The General Data Protection Regulation (GDPR) of the European Commission takes effect on May 25, 2018. It was created to protect the personal data of citizens of countries in the European Union (EU). In practice, this means that every business worldwide that handles the personal information of EU citizens must comply with the GDPR.
What is the GDPR?
The GDPR is a data protection law designed to enhance the privacy and data security of citizens of the European Union (EU). Its primary principle is to give consumers control over the personal data that companies collect about them. The legislation affects not only EU-based businesses but also any company outside the EU that offers goods or services to EU citizens or monitors their online behavior. Additional information regarding the GDPR can be found on the European Commission website.
How Does the GDPR Affect You?
The GDPR means more transparency and visibility of how our company processes your personal data. No matter your location, implementation of the GDPR means that customer data is now safer than ever.
What are Some Data Types that the GDPR Covers?
- Standard identity information such as your name, address, and phone number
- Digital data such as your location, IP address, and information collected through cookies
- Ethnic or racial information
CommonAccess and the GDPR
We want to be transparent about the data that we and any of our vendors may collect, and about how that information will be used, so that our users have control over their personal information. That is why we ensure the following for our clients:
Legal Basis for Processing
- We have reviewed the purposes of our processing activities and selected the most appropriate legal basis for all activities.
- We can ensure that the processing is necessary for the relevant purpose and are satisfied that there are no other reasonable ways to achieve that objective.
- We have documented our decision on which legal basis applies, to help us demonstrate our compliance with the GDPR.
Consent and Opt-Out Options
- Where we rely on consent, we ensure that it is the most suitable legal basis for the processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We don’t use pre-checked boxes or any other default consent methods.
- We only use clear, everyday language that is easy to understand; no tech jargon here.
- We state why we want any data and let our clients know what we’re going to do with it.
- We give separate distinct (‘granular’) options to consent to different purposes and types of processing.
- We name our organization and any third-party vendors who will be relying on the consent.
- We inform all of our clients that they may withdraw their consent.
- We ensure that individuals may refuse to consent without prejudice.
- We avoid making consent a precondition of a service.
- We currently do NOT offer online services directly to children; however, if any future products or services are made available to persons under the age of 18, we will only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
- We keep records of how we obtain consent from our users.
- We keep a record of exactly what we tell our users when seeking consent.
- We regularly review consent to check that the relationship, processing and/or the purposes have not changed.
- We use privacy dashboards or other preference-management tools as a matter of good practice.
- We make it easy for our clients to withdraw their consent at any time.
- We quickly act on withdrawals of consent (24-48 business hours).
- Anyone who wishes to withdraw consent may do so without penalty.
- We know how to recognize a request for deletion and we understand when the right applies.
- We have processes in place to ensure that we respond to a request for erasure without undue delay and within thirty (30) days of receipt.
- We have procedures in place to inform our clients if we erase any data that we have previously shared with them.
We provide users with the following privacy information:
- The name and contact details of our company.
- The purposes of processing.
- The legal basis for processing.
- Any and all legitimate interests for the processing.
- The recipients and/or categories of recipients of the personal data.
- The retention timeframe for all collected personal information.
- The user’s rights concerning processing.
- The right to withdraw consent.
- The right to lodge a complaint.
- We know how to recognize a request for modification, and we understand when this right applies.
- We have procedures in place to ensure that we respond to a request for modification without undue delay and within thirty (30) days of receipt.
- We have appropriate systems to correct or complete information.
- We have plans in place to inform our users if we modify any data we have shared with them.
- As part of our approach to the GDPR, we are strengthening, and will continue to strengthen, our security measures across all platforms.
- In addition to industry-standard practices around encryption, our team is continuously improving our systems for authentication, authorization, and auditing to better protect our clients' data.
- We will provide further details on these security measures as they are implemented, via our client dashboard and via email.
Sub-Processors We Authorize to Process Client Data for Our Services
CommonAccess and its affiliates have integrated with a range of third-party sub-processors.
These third-party sub-processors include:
Active Campaign: https://www.activecampaign.com/privacy-policy/
Amazon Web Services (AWS): https://aws.amazon.com/privacy/
Google Analytics: https://policies.google.com/privacy
If you have additional questions concerning your personal data, email us at firstname.lastname@example.org