacy mode set to Secure Anonymous so that user information is only displayed as “Private Users.” Selecting the Secure Anonymous privacy mode anonymizes the employee identifier data. However, requesting a Connect privacy mode change from Secure to Secure Anonymous is only recommended if you don’t require usage reports for your users, since anonymizing such data renders it unusable for user reports.

What happens to the employee data stored in Connect when a Winshuttle customer provides written notice of termination of their overall contractual Master Service Agreement (MSA) with Winshuttle?
Winshuttle will anonymize the customer’s employees’ personal information from Connect such that it can be considered destroyed within 60 days of written notice by the customer of their contract termination. Winshuttle retains the right to store anonymized transactional data for product usage analysis reporting purposes.
What happens to the employee data stored in Connect if a Winshuttle customer reduces the number of active licenses that they have contracted Winshuttle for?
The customer will need to assign or re-assign employees to the reduced number of licenses that they purchased. Any employee’s transactional data that was previously associated with a license will be automatically anonymized such that the employee’s personal information is removed from Connect and the license will be freed up for assignment to another employee.
What happens to the Connect data when a Winshuttle customer doesn’t renew their Winshuttle customer support maintenance agreement and its employees with perpetual licenses continue to use Studio with Connect?
For customers who have European Union employees who have licensed access to Winshuttle Studio, the GDPR still applies to the licensing information stored by Winshuttle’s cloud-based Winshuttle Connect service. However, for perpetual licensed Studio users to still work with Winshuttle Connect, the licensed employee information will be retained until either the license is transferred to another user or the customer provides written notice of termination of their overall contractual master service agreement (MSA) with Winshuttle. If customers want to maintain access to view their usage or dashboard reports, they are required to maintain their support agreement with Winshuttle.
What is Winshuttle’s responsibility for GDPR compliance if the customer has purchased Winshuttle Managed Services (WIMS) for Foundation, Evolve, and/or Studio Manager?
Winshuttle is responsible for the maintenance of Foundation and its dependent Microsoft software services included in the WIMS offering, but the customer is still fully responsible for GDPR compliance by securing and hardening their server and network environment to protect it against any data breaches.