What is the GDPR?
The EU General Data Protection Regulation 2016/679 (“GDPR”) is the European Union's most comprehensive data protection regulation to date, enacted to protect the privacy of EU residents. The GDPR went into effect on May 25, 2018 and replaced the EU Data Protection Directive.
The GDPR Alliance posted an article titled “The General Data Protection Regulation (GDPR) In A Nutshell” that outlines the GDPR in simple terms. It:
- Applies to personal data — any data that relates to or can be used to identify a person in any way.
- Controls what can be done with personal information.
- Requires that consent is given or there is a good reason to process or store personal data.
- Gives a person a right to know what information is held about them.
- Allows a person to request that information about them be erased and that they are ‘forgotten’ — unless there is a reason not to do this, e.g. a loan account.
- Makes sure that personal data is properly protected. New systems must have protection designed into them (Privacy by Design). Access to data is strictly controlled and only given when required (Privacy by Default).
- If data is lost, stolen or accessed without authority, the authorities must be notified, and the people whose data has been accessed may also need to be notified.
- Data cannot be used for anything other than the reason given at the time of collection.
- Data is securely deleted after it is no longer needed.
- Allows national authorities to impose fines on companies breaching the regulation.
For more information, here is the full GDPR.
What is the CCPA?
The California Consumer Privacy Act (Assembly Bill 375), as amended (“CCPA”), went into effect on January 1, 2020. It grants California consumers new rights with respect to the collection of their personal data and requires companies to comply with certain obligations related to those rights, including:
- An obligation on businesses to notify a consumer of its data collection practices, including the categories of personal data it has collected, the source of the information, the business’s use of the information, and to whom the business disclosed the information it has collected about the consumer;
- The consumer’s right to receive a copy, in a readily usable format, of the specific personal data collected about them during the twelve (12) months prior to their request;
- The consumer’s right to have such personal data deleted (with exceptions);
- The consumer’s right to know the business’s data sale practices and to request that their personal data not be sold to third parties;
- A prohibition on businesses discriminating against a consumer for exercising a consumer right; and
- An obligation on businesses to notify consumers of their rights.
For more information on CCPA click here.
What is Kustomer doing to comply with GDPR & CCPA?
Data Protection by Design
We ensure that privacy is considered during the design phase of every new feature, and that we understand where personal data is processed, both within our internal systems and by our sub-processors, so that we can provide the proper level of visibility and control to our users.
Data Protection By Default
Kustomer, by default, only processes personal data when it is necessary to provide the functionality of the Services. Once processing is no longer required for a set of personal data, that data is either deleted or pseudonymized.
Kustomer minimizes the personal data it processes wherever possible and stops processing once it is no longer required. We do not collect any personal data that is not required for processing.
Security of Processing
Kustomer applies technical and organizational measures to minimize access to systems and data. Individuals must pass multiple levels of authorization to gain access; audit trails record who accessed what; our continuous security monitoring tools raise real-time notifications; and procedures are in place to limit access and to remove it when it is no longer required.
Kustomer performs data mapping to understand where personal data flows, what each sub-processor specifically processes, and whether that processing is needed at all. We ensure that our sub-processors are GDPR and CCPA compliant and, as such, handle the data with the same level of care for privacy that Kustomer applies.
Data Processing Addendum
Kustomer offers our Clients a Data Processing Addendum (DPA) to the subscription agreement for our Services. The DPA governs the relationship between our Clients (acting as the data controller / business) and Kustomer (acting as the data processor / service provider) with respect to personal data subject to the GDPR and CCPA. It facilitates our Clients’ compliance with their obligations under applicable data protection laws and contains strong privacy commitments. The DPA has been updated to confirm our compliance with the GDPR and CCPA, and includes contractual commitments to support our Clients in responding to requests from data subjects to access, correct, amend, delete or exercise other rights with respect to their personal data. A copy of our DPA is available here. Clients who signed earlier versions of our DPA can click on that link to request our current DPA at any time.
How can I manage data subject rights requests within Kustomer’s services?
Our Clients are the data controllers/businesses that collect the personal data of their customers/end-users. As such, Clients are responsible for receiving and responding to requests from individuals exercising any rights afforded to them under applicable data protection laws, including the GDPR and CCPA. Our Services provide the functionality needed to respond to most, if not all, data subject rights requests, including access, correction, deletion and portability. If a Client asks us to assist with a data subject rights request, we will respond within a reasonable timeframe and assist in accordance with our Data Processing Addendum, provided that (i) the Client is unable to respond without Kustomer’s assistance and (ii) Kustomer is able to do so in accordance with all applicable data protection laws.
Additionally, because we may only access a Client’s data on the Client's instructions, if Kustomer receives a data subject request directly from one of a Client's customers/end-users through our data subject request form, Kustomer will inform that individual to contact the Client directly about any request relating to their personal data, such as access or deletion. To the extent that applicable data protection law does not prohibit Kustomer from doing so, we will refer the request to the Client the individual specifies. Kustomer will not respond further to a data subject request without the Client’s prior consent.
Who are Kustomer’s Sub-Processors?
We share some personal data with certain third-party companies, including affiliates of Kustomer, that we use as sub-processors to help us provide, manage, secure and improve the Services. A current list of our third-party sub-processors is available here, and our Clients can subscribe there to be notified of changes. We vet each of our sub-processors for their privacy and security practices to ensure compliance with the GDPR and CCPA, and we enter into contractual arrangements to protect the privacy and security of the personal data they sub-process. Kustomer remains responsible for the acts and omissions of our sub-processors to the same extent that Kustomer would be responsible if it were performing the services of each sub-processor directly.