Updated: January 2, 2020
The General Data Protection Regulation, or GDPR, took effect on May 25, 2018. This privacy law provides European individuals with certain rights over their personal data including a right to access, correct, delete, and restrict processing of their data. The GDPR regulates the “processing” of data which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU.
Smartwaiver's tools and processes are compliant with the GDPR. Smartwaiver is also Privacy Shield certified, which means we can lawfully collect, receive, and process personal data from the EU and beyond. We are committed to offering services and resources to our customers to help them comply with GDPR requirements that may apply to their activities.
Compliance with the GDPR requires a partnership between Smartwaiver and our customers in their use of our services. Smartwaiver’s Terms of Service outlines our customers’ obligation to lawfully obtain and process all personal data appropriately.
If you collect EU residents' personal data, you are likely to be classified as a “Data Controller” under the GDPR. This means you will have some additional obligations around such things as data subject rights. We urge you to understand these obligations and seek legal advice where you think necessary.
The GDPR definition of personal data includes what we typically consider personally identifiable information (PII)—name, passport number, birth date, etc.—but, it also includes data that we might consider to be non-PII, like IP addresses or device IDs.
For a comprehensive list of what the GDPR considers personal data, please read Article 4(1) of the GDPR. Additionally, included in the definition of personal data is a subset of data known as “special categories of personal data.” Special categories of personal data is a specific list of data, expressly set out in the GDPR, and includes things like race, religion, political opinions, health data, etc.
Businesses should keep in mind the following principles as you implement software that collects personal data.
Smartwaiver enthusiastically embraces the GDPR and the strong data privacy and security requirements it emphasizes.
Steps Smartwaiver has taken to ensure GDPR compliance include:
Data Processor vs. Data Controller
If you are a Smartwaiver customer that collects data from EU subjects, under the GDPR, you are considered a data controller. The controller is a person or organization that determines the purpose of processing personal data. You therefore have the responsibility to ensure that you are fulfilling your obligations under the new GDPR regulations which includes maintaining the lawful processing of personal data of your customers.
A Controller’s General Obligations:
As a controller, you and your organization are required to process data in accordance with GDPR, including (but not limited to):
Each of your EU customers has the following rights:
Under GDPR, Smartwaiver acts as a data processor of the personal data received by Smartwaiver customers. The processor is the person or organization that processes personal data on behalf of the controller and in accordance with the instructions and scope that the controller and processor have mutually agreed upon. This means that Smartwaiver has an obligation to support its customers to ensure the processing of their customer data is secure and to ensure that the tools to accommodate the individual’s rights listed above are provided.
A Data Processor’s General Obligations:
As a Smartwaiver customer, you have chosen us to be the processor of your customer’s personal data - a responsibility we take very seriously. As your processor, we will do our best to assist with YOUR obligations as a controller.
Does GDPR require that EU personal data stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Smartwaiver’s security of your customer’s data is our top priority. We’re proud to have self-certified under the Privacy Shield Framework which helps our customers legalize transfers of EU and Swiss personal data outside of the U.S.
Where is Smartwaiver customer data stored?
Smartwaiver customer data is stored on servers located in the United States.
Is all data subject to a right to be deleted upon request?
The right to have personal data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if retaining personal data is required to comply with a legal obligation, such as with contracts (waivers) or financial transactions. Deleting this data may put the business in unnecessary legal liability. We recommend that you get in touch with your legal adviser regarding which data and documents you are legally obligated to remove.
How does Smartwaiver handle requests to delete personal data?
Should there be a request from an EU subject to delete/edit customer information, that request would first need to be directed to the data controller (the business using Smartwaiver). The data controller (the business using Smartwaiver), should send a request noting the document ID(‘s) of the waiver(s) that need to be forgotten. This request should be sent to firstname.lastname@example.org. Once received Smartwaiver will process the request.
Why can’t I process a “right to be forgotten” request in the Waiver Console?
Due to the sensitive and legal liability nature of most documents on the Smartwaiver system, we take the protection of your documents very seriously. Accidental deletion can have serious consequences that requires an extra level of protection to guard against this from happening. Because of this, we require these types of requests be processed directly by our support staff.
Since Smartwaiver is in compliance with GDPR, does that mean my business will automatically comply with the GDPR?
No. As a business regulated under the GDPR rules, you will need to evaluate your own obligations (such as opt-in and cookie consent standards). There are multiple resources online that outline what these obligations might be, but it’s always best to consult with your attorney on these matters.