How we help you comply: GDPR

What is the GDPR?

The General Data Protection Regulation (GDPR) is the first major overhaul of European privacy regulation since the Data Protection Directive (Directive 95/46/EC). 

The GDPR sets the benchmark for privacy compliance and sets out a number of principles and requirements that must be met when personal data is processed, many of which are now being reflected in privacy movements in other jurisdictions around the globe.

Personal data is any information which relates to an identified, or identifiable, natural person (an individual that the legislation then refers to as a data subject).

Are other data laws relevant?

Yes.  EU member states have the right to make certain local laws relating to specific ways that the GDPR is implemented in their territory.  Adherence to these is also key to overall compliance.

Why is it important to us?

We have obligations both in respect of the data that we control and process as a Controller, and in respect of the activities we carry out on behalf of our customers and users.  We are mindful of our obligations to the companies and people using our services where we act as either a Processor or sub-Processor under the GDPR.

Why is it important to you?

If you use our services to process personal data of UK or EU citizens then this activity will be subject to the requirements of the GDPR.  You will need to make sure that you comply with your obligations as either a Controller or Processor (depending on the role that you are undertaking) and we can help you meet these.

Compliance tools

With data protection at the core of our software and services, and compliance programmes, we are perfectly placed to help you to ensure the security and confidentiality of the personal data you control.  Encryption is a key aspect of our service delivery and our software and services can provide you with tools to ensure that only those who you want to access your Content (and any personal data in it) can do so.

Software and services focussed on compliance

Our software and services are firmly focussed on ensuring regulatory compliance – not just with the GDPR, but with other privacy regulations around the globe.  You can find out more information on each of these using the links above or the Products and Solutions tabs at the top of the page.

Protect your Content

Our communication and file sharing services provide security and encryption to protect your Content and help to ensure that it remains confidential and secure.

User controls and access permissions

Our software and services can provide you with tools to ensure that only those who you want to access your Content can do so.  These editable and auditable permission controls provide key regulatory compliance when sharing secure information and personal data with colleagues and third parties, and ensure that you remain in control of your Content.

Taking steps to prevent breaches before they happen

Through our Prevent tool we also provide tools that guide user behaviour to help prevent incidents before they arise.

Secure hosting

Where you subscribe to a service that we host on your behalf, we use market leading providers to ensure that your Content (and any personal data in it) remains safe and secure.  You can find out more information here and here.

Transparency and information

We provide a wide range of information and resources on our Legal and Compliance hubs to enable you to conduct your own risk assessments on us to ensure that you are able to meet your own obligations under the GDPR. 

Some of these may be subject to controls to ensure the confidentiality of any information that we provide to you, so please bear with us if we ask you to sign up to user terms or non-disclosure obligations prior to giving you access.

Egress’ DPA

What is a DPA?

DPA is an easy way to refer to a Data Processing Addendum or Agreement.  These often provide contractual clauses that are specific to meeting certain regulatory requirements that may not be common in each jurisdiction in which a vendor operates.

Our DPA ensures that:

  • our relationship meets the requirements of the GDPR (including Article 28).
  • we detail how individual rights under the GDPR are met.
  • you are able to use our services to lawfully transfer personal data to us outside of the EEA through use of either the Standard Contractual Clauses or our Privacy Shield certification.

Where can you find our DPA?

You can find it via the link on our Legal Hub here.  Please note that this link starts a Docusign process, but do not worry – simply entering your name and email address provides secure access to our document, but you will not sign it unless you complete the process.

Does our DPA take GDPR into account?

Yes.  Our DPA expands on the obligations placed on us under our standard Master Subscription Agreement to ensure that our contractual relationship contains clauses that meet the requirements of the GDPR (including Article 28). 

Does our DPA deal with expiry of the Brexit Transition Period?

Yes. Our DPA contains the EU Standard Contractual Clauses which help to protect transfers of personal data from the EU to third-countries. On expiry of the Brexit Transition Period the UK may be a third-country and so we have included the SCCs in such a way as to deal with transfers to the UK where necessary.

What if you do not sign our DPA?

Our standard Master Subscription Agreement applies across all the jurisdictions that we operate in.  As a result, the requirements of the GDPR may not always be relevant to a customer and so we chose to detail these clauses in a separate document – our DPA.  As a result, if you do not execute it we recommend that you obtain separate legal advice to assess the impact or risks on you and your own compliance efforts.

International transfers

What is an “international transfer” of personal data under the GDPR?

An international transfer is a transfer of personal data outside of the European Economic Area (EEA).  These types of transfers are restricted and regulated to ensure that the rights of individual data subjects are protected. 

How can we help you comply?

Our DPA ensures that you are able to use our services to lawfully transfer personal data to us outside of the EEA through use of either the Standard Contractual Clauses or our Privacy Shield certification.

What are the EU Standard Contractual clauses?

These are sometimes also referred to as the “Model Clauses” and are a set of approved contractual terms that parties can sign that ensure that individual data subjects’ rights are protected when their personal data is transferred outside of the EEA.  These are contained in our DPA.

Currently these are approved by the European Commission, however post-Brexit it is possible that the UK may develop and approve its own clauses for the transfers of personal data outside of the UK.

What was the EU/US, and Swiss/US, Privacy Shield?

The Privacy Shield was a program through which participating companies were able to evidence the steps that they took to protect individual data subjects’ rights when receiving transfers of personal data from the EU or Switzerland.  It provided a mechanism for ensuring that international transfers of data to the United States were lawfully protected.

We remain fully committed to the principles of the Privacy Shield Programmes, the General Data Protection Regulation and to the protection of the Personal Data that customers and users send, store and share using our Services. In recognition of our continued commitment, in October 2020 we self-certified with the International Privacy Verification programme (IPV). The IPV’s assessment criteria are aligned with those of the Privacy Shield and therefore by certifying with the IPV we are able to continue to demonstrate our compliance with the core Privacy Shield Principles in relation to the protection of personal data transferred outside of the UK and EU.

Were we certified with the Privacy Shield Programme?

Yes.  Egress Software Technologies, Inc. (a Massachusetts corporation) was and remains self-certified with the EU/US Privacy Shield programme.  You can find details here.

What steps has Egress taken to prepare for Brexit?

You can find out details here.

Disclosure requests

How we respond to a data subject request

Under the GDPR, individual data subjects may have the right to make certain requests of organisations involved in processing their personal data. 

If we receive a data subject request in respect of personal data in the Content we process on behalf of you, we will notify you and, in our role as a Processor or sub-Processor, confirm to the individual that their request relates to you.  We will attempt to re-direct the individual making the request to make their request to you directly (and may provide your basic contact information to enable them to do this).

How we respond to a disclosure request from law enforcement

From time to time, we may receive requests or orders from a governmental body (e.g. a court order, law enforcement demand or other local equivalent) relating to Content that we process on behalf of you.

If we receive one of these we will attempt to re-direct the requestor to seek disclosure directly from you (and may provide your basic contact information to enable them to do this).  If, despite our best efforts, we are compelled to disclose the Content then, provided we are allowed to do so, we will provide notice to you so that you may seek a protective order or other remedy.

You can find more information on our approach here.
