The GDPR, which is enforceable as of May 25, 2018, lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
This new Regulation applies to the processing of personal data in the context of the activities of an establishment of an organization (controller or processor) in the E.U. It also applies to the processing of personal data of data subjects who are in the E.U. by an organization (controller or processor) not established in the E.U., where the processing activities are related to (i) the offering of goods and services to such data subjects in the E.U. or (ii) the monitoring of their behaviour as far as their behaviour takes place within the E.U.
By its terms, the GDPR thus applies only to a small segment of our clients, since the vast majority of Tyler's clients (and their end-users) are located outside of the E.U. (primarily, in the United States), and the processing activities for these clients are related to activities that take place outside the E.U. (primarily, in the United States) and do not involve the processing of personal data of data subjects who are in the E.U.
For the small segment of Tyler clients the GDPR does apply to, Tyler has engaged or will engage with those clients specifically to address GDPR compliance. For all other Tyler clients, Tyler will continue to adhere to applicable industry standards, contractual commitments, and laws to address the security and privacy of relevant client data.
To the extent the GDPR applies to Tyler and its clients, then:
- Tyler, as a data processor, will partner with its client, the data controller, to memorialize each party's respective roles and responsibilities under the GDPR.
- The personal data that Tyler's software will be used to process may include account numbers, physical addresses, email addresses, IP addresses, names, and telephone numbers. End-users may choose to enter additional types of information into open-text fields. Tyler stores the information in a database hosted on Amazon Web Services ("AWS") servers in Ireland. Learn more about GDPR compliance on AWS.
- Tyler will only process personal data to perform services in accordance with its contract with the Tyler client.
- The Tyler-client contract will include terms and conditions to account for GDPR requirements, including standard contractual clauses (also known as E.U. Model Clauses) relating to the transfer of data from the E.U. to the United States.
- Tyler has implemented a set of certified security processes and controls to help protect the client data we process under the GDPR, which helps us comply with security and privacy regulations such as ISAE 3402, SOC 1 Type 2, and SOC 2 Type 2 Report. Tyler is also in the process of being ISO 2700x certified on relevant Tyler products. For more information, please visit our compliance section.
- Tyler products are developed with "privacy by design" elements, including, for example, the ability to redact sensitive information and/or to configure roles and responsibilities to limit certain levels of data access. Tyler will continue to enhance these "privacy by design" elements consistent with its overall product roadmap.
- We are continually updating our library of privacy practices and policies to comply with evolving record-keeping requirements.
- We have an in-house dedicated security team, as well as external providers that assist with threat detection and monitoring. As noted above, Tyler's Security Officer is Peter Higgins. Peter and the security team may be contacted at firstname.lastname@example.org or 1-888-55TYLER. Based upon our E.U. presence and our role as a data processor, Tyler has not appointed an E.U. representative or a Data Protection Officer. Should the basis for Tyler's evaluation change, Tyler will update the security team and this Privacy Statement accordingly.
It is important for Tyler clients to whom the GDPR applies to remember that the GDPR is a shared compliance journey. As the data controller, you, as Tyler's client, will determine the personal data we process and store on your behalf, if any. If you opt for a hosted solution, we may process personal data for you depending on the products we are hosting for you and the information you choose to make available on that platform. As a controller, you will provide privacy notices to individuals detailing how you use and collect their information, and obtain required consents, if any. If those individuals want to know what data you maintain about them, or to discontinue their relationship with you, you must respond and process those requests. If we happen to receive such an inquiry directly, we will redirect it to you.
When we act as the data processor, we process and store the personal data you make available to us. We will only process that personal data in accordance with our contract with you. If your data is maintained in a product that we host, and you need assistance with an end-user inquiry, we will partner with you through the processes, products, services and tools to help you respond to that inquiry.
An individual end-user of Tyler software or a Tyler service who seeks access to, or correction, amendment or deletion of, personal data should direct his or her request to the Tyler client on whose behalf Tyler is processing that data (in other words, the data controller). If that Tyler client then asks Tyler to correct, amend or delete the corresponding personal data to comply with the GDPR or similar regulations, Tyler will respond to the Tyler client's request within thirty (30) business days. Tyler clients may submit such requests to email@example.com.