Commitment to GDPR

Last modified: 23 April 2020

We are committed to providing our solutions to our customers in compliance with applicable laws and regulations in general and data privacy laws such as the EU General Data Protection Regulation (GDPR) in particular. We seek to partner with our customers and their users to help them understand how we achieve data privacy compliance as processor and how the RequirementONE platform enables our customers to achieve data privacy compliance as controller.

GDPR and what it means for you

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.

Since going live on the 25th May 2018, GDPR has a direct effect in all EU member states without any need for local implementing legislation and has overridden existing national privacy laws.

Besides strengthening and standardizing user data privacy across the EU nations, GDPR requires new or additional obligations on all organisations that handle EU citizens’ personal data, regardless of where the organisations themselves are located.
Whenever GDPR applies to our customers they are deemed to be the controller of the personal data included on the RequirementONE platform and RequirementONE is deemed the processor. As such, both RequirementONE and our customers have to comply with their respective obligations under GDPR. One side of these obligations relates to the controller-processor relationship, while the other side relates to the controller obligations vis-à-vis the data subject, typically the user of the RequirementONE platform (i.e. employees, contractors and partners of our customers).

We expect our customers and their users to comply with all applicable laws and regulation in connection with the use of the RequirementONE Platform, in particular making sure, that our customers have all rights and consents necessary to allow RequirementONE to use and process such data.

As a service provider, RequirementONE is committed to supporting our customers in their compliance activities, including as outlined in GDPR Chapter III (Rights of the data subject), most notably the rights of access and rectification (Art. 15 + 16 GDPR), right to erasure or ‘right to be forgotten’ (Art. 17 GDPR), right to data portability (Art. 20 GDPR), and right not to be subject to automated decision-making, including profiling (Art. 22 GDPR).

Our role under the GDPR

As a cloud-based compliance solutions provider, RequirementONE is processing data on behalf of its customers using its platform; therefore, RequirementONE is seen as a data processor under the GDPR. In light of existing data privacy laws and data security measures generally expected from a global cloud service provider such as RequirementONE, we have already implemented an information security program consisting of policies and procedures to help ensure that RequirementONE is acting in accordance with current and new compliance requirements when providing our services.

RequirementONE’s Data Protection Officer

The GDPR will require some organisations to designate a Data Protection Officer (DPO). Organizations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is known as sensitive personal data on a large scale. At RequirementONE, we have appointed the CEO, Martin Pedersen, to this role.

Accountability in in all processing activities

The RequirementONE compliance program is already comprehensive and based on globally accepted standards. RequirementONE has implemented an information security program consisting of policies and procedures that define how system information is entered, managed, and protected. RequirementONE’s current information security program is further specified in our Subscription Agreement as well as our Data Processing Agreement (DPA). In particular, RequirementONE’s commits to monitor, analyse and respond to security incidents in a timely manner in accordance with RequirementONE’s standard operating procedure, which sets forth the steps that RequirementONE employees must take in response to a threat or security incident. RequirementONE continues to invest in a growing global security capability.

Cross-border data flows

GDPR permits personal data transfers outside of the EU subject to compliance with defined conditions, including conditions for onward transfer. When a customer contracts with RequirementONE, we can enter into a Data Processing Agreement (DPA) with applicable customers. In the DPA, we agree with our customers on the terms for the compliant processing of customer personal data, including the description of our security and data privacy policy and the EU standard contractual clauses.

Data subjects exercising their rights

Within the RequirementONE Platform, our customers use the personal data of their users to interact with each other in order to better manage their data. These acting individuals are the data subjects and our customers - acting as data controllers - need to be able to answer certain legitimate requests under the GDPR.

As such, our customers will look to RequirementONE as service provider and data processor to offer functionalities within the RequirementONE Platform that enable our customers to achieve compliance. Our internal product design processes are focused on the user and their positive and productive experience on the RequirementONE Platform. In light of GDPR, RequirementONE periodically reviews its platform features in order to validate that the RequirementONE platform provides the required functionalities to its customers.

Staying current

Ensuring the privacy and security of our customer’s data is an ongoing commitment for RequirementONE. We will continue to update this document to reflect any GDPR-related developments.