What is GDPR?
The General Data Protection Regulation (“GDPR”) is the primary data protection and privacy law of the European Union (“EU”). It has applied since May 25th, 2018. The GDPR was designed to strengthen the right to data protection of individuals in the EU and to give them greater control over how organisations collect, process and retain their personal data. It has significantly changed the way personal data is collected, accessed, and stored.
The GDPR builds on long-standing data protection principles, among them transparency, lawfulness, security, and accountability, and imposes a set of obligations on organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU. The GDPR therefore also applies outside the EU: an organisation located outside the EU that processes the personal data of individuals who are in the EU falls within its scope.
Who must comply with GDPR?
Any organisation that processes the personal data of individuals in the European Economic Area, whether for its own purposes (as a controller) or on behalf of another organisation (as a processor), is required to comply with the GDPR, regardless of where the organisation itself is established.
What is Personal Data?
Under the GDPR, personal data means any information relating to an identified or identifiable living individual (the “data subject”). An individual is identifiable if they can be identified, directly or indirectly, for example by reference to a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. Data that identifies someone only when combined with other information that is, or is likely to come into, the controller’s possession is still personal data.
What is Beaconstac’s role with respect to processing its customers’ personal data?
Beaconstac is the processor of the service data that our customers transmit to us for the performance of our services, and the customer is the controller. This means that we process any personal data our customer transmits to us only on that customer’s behalf. While the customer, as controller, is responsible for its own compliance with the GDPR, Beaconstac, as processor, assists the customer with that compliance in accordance with the agreements signed with the customer.
Commitment of Beaconstac toward GDPR compliance
At Beaconstac, we are committed to being GDPR compliant and work hard to ensure that we are up-to-date with new developments to the legislation. We make constant efforts to adopt, implement and maintain industry best practices for data protection and privacy. We continue to make modifications to ensure that, as further guidance emerges from data protection authorities, our process and practices meet new requirements.
Here are some of the steps we have taken toward GDPR compliance:
Data Processing Agreement
The GDPR requires that processing carried out by a processor be governed by a contract with the controller. Our standard terms and conditions include a Data Processing Agreement that applies automatically when you sign up for our services. We work with our legal team to ensure that such agreements incorporate developments in EU data protection law and are kept up to date.
Standard Contractual Clauses:
The GDPR requires that one of its approved transfer mechanisms be in place before personal data is transferred to a third country outside the EU, so that the protection guaranteed within the EU travels with the data. The Standard Contractual Clauses (“SCCs”) are one such mechanism: a set of pre-approved clauses, which the parties may not modify, that are incorporated into the contract between the data exporter and the data importer. Our Data Processing Agreements incorporate the updated SCCs published by the European Commission on June 4th, 2021.
Privacy by Design
We follow the GDPR’s principle of data protection by design and by default, and incorporate privacy into our organisational practices, including product development. Our product is designed with privacy features that apply by default. These include encryption in transit and encryption at rest to secure your data, controls that give the customer more say over how personal data is collected and processed, data portability, and consent management for the data we hold. Customers who build their applications on our platform also receive a number of data protection and privacy management features for those applications. Our product team works closely with our IT and legal teams so that new products, product updates, and features are reviewed for data security and privacy impact before they are released.
Internal policies on data protection
We have established internal policies and processes covering the handling of personal data, response to data subject access requests, handling of governmental requests, and reporting of personal data breaches.
Technical and organisational measures
We implement appropriate technical and organisational measures to protect service data in our possession and to deliver secure products to our customers. These controls are audited under our SOC 2 Type 2 report.
Internal policies for employees
We have also established internal policies, guidelines, and processes governing the handling of personal data by our employees, including policies on access control, confidentiality, data backup, data classification, data retention, data protection, data recovery, encryption, endpoint security, information security, security incident management, media disposal, password management, physical security of our premises, risk management, vendor management and vulnerability management.
Right to Opt-out of marketing communication
We send marketing and promotional emails only where we have obtained consent as required in the EU. Every marketing email we send includes an unsubscribe link, and we maintain a suppression list of recipients who have unsubscribed from our marketing communications so that they are not contacted again.
Accountability and Governance
We recognise the need to ensure that our employees understand the importance of data protection and are trained in the basic principles of the GDPR. We run training programmes for employees who handle personal data in the course of their work to familiarise them with GDPR compliance. We also implement measures that allow us to demonstrate that we fulfil our obligations under the GDPR.
We are committed to providing data privacy and security to our customers in accordance with industry best practices. To this end, we hold a SOC 2 Type 2 attestation report, which confirms that we have stringent data protection policies and measures in place to protect your service data.
We conduct due diligence to evaluate the security, privacy and confidentiality practices of our vendors before engaging them, and we execute agreements that impose GDPR-equivalent obligations on them.
If ever you need to know more about our compliance with GDPR, please send an email to email@example.com
The content above is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with your legal and other professional counsel to determine exactly how GDPR may or may not apply to you and compliance with GDPR as applicable to you.