Privacy Policy

RACS NV’s Position on the EU General Data Protection Regulation (GDPR)

On May 25, 2018, the new GDPR regulations came into effect. You have undoubtedly been thoroughly informed about GDPR (General Data Protection Regulation) or AVG (Algemene Verordening Gegevensbescherming) through news, numerous emails, or seminars.

You may also have wondered with whom, and for which products or services, you are required to enter into a specific data processing agreement. We have had this reviewed by our legal team in relation to our own role and would like to share our position with you.

RACS NV, as an organization, is not obliged to enter into data processing agreements with its customers, since we—together with our legal advisors—are of the opinion that we do not act as a processor under the new GDPR legislation in the context of our collaboration with you as a customer. Of course, there are certain boundary conditions that may influence this obligation.

A data controller determines the purpose and means of data processing. A processor acts solely on behalf of the data controller concerning the processing of data. The data in question is transferred to the processor for that purpose. RACS neither collects nor processes customer data, as we merely supply software for installation within the customer’s own environment. Responsibility for the infrastructure lies entirely with the customer or a third party appointed by the customer, not with RACS.

What matters here is the operational environment in which software manipulations and any related data actions are carried out, and for what purpose. RACS will never move, let alone store, data outside of the customer’s environment.

Just because actions are requested within the customer’s environment to operate software, whether or not involving data, and where the data never leaves the customer’s closed working environment, does not mean that we become a processor or are required to enter into a data processing agreement.

All actions involving data are carried out strictly within the customer’s environment. At that point, it is the customer’s responsibility to ensure that the infrastructure in which this takes place meets the safety and prevention requirements stipulated under GDPR guidelines.

Regarding customer information that RACS may handle in relation to the commercial or technical relationship we maintain with our clients, we take all necessary measures to avoid storing unnecessary, personal, or other types of data—only what is strictly necessary for the proper functioning of our relationship and to comply with any legal obligations associated with such a relationship (e.g., invoicing data). In this context, the GDPR legislation clearly states that such data (i.e., non-personal or non-sensitive data) falls outside the scope of the GDPR.

Lastly, we would like to emphasize that the installation of our software only takes place on the customer’s infrastructure and not in a hosted environment set up or managed by RACS NV.

All of the above leads us to conclude—based on thorough legal analysis—that we are not required to enter into data processing agreements.

That said, regarding confidentiality and safety in how we act within the customer’s environment—where one might or might not come into contact with customer data—RACS and, more specifically, all RACS employees, follow extremely strict rules on confidentiality, prevention, and safety as outlined in our internal policy.

We hope this provides sufficient clarity regarding your concerns about GDPR and, more specifically, the use of RACS software. We remain available for any further questions you may have on this matter.