AllClients GDPR Compliance Statement and FAQs
Updated: April 22, 2021
AllClients is GDPR compliant
GDPR is the General Data Protection Regulation of the European Union (EU).
The GDPR compliance statement for CRM systems provides new regulations for the protection of the personal data of residents within the European Economic Area (EEA). It took effect on May 25, 2018.
The GDPR replaces the EU’s 1995 Data Protection Directive that required EU member states to enact their own data protection laws with certain minimum standards. The result was a patchwork of different standards and rules across the EU.
GDPR data protection creates a single legal framework for the entire EEA for handling personal data. It is directly applicable and enforceable in all EEA countries (i.e., it requires no further legislation).
To whom does the GDPR apply?
The GDPR applies to Data Processors and Data Controllers whether or not they have any “establishment” within the EEA.
A Data Processor is someone who, directly or through third parties, collects, records, organizes, stores, uses, discloses, or disseminates personal data of EEA residents. A Data Controller is a Data Processor who also, directly or indirectly, whether alone or jointly with others, determines the purposes and means of the processing of such personal data.
In simple terms, “personal data” is data that, alone or in combination with other information, identifies, or is likely to identify, a living person. It includes phone number, home address, email address, job title, employment history, education and training, and financial details. The GDPR compliance statement has special rules about processing “sensitive” personal data (including ethnicity, politics, religion, health, biometrics).
Where does AllClients fit in terms of GDPR?
AllClients’ customers upload personal data of EEA residents into databases that are managed by AllClients. This makes AllClients a Data Processor for GDPR purposes.
However, AllClients has no say in what data is collected, how it is collected, or how it is shared or used. Since our customers are determining the purpose and means of processing of the data, our customers are Data Controllers for GDPR purposes. AllClients is merely processing the data on their behalf as a Data Processor.
The GDPR imposes additional obligations on Data Processors and Data Controllers who have an “establishment” within the EEA. AllClients does not have an “establishment” in the EEA for GDPR purposes. AllClients does not determine whether or not our customers have an “establishment” within the EEA (whether physically or by virtue of the activities undertaken within the EEA) and therefore whether these additional obligations will apply. We recommend that our customers seek their own advice in this area.
All data within the AllClients Systems is being hosted by Rackspace and some of their servers are physically located outside of the EEA… Is this OK under GDPR?
Under the GDPR (and other applicable laws), personal data may only be transferred outside of the EEA when an adequate level of protection for that data is in place. By utilizing AllClients’ services, customers who collect personal data of EEA residents will be exporting that data out of the EEA to AllClients.
AllClients uses Rackspace (RackSpace.com) exclusively for all server and cloud service functions. Under the GDPR, Rackspace is a sub-processor for AllClients.
AllClients and Rackspace have entered into a Data Processing Agreement that incorporates all required GDPR provisions (including the Standard Contractual Clauses), which allows both AllClients and Rackspace to import and process the relevant data exported by AllClients customers.
Because the relationship between AllClients and our customers is GDPR compliant, does that automatically make AllClients’ customers compliant as well?
No. Data Controllers handling personal data of EEA residents are required to have terms and conditions that ensure that such persons have the requisite rights, protections and remedies, and give the necessary consents, as required by the GDPR.
AllClients customers are solely responsible for compliance with the GDPR and should consult with their own legal counsel as to how GDPR may or may not affect their business.
Please note: GDPR system compliance for our customers (the Data Controllers) is ultimately the responsibility of our customers, not AllClients.
Please contact Jeff@AllClients.com if you have any questions regarding AllClients and GDPR.