Is CloudFiles GDPR Compliant?
This article talks about GDPR compliance with CloudFiles. Learn what GDPR compliance is, why it's important, what your obligations are and how you can deal with them using CloudFiles.
At CloudFiles, we are committed to best practices in data security & privacy. As part of maintaining these practices both in our product and internal processes, we have undergone intensive GDPR audits and are now fully GDPR compliant.
In order to be GDPR compliant with CloudFiles, you, as a customer, need to fulfil certain obligations as well. In this article we quickly talk about the what & why of the GDPR law, show you how we are GDPR compliant and also discuss what you can do to be fully compliant with us.
The GDPR is a European Union regulation that introduces certain obligations on internet firms with regard to the personal data they process in doing business. These obligations seek to assure individuals that their personal data are secure and that their rights in relation to that data will be respected.
GDPR classifies personal data as anything that you are collecting from your customers (such as email, location, etc., in the context of CloudFiles) when they view the documents uploaded by you. GDPR also classifies the entities that are collecting this data into 2 types - Controllers and Processors.
Data Controller - A data controller is a person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body).
While using CloudFiles to collect emails and other information from your users, you are acting as the data controller.
CloudFiles acts as the data controller only for the data we collect directly from you (such as your email & other details when you sign up for the account).
Data Processor - A data processor is a person, company, or other body which processes personal data on the data controller's behalf.
When you collect data of your customers / prospects through CloudFiles, CloudFiles acts as a data processor on your behalf.
CloudFiles is the data controller for processing of Personal Data of its own users, but we act as a data processor for Personal Data that we process on behalf of our Users.
Data Processing Agreement
We have created a standard DPA that addresses all of the GDPR requirements. CloudFiles’ Data Processing Agreement (DPA) relies on the EU Standard Contractual Clauses (SCCs) as the transfer mechanism for Personal Data from the United Kingdom, EU and EEA to our US-East based AWS environment.
CloudFiles has signed Data Processing Agreements with our key vendors.
Record of data processing activities
CloudFiles documents all personal data that is stored and processed. Hence, CloudFiles maintains a record of all data processing activities involving personal data as per the legal requirement given under Article 30 of GDPR. Such records are updated regularly. CloudFiles is responsible for maintaining the Processing Records of the processing activities taking place.
Privacy by design and Privacy by default
CloudFiles acknowledges that privacy by design and privacy by default are important requirements as given under Article 25 of GDPR. To comply with the same, CloudFiles ensures that every action undertaken related to processing of personal data of data subjects is in consideration of data protection and privacy at every step; and that the strictest privacy settings are applied to every product, without requiring any inputs at a later stage.
If you are collecting personal data from individual clients or contacts based in the EU, including in the course of using CloudFiles, then you may have certain obligations with respect to that data — as a ‘Data Controller' under the GDPR. In those circumstances, we recommend:
- Considering how you handle consent from those individual clients or contacts. CloudFiles can help you take explicit consent from the users before collecting their data
- Getting legal and other professional advice regarding your obligations.
- Where appropriate, agreeing to Data Processing Addenda with those software vendors that possess and otherwise process the personal data you're collecting. If you'd like to sign a Data Processing Addendum with CloudFiles, please contact [email protected]
You have certain rights if you are within the EU. These include:
- Right to access. This right allows you to obtain a copy of your personal data, as well as other supplementary information.
- Right to restrict processing. You have the right to restrict the processing of your personal data in certain circumstances.
- Right to rectification. You have the right to have any incomplete or inaccurate information we hold about you corrected.
- Right to object to processing. The right to object allows you to stop or prevent us from processing your personal data. This right exists where we are relying on a legitimate interest as the legal basis for processing your Personal Data. You also have the right to object where we are processing your Personal data for direct marketing purposes.
- Right to erasure. You have the right to ask us to delete or remove Personal data when the personal data is no longer necessary for the purpose for which it was originally collected or processed.