Last Updated: 16 May 2018
GroupDocs and the GDPR
On the 25th May 2018 the European Union will begin enforcing its General Data Protection Regulation (GDPR). It impacts how businesses collect and process data from European individuals. While GroupDocs is an Australian Business with no European entity, it values the rights of its users’ and customers and their personal data regardless of their location. As such we’re working hard to comply with these rules across all our systems and processes.
This page gives an overview of the roles described by the GDPR, the responsibilities of each party and the efforts we’re putting in place to support these recommendations.
GroupDocs as the data processor
When data is transferred outside of the European Economic Area (EEA) by data processors, the GDPR sets strict requirements for moving data outside of the scope if its protection.
As GroupDocs is an Australian business with no European entity, the data controller makes the sole decision to transfer data to GroupDocs which is based in Australia outside of the EEA, with its technical infrastructure based in the US. Where we do engage with sub-processors we do so in a considered fashion considering the legalities of the transfer at each step.
GroupDocs as the data controller
GroupDocs acts as the data controller for the personal data we collect about you, the user of our web apps and website, the purchaser of our products or services.
Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations.
Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
What do you mean by ‘legitimate interests’?
- Improving our products and services in a way is useful to you.
- Ensuring your data and GroupDocs’s systems are reliable, safe and secure.
- Responsible marketing of our products, services and their features.
- The ability to service the contract we are entering into with you, our customer.
What is GroupDocs doing for the GDPR
GroupDocs respects the privacy of its customers and their clients. To that end, we have implemented and continue to improve both technical and organizational measures in line with the GDPR to ensure the appropriate processing of personal data.
Internal processes, security and data transfers
We have reviewed our internal processes and operations to make sure we map and audit the data travelling through our systems. We are implementing functionality within all our main customer facing systems to cope with the principles of Privacy by Design. Any access to Client Data is only done through the permission of our customers and is always limited and specifically in scope to the contract between GroupDocs and its customers have engaged in.
Our internal procedures and logs make sure that we meet the GDPR accountability requirements.
We onboard new third-party services rarely, but when we do we have an internal process for evaluating these suppliers on their security and privacy considerations. We keep the number of sub-processors to a minimum, where possible using our own technology and infrastructure for processing.
Ability to action subject access requests
Data subjects’ ownership of their personal data is at the heart of the GDPR. We are working on a plan to respond to data subject requests to delete, modify, or transfer their data. This means that our Customer Support Specialists along with the Engineers that assist them in their work are well-prepared to help you in any matters involving your personal data.
Training and awareness
Training and awareness about GDPR, the handling of and processing of Personal Data have been communicated throughout the whole GroupDocs Business. Each GroupDocs Team Member has awareness of the issues and our policies surrounding the compliance with GDPR and other Privacy related issues. We have built this training into our new team member training requirements and have scheduled refresher checks regularly.
We believe the above approach in adhering to the GDPR is firmly in line with the ethos of its purpose and what it aims to achieve.