Smartwaiver and GDPR

Updated: January 2, 2020

What is the GDPR?

The General Data Protection Regulation, or GDPR, took effect on May 25, 2018. This privacy law provides European individuals with certain rights over their personal data including a right to access, correct, delete, and restrict processing of their data. The GDPR regulates the “processing” of data which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU.

Smartwaiver GDPR Compliance

Smartwaiver's tools and processes are compliant with the GDPR. Smartwaiver is also Privacy Shield certified, which means we can lawfully collect, receive, and process personal data from the EU and beyond. We are committed to offering services and resources to our customers to help them comply with GDPR requirements that may apply to their activities.

Are Smartwaiver customers GDPR compliant?

Compliance with the GDPR requires a partnership between Smartwaiver and our customers in their use of our services. Smartwaiver’s Terms of Service outlines our customers’ obligation to lawfully obtain and process all personal data appropriately.

If you collect EU residents' personal data, you are likely to be classified as a “Data Controller” under the GDPR. This means you will have some additional obligations around such things as data subject rights. We urge you to understand these obligations and seek legal advice where you think necessary.

What is Personal Data?

The GDPR definition of personal data includes what we typically consider personally identifiable information (PII)—name, passport number, birth date, etc.—but, it also includes data that we might consider to be non-PII, like IP addresses or device IDs.

For a comprehensive list of what the GDPR considers personal data, please read Article 4(1) of the GDPR. Additionally, included in the definition of personal data is a subset of data known as “special categories of personal data.” Special categories of personal data is a specific list of data, expressly set out in the GDPR, and includes things like race, religion, political opinions, health data, etc.

Key Principles of the GDPR

Businesses should keep in mind the following principles as you implement software that collects personal data.

1. Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
2. Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
3. Personal data held needs to be kept up-to-date and accurate. It should be held no longer than necessary to fulfill its purpose.
4. EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.
5. All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer (DPO).

What has Smartwaiver done to prepare for GDPR?

Smartwaiver enthusiastically embraces the GDPR and the strong data privacy and security requirements it emphasizes.
Steps Smartwaiver has taken to ensure GDPR compliance include:

1. Smartwaiver is Privacy Shield certified. By complying with the Privacy Shield Principles, we can lawfully collect, receive, and process personal data from the EU and Switzerland in the US and beyond.
2. Making available a GDPR-compliant Customer Data Processing Agreement for Smartwaiver’s processing of personal data under the GDPR on behalf of its customers. If your use of the Smartwaiver service requires Smartwaiver to process personal data within the scope of the GDPR, Smartwaiver’s GDPR Data Processing Addendum is available for e-signature here.
3. Vendor agreements review: To ensure that our customers’ personal data is protected all the way down the sub-processing chain, we proactively review vendor agreements and ensure GDPR-compliant terms are in place with vendors and service providers who process GDPR personal data on our behalf.
4. Making behind the scene changes to ensure that the Smartwaiver platform and services are GDPR compliant and support GDPR rights: Including implementing changes focused on record deletion, waiver privacy policy viewing, opt-in consents, and cookie consents. Smartwaiver is also available to help our customers respond to any data subject requests.
5. Evaluating our Privacy and Cookie Notices and making any updates as needed.

Provisions and definitions of GDPR and how they may relate to your business.

Data Processor vs. Data Controller

Data Controller:

If you are a Smartwaiver customer that collects data from EU subjects, under the GDPR, you are considered a data controller. The controller is a person or organization that determines the purpose of processing personal data. You therefore have the responsibility to ensure that you are fulfilling your obligations under the new GDPR regulations which includes maintaining the lawful processing of personal data of your customers.

A Controller’s General Obligations:

As a controller, you and your organization are required to process data in accordance with GDPR, including (but not limited to):

1. Establishing a process to identify and report data breaches within the timeframes of the GDPR
2. Ensuring that the processed personal data is adequately protected
3. Informing your customers how their data is processed
4. Determining what personal data is processed and for what purposes.
   

Each of your EU customers has the following rights:

1. Right of information and access
   An individual can require information be given regarding the personal data that is being processed, including the purpose of the processing and how long the data will be retained.
2. Right to rectification
   An individual can require that incorrect personal data be edited.
3. Right of portability
   An individual can require personal data be provided so that it can be transferred to another data controller.
4. Right to object
   An individual may object to the processing of their data for direct marketing purposes and/or scientific, historical, research or statistical purposes.
5. Right to erasure (be forgotten)
   An individual may require a controller to have personal data deleted if the processing of their data fails to satisfy the requirements of GDPR.
6. Right to restriction of process
   An individual may require the processing of their data be restricted when the processing is challenged.
   

Data Processor:

Under GDPR, Smartwaiver acts as a data processor of the personal data received by Smartwaiver customers. The processor is the person or organization that processes personal data on behalf of the controller and in accordance with the instructions and scope that the controller and processor have mutually agreed upon. This means that Smartwaiver has an obligation to support its customers to ensure the processing of their customer data is secure and to ensure that the tools to accommodate the individual’s rights listed above are provided.

A Data Processor’s General Obligations:

As a Smartwaiver customer, you have chosen us to be the processor of your customer’s personal data - a responsibility we take very seriously. As your processor, we will do our best to assist with YOUR obligations as a controller.

FAQs

Does GDPR require that EU personal data stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Smartwaiver’s security of your customer’s data is our top priority. We’re proud to have self-certified under the Privacy Shield Framework which helps our customers legalize transfers of EU and Swiss personal data outside of the U.S.

Where is Smartwaiver customer data stored?
Smartwaiver customer data is stored on servers located in the United States.

Is all data subject to a right to be deleted upon request?
The right to have personal data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if retaining personal data is required to comply with a legal obligation, such as with contracts (waivers) or financial transactions. Deleting this data may put the business in unnecessary legal liability. We recommend that you get in touch with your legal adviser regarding which data and documents you are legally obligated to remove.

How does Smartwaiver handle requests to delete personal data?
Should there be a request from an EU subject to delete/edit customer information, that request would first need to be directed to the data controller (the business using Smartwaiver). The data controller (the business using Smartwaiver), should send a request noting the document ID(‘s) of the waiver(s) that need to be forgotten. This request should be sent to support@smartwaiver.com. Once received Smartwaiver will process the request.

Why can’t I process a “right to be forgotten” request in the Waiver Console?
Due to the sensitive and legal liability nature of most documents on the Smartwaiver system, we take the protection of your documents very seriously. Accidental deletion can have serious consequences that requires an extra level of protection to guard against this from happening. Because of this, we require these types of requests be processed directly by our support staff.

Since Smartwaiver is in compliance with GDPR, does that mean my business will automatically comply with the GDPR?
No. As a business regulated under the GDPR rules, you will need to evaluate your own obligations (such as opt-in and cookie consent standards). There are multiple resources online that outline what these obligations might be, but it’s always best to consult with your attorney on these matters.