PushCrew has always honored its users’ rights to data privacy and protection. Over the years, we’ve demonstrated our commitment to this by consistently exceeding industry standards. We have no need to collect and process users’ personal information beyond what is required for the functioning of our products, and this will never change. We have a privacy-conscious culture here and GDPR is an opportunity for us to strengthen this even further.
The General Data Protection Regulation (GDPR) is one of the most significant legislative changes made since 1975. To be effective from May 25, 2018, the primary goal of these changes is protection of personal data and rights of EU residents.
The GDPR is an EU-wide privacy and data protection law that regulates how EU residents' data is protected by companies and enhances the control the EU residents have over their personal data.
The GDPR is relevant to any globally operating company and not just the EU-based businesses and EU residents. Our customer data is important irrespective of where the customers are located, which is why we have implemented GDPR controls as our baseline standard for all our operations. GDPR is effective from May 25, 2018.
We have been certified for the following certifications to ensure GDPR preparedness:
PushCrew has put in place processes and procedures to comply with various provisions of GDPR—data subject rights, GDPR core principles, data protection addendum, data deletion, data retention, and pseudonymization, which align with our core values of customer trust and data privacy.
Over the last one year, we have covered a lot of ground understanding and analyzing how GDPR will impact our customers and making appropriate changes to our product and processes. This was possible with the help of a focused group comprising experts on Corporate Security and Compliance and members from our senior leadership. Below is a glimpse of our analysis and the steps we took to ensure we are compliant well in time:
At PushCrew, we take utmost care to ensure that our customer data is secure and easily accessible. While we are constantly working hard to ensure that our internal data practices are GDPR-ready, an equally important part for us is to assist our customers and partners in their journey toward compliance. With that in mind, we have introduced the following updates to the PushCrew platform:
We take utmost care to ensure that our customer data is secure and easily accessible. While we are constantly working toward enhancing our security parameters under the GDPR guidelines, PushCrew includes the following out-of-the-box capabilities geared toward protecting personal data and privacy:
The GDPR is focused on organizational compliance instead of product-level compliance. However, we attach utmost importance on how we build our products and have adopted a Privacy and Security by Design approach. Our products are designed with privacy and security in mind and as a core component of our development process.
As a data controller, you need to ensure that you are compliant with your own obligations under the GDPR. However, if you buy a PushCrew product, we aim to ensure that you can use our product in a GDPR-ready manner, helping you to satisfy your obligations under the GDPR. For example, we design our products to facilitate data minimization and provide better insight into and control over your data flows, to make it easier for you to satisfy your GDPR obligations as a data controller.
PushCrew has strong security policies in place to comply with the GDPR. We maintain a high standard for security and have multiple third-party validations for many of our SaaS offerings. PushCrew payment security adheres to strict PCI standards that include encryption of data in motion and data in rest. We maintain a robust incident response plan, reviewed monthly with annual table top exercises to ensure that we are prepared to respond to any security event. Should we experience a personal data breach that affects you, PushCrew will tell you without undue delay, to enable you to comply with your obligations under the GDPR.
The EU's General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has realized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the current Data Protection directive to suit the changing times. This law creates a comprehensive list of regulations that govern the processing of EU residents' personal data.
The GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.
This law doesn't have territorial boundaries. It doesn't matter where your organization is from—if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.
A breach of the GDPR incurs a fine of up to 4% of annual global turnover or €20 million (whichever is greater).
Data protection by design means ensuring only the required personal data to be collected, and also incorporating privacy features and functionality into products and services from the time they are first designed.
Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (such as name, email, and phone number) and indirect (such as date of birth and gender).
Data protection by default means that businesses must implement appropriate measures to mitigate privacy risks at the time of data collection, as well as by extending it at the time of processing it.
The data controller can choose from 6 data processing bases. These are:
Consent: Also a lawful basis to process data. Consent of the data subject means "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Contract: Applies when you need to process a customer's personal data to fulfill your contractual obligations, or to take some action (such as sending a quote or invoice) based on the customer's request.
Legal Obligation: Applies when you must comply with an obligation under any applicable law (Example: Providing information in response to valid requests, such as an investigation by an authority).
Vital Interests: Applies to urgent matters of life and death, especially with regard to health data.
Public Task: Applies to activities of public authorities.
Legitimate Interests: Can include commercial interests, such as direct marketing, individual interests, or broader societal benefits. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment (LIA).
The data of PushCrew.com customers will reside in the US data centers and that will be certified with EU-US Privacy Shield.
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfer of personal data outside the EU. Data transfers from the EU to outside can be legitimized in many ways including:
PushCrew uses the above-mentioned methods to legitimize data transfers. Therefore, customers do not need to move their data or restrict data to the EU.
Here are some links you can refer to for additional reading on the GDPR:
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period. Unlike a Directive, the GDPR will not require any enabling legislation to be passed by the government; which means it will be effective from May 25, 2018.
The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the location of the companies.
A controller is an entity that determines the purposes, conditions, and means of the processing of personal data; while a processor is an entity that processes personal data on behalf of the controller.
You can refer to the following links for more information about the GDPR and how you can prepare for it.
Please feel free to ask questions and share concerns with us at firstname.lastname@example.org.
Last updated: Oct 15th, 2018