Last updated: May 2022
On May 25, 2018, the General Data Protection Regulation (“GDPR”) became fully applicable in the European Union (EU). PlainID have always taken privacy very seriously and the success of our customers in the GDPR era is very important to us, which is why we have put this document together to provide an overview of what PlainID Ltd. and its affiliates (“PlainID”) has done to get prepared for GDPR.
What is PlainID’ take on the GDPR? We welcome the positive changes the GDPR brings, such as the increased harmonization and the “Privacy by Design and Privacy by Default” approach. Our view is that the GDPR is not only an obligation but also an opportunity to build privacy-friendly products while further fostering customer trust.
Should I, as a PlainID customer, be concerned about the GDPR? Our recommendation is that all our customers assess carefully whether they are subject to the GDPR and, if so, to what extent. The consequences of breaching the GDPR are very serious. PlainID recommend that you consult with legal counsel regarding your obligations (if any) under the GDPR.
If I am a customer not based in the EU, should I still be concerned about the GDPR? Given the GDPR’s extraterritorial effect, our non-EU-based customers are also encouraged to assess whether the GDPR applies to them or not. The GDPR will not only apply to companies that process the personal data of European individuals and have a presence in the EU (e.g. offices or establishments) but also to companies that do not have any presence in the EU but offer goods or services to individuals in the EU and EEA and/or monitor the behavior of European individuals where their behavior takes place within the EU and the EEA.
As PlainID customer, where should I start my “GDPR journey”? If the GDPR applies to your company, we highly recommend conducting internal due diligence to map your specific data collection practices. This includes, among other matters, understanding what specific personal data (including sensitive personal data) of individuals protected by the GDPR your company is collecting (e.g., end-users, customers, employees, etc.), from whom is the data collected, where is it being stored, for what purposes is it being used, with who is it being disclosed, and whether the personal data is transferred outside of the European Union or European Economic Area. Then, if required, please ask for and sign our Data Processing Agreement (“DPA”).
What has PlainID done in order to comply?
This is a high-level summary of what we have done so far:
- GDPR Strategy
- We retained a leading outside counsel to help us understand the GDPR and prepare a GDPR compliance plan.
- We built an internal task force with members of different departments (security, sales, product development, and others) to implement the GDPR compliance plan internally.
- The top management has been personally involved in the supervision of its implementation.
- We defined top-level policies as needed – e.g., the Data Retention Policy, Data Breach Policy, etc.
- We regularly provide training and awareness among our employees about key GDPR requirements.
- Data Processing Agreement with Customers.We have prepared a DPA for customers who are subject to the GDPR and need a DPA. You should request our DPA by sending an email to firstname.lastname@example.org and then you should send it back to us after you sign it.
- Data transfers
- Hosting. AWS
- PlainID’ Staff.The majority of our staff sits in Israel, which was declared by the European Commission as a country that offers an adequate level of data protection (see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en).
- Other Service Providers. We only share personal data that is subject to the GDPR with vendors and partners who have announced that will comply with the GDPR and have undertaken to do so.
- Data Processing Agreement with Service Providers. We executed Data Processing Agreements in accordance with Article 28 of the GDPR with all of our service providers with access to personal data subject to the GDPR.
- Record Keeping. PlainID keep an updated file describing PlainID’s data-collection and data-processing practices. PlainID periodically review this file to make sure that it is always fully updated.
- Ongoing compliance.We are not approaching GDPR compliance as a one-time exercise. Therefore, we are committed to periodically reviewing our roadmap and ensuring ongoing compliance.
- Security. For more information about our security practices please see our Security and Compliance
Where can I learn more about GDPR? Additional information is available on the European Commission’s website here (https://ec.europa.eu/justice/data-protection/reform/index_en.htm).
I have more questions. Who should I contact? If you have any additional questions about the GDPR you and/or your consultant are welcome to contact us at email@example.com.
Disclaimer: The information in this document may not be construed as legal advice about the interpretation or application of any law, regulation, or regulatory guideline. Customers and prospective customers must seek their legal counsel to understand the applicability of any law on their processing of personal data.