How we help you comply: GDPR
With data protection at the core of our software and services, and compliance programmes, we are perfectly placed to help you to ensure the security and confidentiality of the personal data you control.
What is the GDPR?
The General Data Protection Regulation (GDPR) is the first major overhaul of European privacy regulation since the Data Protection Directive (Directive 95/46/EC).
The GDPR sets the benchmark for privacy compliance and sets out a number of principles and requirements that must be met when personal data is processed, many of which are now being reflected in privacy movements in other jurisdictions around the globe.
Personal data is any information which are related to an identified, or identifiable, natural person (an individual that the legislation then refers to as a data subject).
Are other data laws relevant?
Yes. EU member states have the right to make certain local laws relating to specific ways that the GDPR is implemented in their territory. Adherence to these is also key to overall compliance.
Why is it important to us?
We have obligations both in respect of the data that we control and process as a Controller, and in respect of the activities we carry out on behalf of our customers and users. We are mindful of our obligations to the companies and people using our services where we act as either a Processor or sub-Processor under the GDPR.
Why is it important to you?
If you use our services to process personal data of UK or EU citizens then this activity will be subject to the requirements of the GDPR. You will need to make sure that you comply with your obligations as either a Controller or Processor (depending on the role that you are undertaking) and we can help you meet these.
Compliance tools
With data protection at the core of our software and services, and compliance programmes, we are perfectly placed to help you to ensure the security and confidentiality of the personal data you control. Encryption is a key aspect of our service delivery and our software and services can provide you with tools to ensure that only those who you want to access your Content (and any personal data in it) can do so.
Software and services focussed on compliance
Our software and services are firmly focussed on ensuring regulatory compliance – not just with the GDPR, but with other privacy regulations around the globe. You can find out more information on each of these using the links above or the Products and Solutions tabs at the top of the page.
Protect your Content
Our communication and file sharing services provide security and encryption to protect your Content and help to ensure that it remains confidential and secure.
User controls and access permissions
Our software and services can provide you with tools to ensure that only those who you want to access your Content can do so. These editable and auditable permission controls provide key regulatory compliance when sharing secure information and personal data with colleagues and third parties, and ensure that you remain in control of your Content.
Taking steps to prevent breaches before they happen
Through our Prevent tool we also provide tools that guide user behaviour to help prevent incidents before they arise.
Secure hosting
Where you subscribe to a service that we host on your behalf, we use market leading providers to ensure that your Content (and any personal data in it) remains safe and secure. You can find our more information here and here.
Transparency and information
We provide a wide range of information and resources on our Legal and Compliance hubs to enable you to conduct your own risk assessments on us to ensure that you are able to meet your own obligations under the GDPR.
Some of these may be subject to controls to ensure the confidentiality of any information that we provide to you, so please bear with us if we ask you to sign up to user terms or non-disclosure obligations prior to giving you access.
Egress’ DPA
What is a DPA?
DPA is an easy way to refer to a Data Processing Addendum or Agreement. These often provide contractual clauses that are specific to meeting certain regulatory requirements that may not be common in each jurisdiction in which a vendor operates.
Our DPA ensure that:
- our relationship meets the requirements of the GDPR (including Article 28).
- we detail how individual rights under the GDPR are met.
- you are able to use our services to lawfully transfer personal data to us outside of the EEA through use of either the Standard Contractual Clauses or our Data Privacy Framework certification.
Where can you find our DPA?
You can find it via the link on our Legal Hub at here. Please note that this link starts a Docusign process, but do not worry – simply entering your name and email address provides secure access to our document but you will not sign it unless you complete the process.
Does our DPA take GDPR into account?
Yes. Our DPA expands on the obligations placed on us under our standard Master Subscription Agreement to ensure that our contractual relationship contains clauses that meet the requirements of the GDPR (including Article 28).
Does our DPA deal with expiry of the Brexit Transition Period?
Yes. Our DPA contains the EU Standard Contractual Clauses which help to protect transfers of personal data from the EU to third-countries. On expiry of the Brexit Transition Period the UK may be a third-country and so we have included the SCCs in such a way as to deal with transfers to the UK where necessary.
What if you do not sign our DPA?
Our standard Master Subscription Agreement applies across all the jurisdictions that we operate in. As a result, the requirements of the GDPR may not always be relevant to a customer and so we chose to detail these clauses in a separate document – our DPA. As a result, if you do not execute it we recommend that you obtain separate legal advice to assess the impact or risks on you and your own compliance efforts.
International transfers
What is an “international transfer” of personal data under the GDPR?
An international transfer is a transfer of personal data outside of the European Economic Area (EEA). These types of transfers are restricted and regulated to ensure that the rights of individual data subjects are protected.
How can we help you comply?
Our DPA ensures that you are able to use our services to lawfully transfer personal data to us outside of the EEA through use of either the Standard Contractual Clauses or our Data Privacy Framework certification.
What are the EU Standard Contractual clauses?
These are sometimes also referred to as the “Model Clauses” and are a set of approved contractual terms that parties can sign that ensure that individual data subjects’ rights are protected when their personal data is transferred outside of the EEA. These are contained in our DPA.
Currently these are approved by the European Commission, however post-Brexit it is possible that the UK may develop and approve its own clauses for the transfers of personal data outside of the UK.
Does our DPA deal with expiry of the Brexit Transition Period?
Yes. Our DPA contains the EU Standard Contractual Clauses which help to protect transfers of personal data from the EU to third-countries. On expiry of the Brexit Transition Period the UK may be a third-country and so we have included the SCCs in such a way as to deal with transfers to the UK where necessary.
Data Privacy Framework Program
We participate in the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and have self-certified to the U.S. Department of Commerce our adherence to the Principles for all personal information received from countries in the European Economic Area, Switzerland, and the United Kingdom in reliance on the DPF. To learn more about the DPF, visit the website at Program Overview (dataprivacyframework.gov).
View our certification on the Data Privacy Framework website.
Disclosure requests
How we respond to a data subject request
Under the GDPR, individual data subjects may have the right to make certain requests of organisations involved in processing their personal data.
If we receive a data subject request in respect of personal data in the Content we process on behalf of you, we will notify you and in our role as a Processor or sub-Processor confirm to the individual that their request relates to you. We will attempt to re-direct the individual making the request to make their request to you directly (and may provide your basic contact information to enable them to do this this).
How we respond to a disclosure request from law enforcement
From time to time, we may receive requests or orders from a governmental body (e.g. a court order, law enforcement demand or other local equivalent) relating to Content that we process on behalf of you.
If we receive one of these we will attempt to re-direct the requestor to seek disclosure directly from you (and may provide your basic contact information to enable them to do this this). If, despite our best efforts, we are compelled to disclose the Content then, provided we are allowed to do so, we will provide notice to you so that you may seek a protective order or other remedy.
You can find more information on our approach here.
Relevant resources
You can find out more details on our compliance with the GDPR and national member state data protection legislation at these links:
Subscription agreements
- Master subscription agreement (view previous versions)
- Online subscription terms
- Free user subscription terms
Additional service terms
Policies
- Acceptable use policy
- Data retention policy
- End of support policy
- Sub-processors
- Third-party disclosure requests
- Customer complaint policy