GDPR Notice
Last Updated: 16 May 2018
Sheetize and the GDPR
On the 25th May 2018 the European Union began enforcing its General Data Protection Regulation (GDPR). It impacts how businesses collect and process data from European individuals. While Sheetize is an Australian Business with no European entity, it values the rights of its users’ and customers and their personal data regardless of their location. As such we’re working hard to comply with these rules across all our systems and processes.
This page gives an overview of the roles described by the GDPR, the responsibilities of each party and the efforts we’re putting in place to support these recommendations.
Sheetize as the data processor
While using our services you may upload files for processing via our Cloud API platforms, you may also send our Support Team files for debug or support purposes. Due to the nature of our products and services, your files may contain information from or about your clients. While covered by the confidentiality clauses in our EULA, the upcoming updates to our Terms of Use and Privacy Policy further cement these rights.
These are your data subjects, and you are considered the data controller for this personal data. Our Terms of Use and Privacy Policy refer to this data as Client Data.
Using Sheetize services to process your Client Data means that you have engaged Sheetize as a data processor to carry out certain data processing activities on your behalf. Article 28 of the GDPR states that the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of Article 28). Our Terms of Use and Privacy Policy also serve as your data processing contract with Sheetize. They set out the instructions you are giving to Sheetize in regards to processing personal data you control and establishing the rights and responsibilities of both parties. Sheetize will only process your Client Data based on your instructions as the data controller.
Data Transfers
When data is transferred outside of the European Economic Area (EEA) by data processors, the GDPR sets strict requirements for moving data outside of the scope if its protection.
As Sheetize is an Australian business with no European entity, the data controller makes the sole decision to transfer data to Sheetize which is based in Australia outside of the EEA, with its technical infrastructure based in the US. Where we do engage with sub-processors we do so in a considered fashion considering the legalities of the transfer at each step.
We’ll keep an up-to-date list of sub-processors in our Terms of Use. This ensures we are fully transparent about our transfers and the processors we use. We’ll explain the data we transfer and for what purpose. We only engage with sub-processors who have either certified under the EU-US Privacy Shield framework or signed the EU Commission’s standard contractual clauses for data transfers with us.
If you have any questions on these points you can contact us at privacy@sheetize.app.
Sheetize as the data controller
Sheetize acts as the data controller for the personal data we collect about you, the user of our web apps and website, the purchaser of our products or services.
Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations.
Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
What do you mean by ‘legitimate interests’?
- Improving our products and services in a way is useful to you.
- Ensuring your data and Sheetize’s systems are reliable, safe and secure.
- Responsible marketing of our products, services and their features.
- The ability to service the contract we are entering into with you, our customer.
As the controller for your personal data, Sheetize is committed to the respect of your rights under the GDPR. If you have any questions, please contact our Data Protection Officer on dpo@sheetize.app
What is Sheetize doing for the GDPR
Sheetize respects the privacy of its customers and their clients. To that end, we have implemented and continue to improve both technical and organizational measures in line with the GDPR to ensure the appropriate processing of personal data.
Internal processes, security and data transfers
We have reviewed our internal processes and operations to make sure we map and audit the data travelling through our systems. We are implementing functionality within all our main customer facing systems to cope with the principles of Privacy by Design. Any access to Client Data is only done through the permission of our customers and is always limited and specifically in scope to the contract between Sheetize and its customers have engaged in.
Our internal procedures and logs make sure that we meet the GDPR accountability requirements.
We onboard new third-party services rarely, but when we do we have an internal process for evaluating these suppliers on their security and privacy considerations. We keep the number of sub-processors to a minimum, where possible using our own technology and infrastructure for processing.
Ability to action subject access requests
Data subjects’ ownership of their personal data is at the heart of the GDPR. We are working on a plan to respond to data subject requests to delete, modify, or transfer their data. This means that our Customer Support Specialists along with the Engineers that assist them in their work are well-prepared to help you in any matters involving your personal data.
Documentation
Our Terms of Use and Privacy Policy are updated regularly to make sure we build upon the good work we’ve always done in this area. As these documents set out the basis of our relationship with you, it is of paramount importance for us to openly and clearly explain your rights in these documents.
Training and awareness
Training and awareness about GDPR, the handling of and processing of Personal Data have been communicated throughout the whole Sheetize Business. Each Sheetize Team Member has awareness of the issues and our policies surrounding the compliance with GDPR and other Privacy related issues. We have built this training into our new team member training requirements and have scheduled refresher checks regularly.
We believe the above approach in adhering to the GDPR is firmly in line with the ethos of its purpose and what it aims to achieve.
