Acquire has operations in European Union since long, and thus we are committed to compliance, security, privacy and transparency. This approach ensures the customers that we at Acquire are improving our procedures to collect, process and encrypt sensitive personal data in accordance with the requirements, set out in the General Data Protection Regulation (“GDPR”), which is enforceable on 25th May 2018. Acquire Inc is here to help customers and end-users understand significance of the GDPR, its requirements and our adherence to comply by global standards.
Introduction to GDPR
Personal Data of EU citizen in one or the other way could be collected when using Acquire while we create databases of contacts, their information, and business dealings with them. “Data Subjects” are classified as an individual hence, not all customers will be data subjects. Businesses or government organizations are also our customers to which GDPR does not apply to.
Acquire’s Compliance to GDPR
We are actively engaged in developing policies and procedures to comply with the principles of data protection enumerated in EU GDPR. Our best effort is to protect personal data in accordance with the principles mentioned below and comply with the Data Protection Standards.
| 1. Lawful, fair and transparent | There is transparent, lawful and fair process for Personal data collection and its use at Acquire. |
| 2. Limited for its purpose | We collect data for specified, explicit and legitimate purposes and not further processed in manner that is incompatible with those purposes. |
| 3. Data Minimization | Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. |
| 4. Accurate | Any data we hold is accurate and kept up to date. |
| 5. Retention | Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. |
| 6. Secure | Personal data is securely processed, thus providing protection against unauthorized or unlawful processing, accidental loss, destruction or damage by using appropriate technical and organizational measures. |
GDPR Obligations Compliance by Acquire
| Access Control | Access to our production networks is controlled through multi-factor authentication over HTTPS encrypted protocol. Strict Firewall rules restrict access to vulnerable ports to ensure secure and limited access to production environment. We also utilize intrusion detection systems in our corporate network to identify potential security threats. |
| Login Security | Each user can log in with their unique username and password with specific authorization and permission level as controlled by account administrator. Password complexity is conformed to defined password standards and configuration. |
| Logical Access | Access to data, system utilities, and program source code libraries are controlled and restricted to those authorized users who have legitimate business need. Responsibilities and duties are well segregated to avoid repudiation and in-compatibility of responsibilities. |
| Datacenter | Acquire services are hosted in advanced data center operated by a recognized industry leader Amazon Web Services (AWS). Our vendor adheres to the highest industry standards of quality, security and reliability and continuously monitors the environment using automated compliance checks based on the AWS best practices and industry recognized standards. |
Exceptions
Acquire doesn’t process any data subject requests until and unless for the following reasons
- The personal data is no longer needed in relation to the purposes for which it was collected or otherwise processed.
- The data subject withdraws consent, and there are no other reasons for processing.
- The data subject objects to processing, and there are no overriding legitimate grounds for processing.
- The personal data has been unlawfully processed.
- The personal data has to be erased for compliance with a legal obligation.
- The personal data has been collected in relation to the offer of information society services to a minor under 16 years old.
Detailed guidelines for Data Subject Access Requests are described in Data Subject Access Request Policy and Procedure document.
Frequently Asked Questions
We have procedures in place for Privacy Impact Assessments which enables us to design a Business process handling personal data and its protection. The GDPR is making privacy by design a major provision and, as a consequence, the inclusion of data protection as a key design element becomes an integral objective of any system design, at the very onset.