What is GDPR
The European Union’s General Data Protection Regulation (GDPR), which becomes effective on 25 May 2018, is a new regulation that extends the protection of Personal Data for European Union citizens. Under the GDPR, companies have new obligations regarding Personal Data collection and processing.
Retently complies with GDPR and will take every step required to ensure our Clients’ Personal Data security, as data collector and processor.
Retently as Data Processor
Our Clients have the possibility to import to Retently the data subjects (“contacts”, “customers”) that they control. The contacts’ information may include Personal Data such as full name, email address, company name, title, location, and any other kind of data that can be attached as tags for further segmentation of contacts.
We have no direct relation with our Clients’ contacts, but we only store and process data, therefore, Retently acts as Data Processor.
We have added a set of new features to make sure that we as Data Processor, as well as our Clients as Data Controllers, comply with the GDPR regulations.
The changes are mostly related to the right to withdraw consent and the right to be forgotten. Now, data subjects (in this instance “contacts”) have the following options:
- Data Processing Opt-Out: Contacts can unsubscribe from surveys, which means that Retently will stop processing their data. Our Clients will not be able to send any further surveys to contacts that unsubscribed, or contact them through our service.
- Access, Correction, and Deletion: Contacts can request to view their Personal Data that Retently processes, ask to view all their collected data while using our service, and request our Clients to correct or delete their information. Clients can export all their contacts’ personal information and other data that may have been collected using Retently (ex: survey responses).
Since Retently is acting as Data Processor, it’s the Client’s responsibility as Data Collector to satisfy data subjects’ requests by doing so directly or ask our team to do it (we reserve the right to charge for volume).
Retently as Data Controller
In our role as Data Controller to our data subjects, we have implemented the following changes:
Consent to collect and process information
Retently does not include automated check marks to obtain a customer’s consent.
Withdraw consent and data deletion
Clients can withdraw their consent at any time during their lifecycle by canceling their subscription, which means that Retently will stop processing their Personal Data.
Our data subjects can also view all their data Retently has collected or is processing, and can choose to permanently delete their account and all associated data. Once an account is deleted, it will also be removed from all our third-party services Retently is using, while our data security team will make sure no residual information is left.
Right to Access Data
Clients can request our team to hand over of any of their collected information, or their contacts’ information, in a common format, without any additional charge.
Data Protection Officer (DPO)
Retently has appointed a DPO to make sure that our service is fully compliant with GDPR, including all future updates in relevant regulations. The DPO will constantly monitor Personal Data processing activities, will make sure that security checks are made on a strict regular basis, will deal with Data Security requests from our Clients and their Data Subjects, and will supervise Data Removal audits.
The DPO will also make sure that the third-party services Retently is using for its operations are GDPR compliant, or can provide any other certification to ensure that data transfers are made securely.
Personal Data security
Retently has implemented and maintains reasonable, commercially acceptable security procedures and practices, appropriate to the nature of the information we store, in order to protect it from unauthorized access, destruction, use, modification, or disclosure.
However, please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the Personal Information we have collected from you.
How we store data
Your Personal Information collected through our service will be stored, processed or transferred based on your location.
- USA: If you are located in the United States, your Personal Data will be stored and processed in the USA. Retently leases dedicated servers in SoftLayer’s data centers in the USA.
- Personal Data transfer: Please note that in order to ensure full efficiency of our processes and to be able to provide you our service, your Personal Data, as well as the Personal Data you control, may be shared with third-party services that are located in the USA or another country. We take all required measures to make sure that our third-parties comply with GDPR and can also provide any other certifications to ensure a secure Personal Data transfer and storage.
- Other countries: Your Personal Information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.
Access to your Personal Data and Data Subjects you control
A number of key employees may have access to your Personal Data. Below we will list all the people who have access to your data, what is their role in our company, and to what degree they can access or modify your data:
- Product Management team (access: web interface): Use Personal Data to get in touch with Clients, analyze user behavior and for troubleshooting. The lead Product Manager can modify or remove Personal Data from third-party services; doesn’t have access to data stored on servers.
- Customer Success team (access: web interface): Use Personal Data to get in touch with Clients, analyze user behavior and for troubleshooting. Can not modify, export or remove Personal Data; does not have access to data stored on servers.
- Development team (access: web interface and/or source code): Use Personal Data for troubleshooting. Does not have access to stored Personal Data.
- System administration team (access: source code, server infrastructure, backups): might use Personal Data for troubleshooting and service monitoring; can modify or remove data under the supervision of the Data Protection Officer.
The access to Personal Data is authorized by the Chief Executive Officer (CEO) and the Data Protection Officer. An employee is given access to our admin panel or third-party services that store Personal Data. The access is given, but not guaranteed, for the whole period of employment at our company.
Before being granted access to Clients’ Personal Data and their Data Subject, new employees pass an on-boarding training. Clients and customers’ data handling are extensively covered during the on-boarding.
Employees are provided a corporate email address that they use to sign up and/or log in to the admin panel, and third-party services. Each email address is set up to provide access to the admin panel and third-party apps with limited roles that are decided by the CEO and DPO. Email addresses are disabled by the DPO at employee’s contract termination, therefore removing all access to Clients’ Personal Data and their Data Subjects.
We backup Clients’ Personal Data, and the data they have imported to Retently or collected with our service on dedicated servers leased with Hetzner Gmbh, in Germany.
Personal Data is retained during the subscription period of an active client. If a client cancels the subscription, we reserve our right to keep the data for up to 90 days, so returning Clients can resume their activity in the account. After the 90 days period expires and the client did not reactivate the account, all data is deleted.
Personal Data can and will be removed upon a data subject’s request.
Retently has in place two main security levels to keep processed Personal Data secure.
- 1 level (web interface): We control employees’ data access and actions within our product or third-party services where we store Personal Data.
- 2 level (server-side): Firewalls, all data transfer is encrypted with SSL, 24/7 monitoring.
Accounts with admin access require two-factor authentication and only the CEO and DPO have access to credentials, therefore no unauthorized employee can access them.
Notifications and alerts have been set up to notify the CEO and DPO whenever Client or customer’s data is being exported.
Personal Data destruction
Retently is responsible for destroying the stored Personal Data at the end of the retention period.
CEO & DPO can authorize Personal Data destruction. If authorized, the data is digitally removed from our system and backups.
At the end of the destruction procedure, our Server administration teams will perform an audit to check if all relevant PII has been destructed and will provide reports upon request.
Handling data breaches
In the event that Personal Data is compromised due to a breach of security, Retently, as Data Controller, will notify our country’s supervisory authority of data breaches, as well as our Clients, within seventy-two (72) hours after the breach has been detected (unless the data is encrypted or anonymized), in compliance with applicable law.
We will also take any needed measure to mitigate the consequences of the data breach.