The European Union’s General Data Protection Regulation (GDPR) is effective on May 25, 2018. GDPR is a set of new data privacy laws across Europe that are designed to protect EU citizens’ and residents’ data privacy and reshape the way organizations approach data privacy. Slayte’s customers are headquartered around the globe and include EU-centered associations and organizations. As a result, Slayte is planning a set of features to assist our customers in meeting GDPR compliance requirements.
Data privacy is a priority for Slayte. We have always strived to meet the highest privacy standards in the industry and are pleased to continue our steadfast commitment to our customers’ data security as we work to comply with GDPR guidelines.
For the purposes of GDPR, with regard to the Processing of personal data, Slayte’s customer is the Data Controller, which is the organization that determines the purposes and ways personal data is processed. Slayte, as a SaaS (Software-as-a-Service) provider, is the Data Processor, which is the organization that processes personal data on behalf of the Data Controller.
What do you need to know?
What is it?
The GDPR is an EU regulation that includes rules that boost data protection and security for European Union citizens and residents. Experts believe the GDPR will have a huge impact on how data is collected, processed, used and shared.
Does GDPR only apply to Europe or associations headquartered in Europe?
No. It also affects the export of data outside the EU and of course it affects any organization that deals with EU citizen or resident data — a vast number of trade and membership organizations interact with European members.
What data does GDPR cover?
The definition of personal data is broad and may cover, but not be limited to, professional, public life and private life activities and includes everything from names, postal addresses, images, electronic messaging addresses to IP addresses, posts on social networks, medical information and more.
Slayte's GDPR Roadmap
Regardless of whether the EU considers an organization to be a Data Controller (an organization that determines the purposes and means of the processing of personal data – i.e. an association) or a Data Processor (an organization that processes personal data on behalf of the controller – i.e. a service provider like Slayte), Slayte’s objective is to address the overall points summarized below:
Consent
Consent needs to be explicit for usage of the data. This applies to Data Controllers and Data Processors.
Right to Access Data
Organizations must provide EU citizens/residents the ability to obtain from the Data Controller confirmation regarding whether or not their personal data is being processed, where and for what purpose. Upon request, Data Controllers must provide a copy of the personal data, free of charge, in an electronic format to any EU citizen/resident who requests his/her own data. All collected data must be reviewable and editable.
Right to be Forgotten/Erasure
Erasure becomes a universal right. Sometimes known under its previous, expanded iteration as “the right to be forgotten”, this allows individuals to request that personal data related to them be deleted. Specifically, any EU citizen/resident has the right to have the Data Controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Erasure must be across all back-ups and data stores. In addition, third-party processors of the same data must be notified of any erasure action.
Data Portability
The right for an EU citizen/resident to receive the personal data concerning them, which they have previously provided, in a “commonly used and machine-readable format”, and the right to transmit that data to another Data Controller. Individuals have the right to instantly download their data in a computer-readable format or any other form of readable material.
Slayte’s Role as a Data Processor
Slayte will follow instructions received from our customers in their role as Data Controllers with respect to personal data, unless those instructions are (i) legally prohibited or (ii) require material changes to the Software. In addition, Slayte will reasonably support the Customer or any Data Controller in addressing requests from Data Subjects or regulatory authorities regarding Slayte’s processing of personal data. If Slayte cannot comply with an instruction, or if there is a Customer-billable cost to comply with the instruction, Slayte will promptly notify the Customer.
To process personal data, Slayte (and its sub-processors) will only use personnel who are bound to observe data secrecy under the Data Protection Law. Slayte will use the appropriate technical and organizational measures to meet this objective. The current version of Slayte’s Written Information Security Policy can be found on the Slayte Customer Portal.
Slayte will promptly inform Customer if it becomes aware of any Security Breach, as documented in the terms of each customer’s Slayte Software Subscription & Services Agreement.
Any Slayte sub-processors will have the same obligations as Slayte does as a Data Processor (or sub-processor) with regard to their processing of personal data.
Information we hold
- Email address, first and last name (and title if provided in SSO as "Name") used to login (via registration or through SSO)
- Submissions (and drafts), including all field values supplied (including uploads/attachments)
At signup, each user will be prompted to consent to the Data Controller's policy, which has been customized by each client in the Admin Settings. We record the date/time when the consent was given, and for TOS/Privacy consent we restrict any access unless consent has been given. The option to withdraw consent is included in the option to delete the user profile.
You may complain to the ICO if you think there is a problem with the way we are handling your data.
To access and to obtain a portable copy of your data
You may download a copy of the personal data you have provided through the controller in the settings. Any further subject access requests must be directed via email to email@example.com
To be informed
At registration/SSO we inform you about our and our clients' policies.
To be forgotten (erasure) and to object
You may delete your profile entirely in the settings. This withdraws your consent from our policies.
Data Breaches: Data Breach Response Policy
Data Protection: Data Protection Policy