What is GDPR?

GDPR is a European privacy law enacted on May 25th, 2018. It has four basic requirements:

Transparency 

Whenever you ask for someone’s personal information, you must disclose how the information will be used. 

Legitimate reason for using personal information 

The best reason for using someone’s personal data is with their consent. Without their consent, you may still have a legitimate reason (such as a legitimate interest), but it may be harder to prove as legitimate. 

New rights afforded to data subjects 

People have the right to know what data you store about them, to obtain a copy of it from you, to withdraw consent to your use of their data, or to have it deleted. 

Protection of personal data 

You should protect personal data at all times. It is recommended that you encrypt sensitive data about a person whenever possible. Sharing it with third parties is prohibited without consent. 

Failing to abide by GDPR can result in fines of up to $20MM or 4% of annual revenue. 

In the few decades after the internet was commercialized, technology has transformed how we live and work. We ask Google personal questions, read Fox or CNN, send private messages through Facebook, and buy private personal effects on Amazon – these actions say a lot about us. And all of this data is stored, mined, and sometimes traded, with consumers having little control over the process. 

Increasingly frequently, that data is being lost or misused. The Equifax data breach demonstrates that even the largest companies holding the most sensitive data can lack the basic safeguards necessary to protect us. Meanwhile, social networks and search engines mine and monetize us through our data in ways we don’t know. These are real and growing problems that GDPR aims to address. 

GDPR applies to you if you meet any of the following conditions: 

  • You have customers in the EU 
  • You provide services (paid or free) to EU citizens 
  • You market to EU citizens 
  • You monitor the activities of EU citizens 

If you are outside the EU and run an exclusively local business, you don’t have to worry about GDPR. A flower shop in rural Ohio is unlikely to face the burden of complying, even if someone from the EU stops by your website and is captured by your analytics software. 

It is not your company’s size but whether EU residents could be seen as part of your target market that determines whether you need to comply with GDPR. That means a small SEO company that accepts business internationally is still bound by GDPR.

Our practices, policies, and products fully adhere to GDPR 

  • You will only receive communications that you consent to receiving, and can opt out at any time. 
  • Our privacy policy and terms of service are visible, clear and comprehensive about what data we collect, its uses, and your rights to control it. You can grant or rescind consent to these policies and terms. 
  • You can ask us for a data processing agreement (DPA) that states how we process your data. Email us at legal@numonixrecording.com, or find it on the billing page. 
  • We only share data with third parties with your direct consent, or if you agree to terms or policies that include those third parties. All our third-party data processors comply with GDPR. We never have sold and never will sell your data to third parties or use it for advertising. 
  • To our knowledge, our users’ data has never been compromised. To ensure your data’s protection, we only store data we have consent to store, unless it’s required to provide you with service, or where we have a legitimate interest. 
  • We encrypt sensitive personal data whenever needed to keep your privacy safe, and whenever this can be done without compromising one of the aforementioned purposes. 
  • You can ask us to see, correct or erase your data, stop us from processing it, or request a copy by emailing us at legal@numonixrecording.com. 
  • We have appointed a Data Protection Officer that you can contact by emailing [email protected] 
  • We’re arranging similar GDPR-ready data processing agreements with our Vendors. 
  • Persistent disk-level encryption 
  • Automate the request, collection, and use of consents from leads and contacts 
  • Encrypt lead and contact fields at rest 
  • Audit user access and modification of encrypted data 
  • Double opt-in mechanisms for email marketing 

Please note: some of the above features require a specific tier of IXCloud or subscription.

Start your journey to comply with GDPR 

When you use Numonix & IXCloud, you can trust that your data is safe and that you always have the tools necessary to comply with GDPR. However, the tools must be utilized in the right way. To that end, we recommend learning about GDPR, then updating your policies, practices, and procedures to comply with GDPR. 

To start down that path, it’s helpful to read the full GDPR text (without endorsing this source, it’s available here). Then find third-party sources to learn best practices. Lastly, create a data protection team and make whatever changes are necessary to ensure compliance. 

Data Processing Agreement: What to Know

A Data Processing Agreement (“DPA”) is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data. Article 28(3) of the General Data Protection Regulation (“GDPR”) requires that controllers, processors and sub-processors must enter into written contracts or DPAs to share personal data.
If your company is subject to the GDPR and you are transmitting personal data to the Numonix services for processing, then you should sign the DPA.
The Numonix DPA consists of the following parts:
  • The main body of the DPA
  • Schedule 1: Standard Contractual Clauses (Module 2: Controller-to-Processor)
  • Annex I: Details Of Processing – this schedule contains specific details of the types of data and the categories of data subjects involved in the processing activity.
  • Annex II: Technical And Organizational Measures
  • Annex III: Sub-Processors
If your company is subject to the GDPR but doesn’t have offices in the EU, the DPA still applies to your organization.

Yes, Numonix’s current DPA includes provisions to assist customers with their part of GDPR compliance.

The Numonix DPA is specific to Numonix Cloud services and interoperates seamlessly with its Terms of Service and other relevant documentation. The Numonix DPA covers the specific processes and procedures for certain notifications related to privacy, audits, security measures, and sub-processing activities. Using your own organization’s DPA is restricted to exceptional cases that need to be examined on a case-by-case basis.
The Numonix DPA is an extension of our Terms of Service and reflects our compliance with GDPR requirements as applicable to our products. Just as with our standard Terms of Service, we cannot make any changes to our DPA on a customer-by-customer basis.
The Numonix Data Processing Addendum incorporates the EU Controller-to-Processor Standard Contractual Clauses as a transfer mechanism for Customer Data.
Numonix recommends consulting with your legal advisor to assess the potential impact that your decision not to sign the DPA may have on your particular situation.
We store data in Azure Cloud data centers located in the appropriate regional data centers. We have data centers in the United States, Germany, the United Kingdom, Australia, South Africa, and US Gov Cloud, among others. Data is stored in the data center for the applicable data region to ensure the data residency chosen by the End Client.
Numonix Subscription Service Agreement and DSR pros
Does Numonix assist my company in responding to Individual Rights Requests (Subject Access Requests)?
The Numonix Subscription Service provides you with some controls to assist Data Subjects in exercising their rights under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects (“Data Subject Requests”). To the extent that Numonix can (since the data is encrypted), if you’re unable to address a Data Subject Request through the Subscription Service independently, then upon your written request, Numonix shall provide you with reasonable assistance to respond to any Data Subject Requests, or to requests from data protection authorities relating to the Processing of Personal Data under the Agreement. You shall reimburse Numonix for the commercially reasonable costs arising from this assistance. If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Numonix, Numonix, if it can identify the end customer/tenant, will promptly inform you and will advise the Data Subject to submit their request to you directly. You shall be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
Upon termination, cancellation, expiration or other conclusion of the Agreement, Numonix offers the Customer a two-week grace period to download or extract their data, after which all Customer Data (tenant data) is securely deleted following the procedures and timeframes specified under Data retention and deletion.
Numonix maintains security incident management policies. Numonix commits to notifying its customers without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data processed by Numonix, a third party or its Sub-processors.
Who can I contact with questions regarding GDPR?
If you have questions or concerns about how we handle your information, please direct your inquiry to Numonix, the Data Protection Officer, at [email protected].