25 May 2018 marks the start of enforcement of the European Union’s General Data Protection Regulation. This new piece of legislation has had a great impact on anyone whose business involves handling personal data about EU residents or within the EU. Naturally, personal data is at the core of working in sales, so SEAtS and our users have also been busy making sure that we are compliant.
This article provides an overview of the data-related roles and responsibilities when you’ve chosen SEAtS as your CRM platform and explains SEAtS’s efforts to live up to the values and requirements of the GDPR.
SEAtS as the Data Processor
Lastly, it is important to check Section 17 of our Terms of Service to see which SEAtS entity is your contractual partner. All EU customers have a contractual relationship with our EU entity, based in Estonia.
One topic that often comes up with customers is data transfers outside of the EEA. The GDPR establishes strict requirements for moving data outside of its scope of protection. This is only natural – otherwise it would be impossible for the law to fulfill its purpose.
Who is responsible for meeting these data transfer requirements? As our EU customers have a legal relationship with our EU entity, this data transfer remains within the EEA. If SEAtS subsequently engages sub-processors outside the EEA, it is our job to ensure that we transfer the data lawfully.
We will keep an up-to-date list of sub-processors in our Terms of Service to be fully transparent about these transfers. This list will also explain what data is involved and how we have ensured that the data is adequately protected even after it leaves the EEA. We do this by making sure that our third-party service providers have either certified under the EU-US Privacy Shield framework or signed the EU Commission’s standard contractual clauses for data transfers with us.
Hopefully this helps you to better navigate the EU’s data protection requirements.
SEAtS as the Data Controller
Additionally, SEAtS acts as the data controller for the personal data we collect about you, the user of our web app, mobile apps, and website. First and foremost, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)). Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR. Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
What are these ‘legitimate interests’ we talk about?
- Improving the app to help you reach new levels of productivity.
- Making sure that your data and SEAtS’s systems are safe and secure.
- Responsible marketing of our product and its features.
As the controller for your personal data, SEAtS is committed to respecting all your rights under the GDPR. If you have any questions or feedback, please contact our Data Protection Officer by email at [email protected]
What is SEAtS doing for the GDPR?
As a company with roots in Europe, SEAtS is very much up to speed with the implications that the EU General Data Protection Regulation has for businesses. We appreciate the privacy needs of SEAtS users as well as their customers and, as such, have implemented — and will continue to improve — technical and organisational measures in line with the GDPR to safeguard the personal data processed by SEAtS.
Internal Processes, Security and Data Transfers
A large part of GDPR compliance is making sure that there are procedures in place that ensure that data processes are mapped and auditable. We have added elements to our application development cycle to build features in accordance with the principles of Privacy by Design. Any access to the Client Data that we process on your behalf is strictly limited. Our internal procedures and logs make sure that we meet the GDPR accountability requirements in this regard.
We have established a process for onboarding third-party service providers and adopting tools that makes sure these third parties meet the high expectations that SEAtS and its customers have when it comes to privacy and security. We have further launched a datacenter in Germany to store the databases of EU customers, to improve performance and to provide additional assurance that your data enjoys the level of protection envisioned by the GDPR.
Readiness to Comply with Subject Access Requests
Data subjects’ ownership of their personal data is at the heart of the GDPR. We are ready to respond to data subject requests to delete, modify, or transfer their data. This means that our Customer Support Specialists, along with the Engineers that assist them in their work, are well-prepared to help you in any matters involving your personal data, in addition to providing the awesome customer support experience that you are accustomed to.
The Right to Erasure (Formerly the Right to be Forgotten)
Originally known as the ‘right to be forgotten’, broadly speaking this principle dictates that an individual can request for their data to be removed or deleted when there is no compelling reason for a business to continue processing that information. The GDPR legislation has termed this ‘the right to erasure’.
In Article 17 of the GDPR, the right to erasure states that in certain circumstances, an individual can submit a request to the data controller to have personal information erased or to prevent further processing of that data. SEAtS respects this and the right to erasure applies when:
- The personal data is no longer necessary or relevant in relation to the purpose for which it was originally collected
- The individual specifically withdraws consent to processing (and if there is no other justification or legitimate interest for continued processing)
- Personal data has been unlawfully processed, in breach of the GDPR
- The data must be erased in order for a controller to comply with legal obligations (for example, the deletion of certain data after a set period of time)
If one of the above conditions applies under this right to erasure, it is the responsibility of the data controller (SEAtS) to delete and remove the data ‘without undue delay’ and specifically within a month unless specific circumstances apply.
All of the above is supported by extensive training efforts within the company so that the GDPR compliant processes we’ve put in place are followed. Sessions on data privacy and security are an integral part of our onboarding process and each department receives training that is tailored to their work involving personal data.
SEAtS is firmly convinced that meeting GDPR requirements is much more than just checking off boxes in a list. For us, the GDPR is truly a lifestyle of respect to individuals’ privacy and responsibility in handling personal data.