Acquire

EU General Data Protection Regulation

Acquire Inc has long had operations in the European Union, and we are therefore committed to compliance, security, privacy and transparency. This approach assures customers that we at Acquire are improving our procedures to collect, process and encrypt sensitive personal data in accordance with the requirements set out in the General Data Protection Regulation (“GDPR”), which is enforceable on 25th May 2018. Acquire Inc is here to help customers and end-users understand the significance of the GDPR, its requirements and our adherence to global standards.

Introduction to GDPR

The General Data Protection Regulation 2016/679 (GDPR) replaces the existing data protection regimes in place throughout the European Union (EU), including the UK. It introduces a number of new obligations and requirements on controllers and processors. Compliance with the new regulations will be of even greater importance following the enforcement date of 25th May 2018, because the GDPR substantially increases the fines that can be imposed by the relevant regulatory bodies in the event of a breach – now up to a maximum of € 20 million or 4% of annual global turnover, whichever is the higher.

GDPR Application

Personal data of EU citizens may be collected in one way or another when Acquire is used, as we create databases of contacts, their information, and business dealings with them. “Data Subjects” are individuals; hence, not all customers will be data subjects. Our customers also include businesses and government organizations, to which the GDPR does not apply.

Acquire’s Compliance to GDPR

We are actively engaged in developing policies and procedures to comply with the principles of data protection enumerated in the EU GDPR. We make our best effort to protect personal data in accordance with the principles listed below and to comply with the Data Protection Standards.

1. Lawful, fair and transparent
Acquire has a transparent, lawful and fair process for the collection and use of personal data.

2. Limited for its purpose
We collect data for specified, explicit and legitimate purposes and do not further process it in a manner that is incompatible with those purposes.

3. Data Minimization
Personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

4. Accurate
Any data we hold is accurate and kept up to date.

5. Retention
Personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

6. Secure
Personal data is securely processed, thus providing protection against unauthorized or unlawful processing, accidental loss, destruction or damage by using appropriate technical and organizational measures.

GDPR Obligations and Compliance

Acquire is committed to the security, privacy and transparency of customers’ data and to compliance with the data protection requirements of the General Data Protection Regulation (“GDPR”). We assure our customers that Acquire has updated the features and functionality of its products and services to comply with the GDPR obligations. Here are some features that can support GDPR compliance.

GDPR Obligation: Compliance by Acquire

• Accountability and Transparency: Acquire’s Privacy Policy and supporting policies ensure transparent communication with data subjects, specifying the notice that informs its customers. Acquire also offers a Data Processing Agreement for cross-border transfers of personal data from the EU.

• Rights to Access and Rectify: Acquire allows its clients to access their profiles to amend inaccuracies or rectify any errors.

• Right to be Forgotten: Acquire’s customers can delete or erase their profile if the processing is not justified. Customers must send a request by email to Acquire for the deletion to be processed.

• Right to Restrict Processing: The processing of customers’ personal data is limited to specified purposes related to Acquire products and services, by documenting and implementing internal mechanisms.

• Right to Data Portability: Provides data subjects with the right to transfer their personal data between data controllers.

• Right to Object to Processing: Acquire has documented and implemented internal mechanisms to stop processing upon specific data subject requests, for direct marketing purposes upon request, and for any other statistical or scientific purposes.

Exceptions

Acquire does not process any data subject request unless it is made for one of the following reasons:

• The personal data is no longer needed in relation to the purposes for which it was collected or otherwise processed.

• The data subject withdraws consent, and there are no other legal reasons for processing.

• The data subject objects to processing, and there are no overriding legitimate grounds for processing.

• The personal data has been unlawfully processed.

• The personal data has to be erased for compliance with a legal obligation.

• The personal data has been collected in relation to the offer of information society services to a minor under 16 years old.

Detailed guidelines for Data Subject Access Requests are described in the Data Subject Access Request Policy and Procedure document.

Frequently Asked Questions

1. What is Personal Data?
Any data relating to an identified or identifiable natural person (‘Data Subject’) such as name, address, email address, phone number, educational background, financial details, educational details, nationality etc.

2. Who are Data Controllers, Data Processors, and Data Subjects?

• Data Controller: Controls purpose and means of processing. Direct responsibility to data subject and data protection authority.

• Data Processor: Acts on instructions of Data Controller. Direct responsibility to data subject and data protection authority.

• Data Subject: Persons in the EU

3. Who is the Data Protection Officer (DPO)? Do you have a dedicated DPO?
The DPO is responsible for informing employees of their compliance obligations as well as conducting the awareness training, monitoring, and audits required under the GDPR. Yes, we have a dedicated DPO. For any queries related to GDPR compliance, contact our DPO at ashka@acquire.io.

4. Do you have processes in place for a data breach?
Yes, we have Data Breach Procedures in place that enable us to react immediately and thus notify the affected parties within 72 hours of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

5. What are the advantages of using cloud or Software-as-a-Service (SaaS) for GDPR compliance?
The foremost advantage of using cloud services or SaaS is that the provider is already operating on a secure model for data management. This provides a safe environment to manage and process our data, and also accommodates the effort required to keep pace with changing policies.

6. For how long do you store customer data?
We store customers’ data for as long as they use our services or until they request deletion of their data.

7. How do you handle data subjects’ rights?
Data subjects have a right to access and delete their personal data. We at Acquire act immediately on requests for access or deletion, verifying the identity of anyone making a subject access request.

8. Where is your customer data physically stored?
Our customers’ data is stored in data centers hosted by Microsoft Azure.

9. Does GDPR require EU data to stay in the EU?
No. It does not place any restrictions on the transfer of personal data outside the EU, and thus EU personal data is not required to stay in the EU. Data transfers to and from the EU can be legitimized in various ways, including the EU-US Privacy Shield, model or contractual clauses, etc.

10. How are privacy and “Privacy by Design” handled by Acquire?
Our Privacy Policy describes how we handle and protect customer information. We have an internal compliance team that monitors GDPR and other compliance initiatives to stay up to date with regulatory requirements.
We have procedures in place for Privacy Impact Assessments, which enable us to design business processes for handling personal data and its protection. The GDPR makes privacy by design a major provision and, as a consequence, the inclusion of data protection as a key design element becomes an integral objective of any system design from the very outset.

If you want more advice and help, get in touch with our DPO at ashka@acquire.io today or have a look at our GDPR Whitepaper for more information.

Additional Resources

Data Protection Policy

Acquire Terms & Conditions
