GDPR, or the General Data Protection Regulation, became effective on May 25, 2018. Simply put, EU citizens now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. GDPR clarifies how the EU personal data laws apply even beyond the borders of the EU. For more detailed information, visit the European Commission website.
Any organization that works with EU citizens’ personal data in any manner (irrespective of location) has obligations to protect the data under GDPR.
There are many positive business outcomes of compliance with GDPR including efficient data management, streamlined processes, transparency, security, better internal controls, risk reduction, long-term cost reduction, and updated technology.
Penalties for non-compliance can be steep, with fines of up to 4% of revenue or €20 million, class action lawsuits, disruption to your business, brand damage, and more.
Contractual protection for using SmartVault as a Service Provider
Data controllers have a responsibility to ensure that their contracts with suppliers are adequate under the GDPR. The Supplemental Terms for Data Processing for the SmartVault Service, which are incorporated in the SmartVault Terms of Service by reference and by default, help ensure that all of our customers have the required level of contractual protection for their use of the SmartVault service under the GDPR.
Like many SaaS providers, we use Amazon Web Services, a top-tier third-party data hosting provider with servers located in the U.S., to host the SmartVault service.
Under the GDPR, the personal information of EU residents can only be transferred outside the EU in compliance with the conditions for transfer as set out in Chapter V (Articles 44-50) of the text. As detailed on this page of the European Commission website, the EU-U.S. Privacy Shield Framework has been formally afforded appropriate adequacy for data transfer to the US by the Commission in respect to GDPR.
SmartVault is certified under the EU-U.S. Privacy Shield Framework as detailed in our listing on the Privacy Shield website.
SmartVault Response to the European Court of Justice Ruling on July 16, 2020
The Court of Justice of the European Union (CJEU) on July 16, 2020 handed down its decision in the Schrems II case (Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems).
SmartVault is evaluating the impact of the judgement from the European Court of Justice in the Schrems II case, which examines data transfers from the EU. The ruling potentially impacts thousands of businesses, particularly cloud services, that operate globally. SmartVault utilizes the protection of both the Standard Contractual Clauses (SCCs) and the Privacy Shield for the lawful transfer of personal data where necessary. Although the ruling invalidates the use of Privacy Shield for the transfer of data, the SCCs remain valid. You can continue using SmartVault with the confidence that your data is in safe hands.
We are maintaining a watching brief for any new or improved mechanisms for managing compliance with Chapter 5 of the GDPR on international data transfers, and are poised to adopt them as they become available. Customers of SmartVault can be reassured that we take compliance with all data protection regulation very seriously and will remain fully compliant with the GDPR.
Questions can be sent directly to our Security and Compliance Officer at firstname.lastname@example.org.
SmartVault provides industry standard security measures such as encryption, multi-factor authentication, access controls, and auditing to support compliance with GDPR rules.
| Where GDPR requires: | SmartVault offers solutions: |
| --- | --- |
| Right to be Forgotten: enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. | Your files stored in SmartVault are easily searchable and, based on the user's permission level in SmartVault, can be deleted. |
| Right of Access: individuals will have the right to obtain access to their personal data, so that they are aware of and can verify the lawfulness of the processing. Information must be provided within 30 days of request, free of charge. | When you use SmartVault as your single repository for all documents in your business, you can quickly respond to requests for data access. Instead of combing through network drives, memory sticks, local PCs, emails, paper files, etc., you can easily and quickly provide access to secure vaults that contain client information upon request. |
| Right to Data Portability: individuals can move, copy or transfer personal data easily and securely from one IT environment to another. | SmartVault does not bear ownership of our customers' documents. Based on user permissions, entire folders as well as individual documents can be removed from the SmartVault platform. |
| Data Integrity & Secure Transmission of Data: data must be confidentially and securely processed by your data system. Only authorized individuals should have access to the data consented to. | All interactions with SmartVault occur over an encrypted channel. We employ SSL to protect your documents, passwords, and interactions with SmartVault from eavesdropping. SmartVault encrypts your documents and all information stored in our databases at rest. The data is encrypted using AES-256. More details can be found in our Security Overview. Use the principle of least privilege when setting up users in your SmartVault account: user permissions allow you to select which vaults and folders each employee and client has access to. |
| Full Document & Workflow Audit: fully document how data is processed and transferred and for what reasons you have to do so. Document who has access to the data at each stage of processing and transfer. | SmartVault is designed to allow access to documents only via authenticated logins. In other words, documents stored in SmartVault are only accessible if you log into the service or share the documents with another individual who must log into the service. SmartVault employs an Activity Log that you can use to review: |