Simpleview and the EU General Data Protection Regulation

Updated as progress continues. Simpleview is committed to data security, privacy and transparency. We have an in-house, cross-functional GDPR task force to oversee and manage the requirements of the GDPR and to implement changes to ensure that our company and our products are compliant with these new regulations. We’ve requested a thorough, third-party review of our business operations and GDPR obligations via TrustArc. In addition, our in-house team will address the effect across our partners and integrations, to help guide and work together on compliance.

We will provide updates on this webpage between now and the May 2018 deadline, communicating the steps we are taking to ensure that both our company and our products are compliant with the GDPR in advance of the deadline. Product updates to meet compliance will also be announced in the client portal.

We recognize that GDPR compliance is a shared responsibility between Simpleview, our clients, and our partners. Therefore, we’re happy to consult and provide guidance on compliance steps or information about partner compliance for our customers upon request.


Commitment to Data Protection

Simpleview has always been committed to data security, privacy, and transparency. You can view our current privacy notice here. We work with Edge Hosting for managed server and site hosting. Edge Hosting is EU-U.S. Privacy Shield Framework certified, which means our hosting has been held to EU privacy standards for protecting data, the same standards that apply to European data centers. We’re also compliant with Canada’s Anti-Spam Laws and guide our partners to meet the same requirements. The GDPR adds new protections for the personal data of EU residents, and we will continue to honor our commitment to data privacy by achieving and maintaining compliance with this important law and by encouraging our data partners to uphold the same responsibility.

Please note that the information shared here is accurate as of the time this web page was published, February 27, 2018. For the most timely, accurate information, please visit the European Commission's Data Protection in the EU page.


FAQs About the GDPR

  1. Who does GDPR affect?
  2. How does the GDPR define “personal data”?
  3. Does GDPR affect me if my company is U.S.-based?
  4. How have consent conditions changed?
  5. Does GDPR apply to contact information we already have collected? Do we have to ask our customers for their permission again, so that the new requirements are met?
  6. What is meant by ‘Right to be forgotten’?
  7. Is the right to be forgotten absolute? [If a customer orders goods, and I need his information to complete the order, do I have to delete that information upon request?]
  8. What if we work with agencies or other 3rd parties?
  9. How is profiling and automated decision making affected by the GDPR?
  10. We keep records of data and store them in cloud services, for example Google Suite. There are data protection tools provided and security rules can be set. Is this enough?


Who does GDPR affect?

  • The GDPR protects European Union residents and citizens, even if they are residing outside of the EU.
  • The GDPR ensures EU citizens the right to the protection of their personal data.
  • The GDPR applies to organisations located within the EU and to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
  • It applies to all companies that process or store personal data of data subjects residing in the European Union, regardless of the company’s location.


How does the GDPR define “personal data”?

  • Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.
  • This can include a name, a photo, an email address, posts on social networking websites, location data, or a computer IP address or cookie string.


Does GDPR affect me if my company is U.S.-based?

  • Yes. If any of your data subjects are EU citizens, you must comply with GDPR requirements.
  • The GDPR protects EU citizens no matter where you are located.
  • The GDPR applies to organisations located within the EU, and it also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
  • It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
  • It applies to controllers and processors of data.
    • A controller determines the purposes and means of processing personal data. For example, most DMOs or marketing agencies would be considered controllers.
    • A processor is responsible for processing personal data on behalf of a controller. For example, Simpleview, our partners, and integrated affiliates are processors.
    • Both are responsible for compliance with the GDPR.
    • The GDPR introduces direct obligations for data processors for the first time.
    • “Clouds” are not exempt from compliance.


How have consent conditions changed?

  • You must obtain consent from the data subject to store and use data.
  • Consent must be active (opt-in), not passive (opt-out).
  • You must be able to demonstrate that consent was given.
  • Consent must be specific and informed, meaning you have to tell data subjects how the data will be used.
  • Requests for consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
  • It must be as easy to withdraw consent as it is to give it.


Does GDPR apply to contact information we already have collected? Do we have to ask our customers for their permission again, so that the new requirements are met?

Yes, GDPR does apply to information collected before May 25th, 2018. It is recommended to re-request consent, and to make sure you are clear and specific about how the information gathered will be used.


What is meant by ‘Right to be forgotten’?

Individuals have the right to have their personal data deleted when it is no longer needed. ‘Right to be forgotten’ is in support of freedom of expression.


Is the right to be forgotten absolute? [If a customer orders goods, and I need his information to complete the order, do I have to delete that information upon request?]

The right to be forgotten is not an absolute right. It can be exercised only if the data is no longer necessary for the purpose for which it was originally gathered or processed. Another case in which personal data cannot be deleted is when another legal obligation or law directly obstructs the deletion (for instance the archiving law – which requires some documents containing personal data to be kept for a time period defined by law).


What if we work with agencies or other 3rd parties?

If they have lists (individuals with their contact information) and they process personal data for your organization on your behalf, you should understand how they are doing it and how the information is protected.


How is profiling and automated decision making affected by the GDPR?

  • The GDPR has provisions on and applies to all:
    • automated individual decision-making (making a decision solely by automated means without any human involvement)
    • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
  • Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other significant effects on them, unless they have given explicit consent.
    • Exceptions apply if the decision is a) necessary for entering into or carrying out a contract between the data subject and the data controller; or b) authorised by Union or Member State law to which the controller is subject and which also provides suitable measures safeguarding the data subject’s rights, freedoms, and legitimate interests.
  • The data controller must implement suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interest, at least the right to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision.


We keep records of data and store them in cloud services, for example Google Suite. There are data protection tools provided and security rules can be set. Is this enough?

Providers of these types of services have to ensure compliance of their services with GDPR. Both Google and Microsoft have announced that they have been working to be in compliance with GDPR, yet it is important to mention that by using these services you are not automatically free from responsibility for complying with GDPR. GDPR impacts your whole organization, and by simply transferring all personal data to others you will not be doing enough to be in compliance.


Simpleview CRM & the GDPR

Simpleview CRM handles a lot of data. How does it help to comply with GDPR?

CRM is only a tool (system) which collects and processes personal data. The security of the system is supported by Simpleview CRM’s features and configuration options, as well as by its communication and database backups, including the necessary anonymization of data. Since GDPR also places organizational and personnel requirements beyond the scope of the software solution, we can provide recommendations about how to use our products together with the needed process and policy changes. Contact your Account Manager for details.

In CRM we keep record of email addresses and phone numbers of our customers’ employees. Will we now need to ask for explicit permission to store them?

It depends on whether you already asked for consent when collecting the information, and why you collected it. If you must process the data in order to provide products or services, then the data can also be minimally processed without consent. For example, you definitely need an address to be able to send a product to a customer. In your case, you have to consider whether or not you really need the contact information of each customer – it depends on your purposes.



Need help preparing for GDPR?

Contact us to find out how Simpleview can help your company secure sensitive personal data in compliance with GDPR.


Please note this webpage, website, and its content are not exhaustive resources on GDPR policy and should not be relied on as legal advice. Because legal information is not the same as legal advice (the application of law to one’s specific circumstances), we recommend consulting a lawyer if you need legal advice on how to interpret the legislation. This content is information for awareness purposes and to inspire you to review your current policies and practices.