Is Proxycurl Compliant with GDPR?
On May 25, 2018, the European Union began enforcing the EU General Data Protection Regulation (GDPR) in an effort to strengthen the security and protection of the personal data of EU residents. The GDPR has different requirements depending on how your business interacts with personally identifiable user data (PII).
Personal data means data which relate to a living individual who can be identified –
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Data controllers are companies that supply goods or services to EU residents, or that track or monitor EU residents and decide why and how data is collected and processed. If you collect data about EU residents or you employ residents of the EU, you are considered a data controller under the GDPR. One of your requirements as a data controller is to work only with compliant data processors.
Data processors are vendors or businesses that process data on behalf of data controllers. As an enrichment API platform and SaaS provider, Proxycurl is considered a data processor when acting on your behalf.
Below is a list of the commitments Proxycurl makes as one of your data processors:
- A Data Processing Agreement (DPA): Our DPA reflects the additional requirements of the GDPR.
- Secure data transfer and storage outside the EU: Transfers of personal data outside the European Economic Area (EEA) are permitted as long as certain safeguards apply. Our DPA contains the EU Model Clauses, which are industry standard for data safety. This means that Proxycurl agrees to protect any data originating from the EEA in line with European data protection standards.
- Technical and organizational security measures: Proxycurl takes a holistic, risk-based approach to security. This means the platform restricts and secures data access and provides continuous incident monitoring.
- Processing according to controller instructions: We process data according to instructions from the data controller (our clients).
- Prompt breach notifications: Proxycurl will promptly inform you of any incidents involving your data.
As a data controller, you will be managing individuals’ requests to exercise their rights as defined by the Regulation. To help you comply with user requests related to the right to erasure (the right to be forgotten), the right to object (the various rights to halt certain processing), and the right to restrict processing (the right to restriction), Proxycurl will support:
- Deletion requests: We make it easy for you to honor requests related to the right to be forgotten. Just send an email to [email protected] to request a deletion.
- Automatic suppression: To help you comply with requests related to the right to object or restrict, any PII associated with a deletion request that you submit via email to [email protected] will automatically be placed on a suppression list. For any PII on the suppression list, we will block all incoming personal data pertaining to that PII.
- Honor the rights to access and portability: Under the GDPR, EU residents have a right to access their personal data and are entitled to obtain their personal data in a commonly used format, such as a CSV file. Proxycurl enables you to compile all data you have submitted or collected about a person and export it in a structured format such as a CSV or JSON file.
- Rectify user data: The GDPR also empowers individuals to correct any personal data that is deemed inaccurate or incomplete. Proxycurl will update data about a user upon the request of a client submitted via email to [email protected]. Data about the user will be suppressed until the requested changes are verified.
If you have any questions about the GDPR or want to learn how Proxycurl helps you be compliant, please contact us at [email protected].