GDPR Notice
On May 25, 2018, the General Data Protection Regulation (GDPR) became fully enforceable across the European Union (EU), setting a higher standard for the protection, privacy, and security of personal data of people in the EU. The GDPR applies to the processing of that data regardless of where in the world the processing takes place, so it reaches any organization that handles the personal data of individuals in the EU, whether or not the organization itself is established there.
The GDPR strengthens and modernizes EU data protection law and enhances individual rights and freedoms, consistent with the European understanding of privacy as a fundamental right. Among other things, it regulates how individuals and organizations may obtain, use, store, and remove personal data. In a nutshell, it gives people in the EU control over their personal data while simplifying the regulatory environment for international business conducted in the EU.
The Data Protection Principles include requirements such as:
- Personal data must be processed lawfully, fairly, and transparently, and only in ways a person would reasonably expect.
- Personal data may only be collected for a specified purpose and may only be used for that purpose. Organizations must state why they need the personal data at the time they collect it.
- Personal data may be kept no longer than necessary to fulfill that purpose.
- People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and ask that it be corrected, deleted, restricted, or moved to another organization (data portability).
Why is it important?
The GDPR adds new requirements for how companies must protect the personal data they collect and process. It also raises the stakes for compliance by strengthening enforcement and imposing larger fines for non-compliance. Beyond that, it is simply the right thing to do. At Accept Mission we strongly believe that your data privacy matters, and we already have solid security and privacy practices in place that go beyond the requirements of the GDPR.
Does Accept Mission offer a DPA?
Accept Mission is committed to GDPR compliance, and there are no shortcuts when it comes to meeting these requirements. We offer a data processing addendum (DPA) for customers who collect data from individuals in the EU. Our DPA contains contractual terms that meet GDPR requirements and reflect our data privacy and security commitments to our customers.
Our DPA is already part of the Terms of Service, so no further action is needed on your part. If you have any special DPA needs, feel free to contact us. You can always link to https://www.acceptmission.com/gdpr-notice/ or download this page as a PDF when you need to document that Accept Mission is a GDPR-compliant data processor.
Is Accept Mission GDPR compliant?
Yes. Our Terms of Service have been updated to reflect strict GDPR requirements and compliance. We work with the best in the market to ensure complete compliance and data safety so you can rest easy.
An extensive standardized DPA has been added as an extension of our Terms of Service; it includes the relevant information on data processing along with a list of sub-processors.
We have left no stone unturned, meticulously reviewing our product, its processes, and its procedures to make sure we meet the necessary GDPR standards:
- Privacy Policies / Legal
Compliant. Updated policies and contract language and DPAs.
- Data Protection / Security
Compliant. Updated guidelines, implemented two-factor authentication, and audited vendors and IT systems.
- Data Subject Rights (DSR)
Compliant. Developed processes for DSR requests.
- Data Management / Mapping
Compliant. Completed data mapping and inventory of systems that manage personal data, including implementation of data retention guidelines, data minimization standards, and de-identification methods.
- Awareness / Training
Compliant. Conducted training and implemented additional data controls at the functional level.
- Data Breach Notification
Compliant. Updated the enterprise Security Incident Response Plan and database access logging.
Which Sub-Processors Does Accept Mission use?
We only work with industry-standard service providers for Our Service, so that we can supply a service that meets the highest standards of availability, stability, security, and privacy. In other words, we are building on the shoulders of giants. The current list of sub-processors is included in our DPA.
Are your Sub-Processors also GDPR compliant?
Yes. We have written Data Processing Agreements ("DPA") in place with all Our Sub-Processors.
Training and Awareness
We have formed a core privacy team of leaders from each area of the Accept Mission business, headed by our internal Data Protection Officer (DPO). The representatives in this group are the project managers who ensure that all GDPR requirements are covered, from Marketing to Engineering to People Ops.
Data Inventory
We have reviewed and identified every area of Accept Mission where we collect and process Customer data, categorizing and inventorying everything from cookies to help desk conversations. Using this matrix, we have validated our legal basis for collecting and processing personal data and double-checked that we apply the appropriate security and privacy safeguards across our entire infrastructure and software ecosystem.
Risk assessment
The GDPR requires a data protection impact assessment (DPIA) for processing that is likely to result in a high risk to individuals, so a managed DPIA process is a must. A DPIA is simply a structured way to identify and minimize the data protection risks of a project. The Accept Mission engineering team has always applied security and privacy due diligence when making tooling and implementation decisions, so this requirement is an easy one for us.
Whenever we introduce a change to the way we handle personal data, we discuss the potential impact on Accept Mission Customers and the possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution that mitigates that risk for everyone who interacts with the Accept Mission platform. We will continue to run this risk assessment process as we expand the Accept Mission offerings.
Breach management
We already have a breach management and communication plan in place and have updated this existing process to comply with the GDPR rules on escalation and notification: where required, the supervisory authority must be notified within 72 hours of our becoming aware of a personal data breach, and affected data subjects must be informed when the breach is likely to result in a high risk to them.
Your rights under GDPR
Consenting to our Terms of Service is an active step in the sign-up process. You are also free to opt out and be forgotten under the GDPR right to erasure (the "right to be forgotten"). When you delete content in your Space, such as a member, all of that member's data is permanently deleted from our user database, and any peripheral data, such as ideas they contributed, is reassigned to an anonymous placeholder.
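The erasure behaviour described above (delete the member row, reassign the member's ideas to an anonymous placeholder) is easy to get subtly wrong: the two steps must succeed or fail together, and reassigning ownership does not remove identifiers that other users typed into free text. The following is an added illustration, not Accept Mission's own code; the schema, the `members`/`ideas` tables, the placeholder member with id 0, and the sample rows are all assumptions constructed for this example.

```python
import sqlite3

# Assumed schema and placeholder id; the page does not describe Accept Mission's actual database.
PLACEHOLDER_ID = 0


def setup_db() -> sqlite3.Connection:
    """Build a constructed in-memory database with a placeholder member and sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(
        """
        CREATE TABLE members (
            id    INTEGER PRIMARY KEY,
            name  TEXT NOT NULL,
            email TEXT
        );
        CREATE TABLE ideas (
            id        INTEGER PRIMARY KEY,
            member_id INTEGER NOT NULL REFERENCES members(id),
            title     TEXT NOT NULL
        );
        -- constructed sample rows (not real people)
        INSERT INTO members VALUES (0, 'anonymous', NULL);
        INSERT INTO members VALUES (1, 'Alice Example', 'alice@example.com');
        INSERT INTO members VALUES (2, 'Bob Example', 'bob@example.com');
        INSERT INTO ideas VALUES (10, 1, 'Faster onboarding');
        INSERT INTO ideas VALUES (11, 1, 'Ping alice@example.com about the pilot');
        INSERT INTO ideas VALUES (12, 2, 'Dark mode');
        """
    )
    return con


def erase_member(con: sqlite3.Connection, member_id: int) -> dict:
    """Right-to-erasure step: move the member's ideas to the placeholder, then delete the member row.

    Both statements run in one transaction, so a failure cannot leave the member row in place
    after its ideas were moved, and the foreign key rejects ideas pointing at a deleted member.
    """
    if member_id == PLACEHOLDER_ID:
        raise ValueError("refusing to erase the anonymous placeholder")
    with con:  # commits on success, rolls back on exception
        reassigned = con.execute(
            "UPDATE ideas SET member_id = ? WHERE member_id = ?",
            (PLACEHOLDER_ID, member_id),
        ).rowcount
        deleted = con.execute("DELETE FROM members WHERE id = ?", (member_id,)).rowcount
        if deleted == 0:
            raise LookupError(f"no member with id {member_id}")
    return {"ideas_reassigned": reassigned, "members_deleted": deleted}


def residual_pii(con: sqlite3.Connection, needle: str) -> list:
    """Audit step: list every TEXT cell in every table that still contains the given value.

    Ownership reassignment does not scrub identifiers users typed into free text, so an
    erasure job should run this check afterwards and treat any hit as work still to do.
    """
    hits = []
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:  # identifiers come from the schema itself, not from user input
        text_cols = [r[1] for r in con.execute(f"PRAGMA table_info({table})") if r[2].upper() == "TEXT"]
        for col in text_cols:
            rows = con.execute(f"SELECT id FROM {table} WHERE instr({col}, ?) > 0", (needle,)).fetchall()
            hits.extend((table, col, r[0]) for r in rows)
    return hits


def scrub_text(con: sqlite3.Connection, needle: str, replacement: str = "[redacted]") -> int:
    """Replace the value in every free-text cell reported by residual_pii; returns cells changed."""
    changed = 0
    with con:
        for table, col, row_id in residual_pii(con, needle):
            changed += con.execute(
                f"UPDATE {table} SET {col} = replace({col}, ?, ?) WHERE id = ?",
                (needle, replacement, row_id),
            ).rowcount
    return changed


if __name__ == "__main__":
    db = setup_db()
    print(erase_member(db, 1))                       # {'ideas_reassigned': 2, 'members_deleted': 1}
    print(residual_pii(db, "alice@example.com"))     # [('ideas', 'title', 11)]  -- leaked into free text
    print(scrub_text(db, "alice@example.com"), residual_pii(db, "alice@example.com"))  # 1 []
```

The point of the audit step is that "deleted from the user database" and "no longer present anywhere" are different claims; an erasure job that only reassigns ownership will pass the first and fail the second whenever a colleague pasted the member's email into an idea.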
You are always welcome to contact us if you would like to access, correct, amend, or delete information that we hold about you.
Clear and concise legal terms
At Accept Mission we practice transparency internally, and we believe that transparency extends to our customers. In our updated Terms of Service and Privacy Policy we openly describe which personal data we collect and process, why, how we use it, who we share it with, and how long we store it. We have always tried to keep the language in these documents as clear as possible, and we have updated them to describe how we respect and protect your personal data. We hope you find them concise, transparent, intelligible, and easily accessible.
Consent
We have updated our cookie policy to give you complete transparency into what is set when you visit our site and how it is used. On the cookie policy page you can also read about the steps you can take to control how your browser handles cookies.
Individual Data Subject’s Rights
We are committed to helping our customers meet the data subject rights requirements of the GDPR. Accept Mission processes and stores all personal data only with fully vetted vendors with which we have a DPA in place. We store all conversation and personal data for up to 6 years unless your account is deleted, in which case we dispose of all data in accordance with our Terms of Service and Privacy Policy within 60 days. Records of legal transactions between Customers and Accept Mission are kept for up to 10 years. We understand that if you work with EU customers you must be able to let them access, update, retrieve, and remove their personal data, and we will assist you with any such GDPR-related request free of charge.
We are here for you
We work with our customers to answer any questions and address any concerns about how we protect their personal data in accordance with the GDPR. If you have any questions, please do not hesitate to reach out.
Accept Mission
Van Nelleweg 1,
3044 BC, Rotterdam