GDPR Awareness Statement
The EU General Data Protection Regulation (“GDPR”) is a privacy regulation that came into force across the European Union on May 25, 2018. The regulation aims to standardize data protection laws and processing across the European Union, empowering individuals with the right to control their personal information. Any business that deals with customer data processing in the EU must comply with GDPR requirements.
Action1 is GDPR Compliant
At Action1, we understand the importance of privacy matters and make it our priority to ensure the protection of customers’ personal data. Concerning our European clients, we are in compliance with the General Data Protection Regulation (GDPR), effective from May 2020. This statement summarizes our GDPR actions to date and continuing objectives for GDPR compliance. They include developing and implementing data protection roles, policies, procedures, controls, and measures to ensure maximum and ongoing compliance.
After consulting with external GDPR advisors, we have approached the process of planning our GDPR compliance strategy with our engineering, product, security, and legal teams to implement the necessary procedures and best practices for achieving and maintaining GDPR compliance. Based on the GDPR compliance assessment, we have created protocols, disseminated them to all employees, and briefed the employees on them.
What We Are Doing / The Actions Taken
Policies & Procedures
We have revised data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
We have revised our central policy and procedure document for data protection to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities, with a dedicated focus on privacy by design and the rights of individuals.
Data Retention & Erasure
We have updated our retention policy and schedule to meet the “data minimization” and “storage limitation” principles. According to the regulations, we created protocols for storing, archiving, and destroying personal information compliantly and ethically. Dedicated erasure procedures have been put into place to meet the ‘Right to Erasure’ obligation, and we are aware of when this and other data subjects’ rights apply, along with any exemptions, response timeframes, and notification responsibilities.
Our GDPR protocols include breach procedures to ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time.
International Data Transfers
At Action1, we care about your privacy and are always on guard, making sure your data is safe with us. We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate precautions to protect the information, ensure enforceable data subject rights, and have effective legal remedies for data subjects where applicable.
Nothing in the GDPR prevents businesses from storing data outside of the EU, provided that the hosting providers adhere to the necessary regulations and protections. Our servers are hosted in the certified data centers run by Amazon Web Services, which takes a solid stance on securing customer data. Please refer to AWS General Data Protection Regulation (GDPR) Center, AWS Compliance Programs, and AWS Cloud Security for more information about Amazon security controls and regulations.
We have carried out an audit of Action1’s data collection practices to identify and assess what personal information we hold, where it comes from, how and why it is processed, and if and to whom it is disclosed.
- Why we collect data
- How their data is used
- What are the users’ rights
- Who the personal information is disclosed to
- What safeguarding measures are in place to protect personal information
We have revised the process by which we receive consent for obtaining personal data, ensuring that individuals understand what data they provide and how we use it, and that they have a way to withdraw consent at any time.
We have adjusted the processes for direct marketing, including precise opt-in mechanisms for marketing subscriptions, a clear notice and method for opting out, and providing unsubscribe features on all subsequent marketing materials.
Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy-to-access information via our website about an individual’s right to access any personal information that MSP360 processes about them and to request information about:
- What personal data we hold about you
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has / will be disclosed
- How long we intend to store your personal data
- The right to have incomplete or inaccurate data about you corrected or completed and the process for requesting this
- The right to request the erasure of personal data (where applicable) or to restrict processing under data protection laws
- The right to object to any direct marketing from us
Information Security & Technical and Organizational Measures
Action1 considers the privacy and security of individuals and their personal information of paramount importance and takes every reasonable measure and precaution to protect and secure the personal data that we process. We employ the latest data protection technologies. Our experienced team of engineers established real-time security auditing and monitoring to provide the highest level of protection, with such measures as:
- Access controls
- Password policy
- End-to-end encryption
- Data restriction
- Multi-factor authentication
More about GDPR
Additional information is available on the European Commission’s website: https://ec.europa.eu/info/law/law-topic/data-protection_en.