What is the EU GDPR?
The General Data Protection Regulation, in place since May 25, 2018, regulates the protection of personal data across the EU member states. The GDPR replaces the previous European Data Protection Directive of 1995. The GDPR applies to organizations both inside and outside the European Union that are processing the personal data of residents and citizens of the European Union (“EU”).
What is the scope of personal data protected by the GDPR?
GDPR is focused on the protection of the personal data of individuals in the European Union. Under the GDPR, Personal Data is defined broadly in Article 4 (1) as follows:
“[A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Examples include a name, a personal e-mail address, a postal address, a phone number and an IP address, as well as any combination of such items that, taken together, identifies an individual.
Does the GDPR require EU personal data stay in the EU?
No. The GDPR does not require EU personal data to be stored in the EU. Transfers outside the EU/EEA are permitted, but they must rest on a lawful transfer mechanism under Chapter V of the regulation, such as an adequacy decision or the European Commission’s standard contractual clauses (see the Data Processing Agreement discussed below).
How does GDPR apply to Quickbase?
The GDPR has different requirements depending upon whether an organization is a “controller” or a “processor” of the applicable personal data. Quickbase processes the personal data of persons in the European Union, both as a “controller” and a “processor”.
For our marketing, customer relationship management, human resources, finance and other related systems, Quickbase is a controller for the personal data that it collects.
As operator of the Quickbase platform, Quickbase is a processor of personal data for which our business customers are the controller. Customers may collect the personal information of EU individuals through their Quickbase apps or through third-party systems, and Quickbase then processes that data on the Quickbase platform on the customer’s behalf.
What steps has Quickbase taken to be compliant with the requirements of GDPR?
In many ways, Quickbase’s preexisting practices and policies allowed us to align with the requirements of the GDPR without major changes. While Quickbase uses sub-processors for certain activities such as log management, email delivery and data center hosting, Quickbase does not and has never shared customer app data with any third party. Quickbase is committed to transparency with regard to our control environment and privacy practices, and commits to informing our customers of any suspected or confirmed data breach promptly (our internal SLA is 24 hours). We have additionally taken the following actions:
- We have built and maintain an accurate inventory of the third-party vendors (sub-processors, in GDPR parlance) with which we share data, and have published our sub-processor list on our website.
- We have named a Data Privacy Officer
- We have created a GDPR-aligned Sub-processor Data Processing Agreement
- We have created a GDPR-aligned Customer Data Processing Agreement
- We have created and documented a right-to-be-forgotten (erasure) process
- We incorporated privacy by design criteria into our Architecture Review Board
- We became Privacy Shield certified in 2017 and updated our Privacy Policy to meet GDPR requirements.
What steps should customers take to be compliant with the requirements of GDPR?
As noted, customers are the controller for the data they collect, store and process in Quickbase apps. The GDPR’s 99 articles set out the rights of individuals and the obligations placed on controllers covered by the regulation. These obligations require organizations to process personal data lawfully and transparently, to limit processing to what is necessary, and to honour data subjects’ rights over their personal information.
Customers may document their rights and establish a lawful basis for transfers of EU personal data to Quickbase by executing Quickbase’s Data Processing Agreement. Because Quickbase acts as a processor for customer app data, the agreement incorporates the European Commission’s standard contractual clauses for transfers from data controllers in the EU to processors established outside the EU or European Economic Area (EEA).
Summary
Quickbase views the GDPR as an opportunity to deepen our commitment to privacy and data protection best practices. As with existing legal requirements, compliance with the GDPR requires a partnership between Quickbase and our customers in their use of our platform.
In addition to ensuring our own compliance with the provisions of the GDPR under our responsibilities as a controller, Quickbase’s updated Data Processing Addendum, available upon request, contains additional provisions to assist customers with their own compliance with the GDPR.
As we move forward, we will continue to align with best practices for the GDPR and data protection. The GDPR is another important component of our security program, which incorporates the industry standards and frameworks designed to protect customers’ data described on our Security and Compliance page.