
Technology Center of Excellence

The General Data Protection Regulation[1] (GDPR) was introduced by the EU on 25th May 2018 to protect the citizens of its
constituent countries from personal data misuse by requiring all handling of Personally Identifiable Information[2] (PII) to be
done on a permitted legal basis. For NetSuite customers, the legal basis would be the processing of transactions, employee
information, handling of sales leads, amongst others. As all processing of EU personal data is covered by GDPR, NetSuite
customers need to be cognizant of their responsibilities regardless of where they are based. Stiff penalties can be invoked, up
to €20 Million or 4% of annual turnover, and these can be applied to non-EU countries such as the US, through international law.

NETSUITE AS DATA PROCESSOR AND DATA CONTROLLER


NetSuite’s position is that we are in line with the requirements of GDPR on processors[3], but our customers
must be the ones that are compliant as they are the data controllers[3]. We can assist them by providing any
information they request relating to data handling and security, but we cannot call ourselves compliant. Note
that because we also have our own NetSuite instance containing information relating to our own customers,
we are also data controllers (but only for our own internal purposes) and are compliant within that scope.

Central to GDPR are the rights of individuals[4], which must be adhered to unless there is a legal basis for not doing so:

The Right to be Informed: The collection and processing of personal data must be transparent.

The Right of Access: Subject Access Requests must provide the individual with a copy of all relevant information.

The Right to Rectification: Any incorrect or incomplete information must be updated.

The Right to Erasure: Any data identifying the complainant must be erased if requested.

The Right to Restrict Processing: The way in which data is processed must acknowledge any limits specified by an individual.

The Right to Data Portability: Upon request, data relating to an individual must be supplied in a machine-readable format
for use in other environments.

The Right to Object: Objections to processing of personal data must be observed and any use must cease.

Rights in Relation to Automated Decision Making and Profiling: Any process where automated decisions are used must be
stopped or reverted to manual processes upon request.

Although the word ‘must’ is used a lot in the list above, there are several restrictions on when companies must comply. Most
commonly, this is if there is a legal basis for not respecting the request—as mentioned previously, with NetSuite this would be
the processing of transactions. Very few parts of GDPR are absolute (the removal of direct marketing being notable) and each
scenario must be considered on its own basis. This is the reason that NetSuite customers must seek specialist advice for their
own compliance. Any company that complies with GDPR without respect to their own processes would have difficulty
performing many common functions.

Should you need further information regarding NetSuite’s GDPR stance, please contact the Technology Center of Excellence
team. NetSuite GDPR collaterals[5] are available upon request.

ADDITIONAL REFERENCES

[1] Regulation (EU) 2016/679
[2] What is personal data?
[3] What is a data controller or a data processor?
[4] Individual Rights
[5] GDPR for Oracle Applications

www.netsuite.com
