Acquire has operations in European Union since long, and thus we are committed to compliance, security, privacy and transparency. This approach ensures the customers that we at Acquire are improving our procedures to collect, process and encrypt sensitive personal data in accordance with the requirements, set out in the General Data Protection Regulation (“GDPR”), which is enforceable on 25th May 2018. Acquire Inc is here to help customers and end-users understand significance of the GDPR, its requirements and our adherence to comply by global standards.
The General Data Protection Regulation 2016/679 (GDPR) replaces the existing data protection regimes in place throughout the European Union (EU), including the UK. It introduces a number of new obligations and requirements on controllers and processors. Compliance with the new regulations will be of even greater importance following the enforcement date of 25th May 2018, because the GDPR substantially increases the fines that can be imposed by the relevant regulatory bodies in the event of a breach – now up to a maximum of € 20 million or 4% of annual global turnover, whichever is the higher.
Personal Data of EU citizen in one or the other way could be collected when using Acquire while we create databases of contacts, their information, and business dealings with them. “Data Subjects” are classified as an individual hence, not all customers will be data subjects. Businesses or government organizations are also our customers to which GDPR does not apply to.
We are actively engaged in developing policy and procedures to comply with the principles of data protection enumerated in EU GDPR. Our best effort is to protect personal data in accordance with the principles mentioned below and comply with the Data Protection Standards.
There is transparent, lawful and fair process for Personal data collection and its use at Acquire.
We collect data for specified, explicit and legitimate purposes and not further processed in manner that is incompatible with those purposes.
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Any data we hold is accurate and kept up to date.
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Personal data is securely processed, thus providing protection against unauthorized or unlawful processing, accidental loss, destruction or damage by using appropriate technical and organizational measures.
Acquire is committed to security, privacy and transparency of customer’s data and compliance to data protection requirements with respect to General Data Protection Regulation(“GDPR”). We assure our customers’ that Acquire has updated the features and functionality of their product and services to comply with the GDPR obligations. Here are some features that can support GDPR Compliance.
|GDPR Obligations||Compliance by Acquire|
Acquire also offers Data Processing Agreement for cross-border transfers of personal data from the EU.
|Rights to Access and Rectify||Acquire offers their client to access their profiles to amend inaccuracies or rectify any errors.|
|Right to be Forgotten||Acquires’ customers can delete or erase their profile if the processing is not justified. Customers must make a request through email to Acquire to process for deletion.|
|Right to Restrict Processing||The processing of personal data of the customers is limited for specified purpose related to the Acquire products and Services by documenting and implementing internal mechanisms.|
|Right to Data Portability||Provide data subjects with the right to transfer their personal data between data controllers.|
|Right to Object Processing||Acquire has documented and implemented internal mechanisms to stop processing upon specific data subject requests, for direct marketing purpose upon request, for any other statistical or scientific purposes.|
Acquire doesn’t process any data subject requests until and unless for the following reasons
• The personal data is no longer needed in relation to the purposes for which it was collected or otherwise processed.
• The data subject withdraws consent, and there are no other legal reasons for processing.
• The data subject objects to processing, and there are no overriding legitimate grounds for processing.
• The personal data has been unlawfully processed.
• The personal data has to be erased for compliance with a legal obligation.
• The personal data has been collected in relation to the offer of information society services to a minor under 16 years old.
Detailed guidelines for Data Subject Access Requests are described in Data Subject Access Request Policy and Procedure document.
Any data relating to an identified or identifiable natural person (‘Data Subject’) such as name, address, email address, phone number, educational background, financial details, educational details, nationality etc.
• Data Controller: Controls purpose and means of processing. Direct responsibility to data subject and data protection authority.
• Data Processor: Acts on instructions of Data Controller. Direct responsibility to data subject and data protection authority.
• Data Subject: Persons in the EU
The DPO is responsible for informing employees of their compliance obligations as well as conducting awareness trainings, monitoring, and audits required under GDPR. Yes, we have dedicated DPO. For any queries related to GDPR compliance contact to our DPO at firstname.lastname@example.org.
Yes, we have Data Breach Procedures in place that enables us to react immediately and thus notifying the affected parties within 72 hours of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Foremost advantage of using cloud services or SaaS is that the provider is already operating on a secure model for data management. This provides a safe environment to manage and process our data, and also accommodate efforts required to keep pace with changing policies.
We store customers’ data for the time of using our services or until they request to delete their data.
Data Subjects have a right to have Access and Delete their personal data. We at Acquire immediately take action on request for Access or Deletion of their data by verifying the identity of anyone making a subject access request.
Data of our customers are stored in datacenters hosted by Microsoft Azure.
No, it doesn’t place any restrictions on transfer of personal data outside the EU and thus it is not required EU personal data to stay in EU. Data transfers to and fro from EU can be legitimized in various ways which includes EU-US Privacy Shield, Model or Contractual clauses etc.
We have procedures in place for Privacy Impact Assessments which enables us to design a Business process handling personal data and its protection. The GDPR is making privacy by design a major provision and, as a consequence, the inclusion of data protection as a key design element becomes an integral objective of any system design, at the very onset.