Envelope

is EU GDPR compliant

Through our subscription to Naq, we met all requirements defined within the EU General Data Protection Legislation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

This page details exactly what we have done to achieve this compliance. If we process your data and you wish to exercise your rights under the EU GDPR, please submit a Data Subject Request using the button below.

Submit Data Subject Request
Policies
  • All employees have read and signed all policies required under the EU GDPR
  • We have published all required policies (including the Privacy Policy)
  • We have the required procedures in place to enable Data Subjects to exercise their rights under the EU GDPR
Training
  • All employees have completed necessary training required under the EU GDPR
  • All employees have been trained on how to process personal data under the 7 principles of the EU GDPR
  • All employees have also been trained on the key aspects of cyber security
Cyber Security
  • We have implemented sufficient controls to ensure that personal data is protected in adherence to the EU GDPR
  • We have adequate processes in place in order to handle any security incidents which could affect the privacy of data subjects
  • We continue to review their security on an on-going basis to ensure personal data is protected against cyber attack

EU GDPR Control

How we are compliant

Conduct an information audit to determine what information you process and who has access to it.
We have carried out an information audit to determine which information it processes, how it processes this information, who has access to it and what security measures have been implemented to safeguard the confidentiality, integrity and availability of this data. This has been recorded in its processing registry (article 30 registry). Moreover, We have carried out a Data Protection Impact Assessment where it has considered the purposes of the processing, what kind of data they process, who has access to it within the organization, any third parties (and where they are located) that have access, what they are doing to protect the data (e.g. encryption), and when they plan to erase it.
Have a legal justification for your data processing activities.
We have determined what legal basis it relies on for processing different types of personal data and recorded this in its processing registry. Where we relies on consent, it has ensured it complies with the additional consent requirements as set out by the GDPR. Where we relies on legitimate interest, We have carried out a legitimate interest test, considering the necessity and proportionality of its data processing activities and balancing the rights and freedoms of the data subjects against the legitimate interests We have in data processing. Only when the results of the balancing test show that our legitimate interests take precedence over the rights and freedoms of the data subject in a particular case, this data is processed by us. 
Provide clear information about your data processing and legal justification in your privacy policy.
We have written and published an extensive privacy notice, which details the types of processing activities that we carry out, with regards to which data, who has access to it both internally and externally, and how this data is safeguarded. We make this privacy notice available through our website at all times and is available in a concise, transparent, intelligible and easily accessible form, using clear and plain language. 
Take data protection into account at all times, from the moment you begin developing a product to each time you process data.
We have implemented data protection by design and by default. We take data protection and privacy into account in the operational day-to-day as well as with any projects that we undertake. Data protection and privacy are integral parts of any planning process and all staff members are regularly trained on data protection and privacy issues. We have implemented appropriate technical and organizational measures to protect data and ensure its confidentiality, integrity and availability. The security measures we implement are chosen on the basis of an extensive risk assessment. We have ensured that we adhere to the data processing principles outlined in article 5 of the GDPR by considering these in our Data Protection Impact Assessment. We carry out regular data deletion exercises in line with our internal data retention policy as well as on the basis of any legal obligation. 
Encrypt, pseudonymize, or anonymize personal data wherever possible.
We recognise that encryption is one of the best measures to ensure data protection and has therefore opted to use cloud-applications for its daily operations as well as data storage where encryption is enforced by default. This includes encryption at rest as well as in transit. 
Create an internal security policy for your team members, and build awareness about data protection.
We have formulated an information security policy which has been made available to all of our employees using our compliance-management platform Naq. Moreover, our employees have been required to accept the terms within this information security policy by signing the document within Naq. Our information security policy includes guidance about email security, passwords, two-factor authentication, device encryption, and VPNs. All personnel and contractors who have access to personal data have received training on security and GDPR requirements. This training is repeated throughout the year. 
Have a process in place to notify the authorities and your data subjects in the event of a data breach.
We have formulated a Data Breach Notification Policy using our compliance-management platform Naq. This policy details exactly the steps any team member must take to ascertain whether the data subjects or data protection authorities must be notified, in which timeframe and in which manner. Moreover, we track all security incidents within the Naq platform, where we manage these incidents to determine if a data breach has occurred as a result of a security incident.
Designate someone responsible for ensuring GDPR compliance across your organisation
Within our compliance-management platform, Naq, we record all responsible individuals within the company. These individuals track our complete compliance posture from the Naq platform to ensure our obligations as data controllers and processors are met. We have appointed an internal Privacy Officer, whose details can be found in our privacy policy, available on our website.
Sign a data processing agreement with any third parties that process data on your behalf
Any third parties that process data on our behalf are recorded within the Naq platform and within our data processing registry. Moreover, the Naq platform records details of public Data Processing Agreements (if a third-party publishes a Data Processing Agreement publicly). If no such Data Processing Agreement exists, the Naq platform generates a Data Processing Agreement and sends this to the third-party processor which is then signed by us and a responsible individual within the third-party. The Naq platform also sends out security questionnaires to ensure that all suppliers are conforming to the requirements laid out in the GDPR.
Appoint a representative within one of the EU member states if your organisation is outside of the EEA
We are registered in the EEA.
Make it easy for customers, employees and other data subjects to carry out their rights under the GDPR (Access, rectification, erasure, restriction, objection, portability)
By filling out the form at the top of this page, customers, employees and other data subjects can carry out their rights under the GDPR. All such requests are managed within the Naq platform to ensure we meet all requirements laid out in the GDPR. We will ensure that you receive a reply to your request within 30 days of receipt.