GDPR + Quick Base: What You Need to Know

Quick Base News | May 31, 2018 | 4 Min Read

What is the EU GDPR?

The General Data Protection Regulation (GDPR), in force since May 25, 2018, governs the protection of personal data across the EU member states and replaces the European Data Protection Directive of 1995. The GDPR applies to organizations both inside and outside the European Union (“EU”) that process the personal data of EU residents and citizens.

What is the scope of personal data protected by the GDPR?

The GDPR is focused on protecting the personal data of individuals in the European Union. Personal data is defined broadly in Article 4(1) as follows:

“[A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” 

Examples include a name, a personal e-mail address, a postal address, a phone number or an IP address, as well as any combination of such items that, taken together, can identify an individual.

Does the GDPR require EU personal data stay in the EU?

No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. 

How does GDPR apply to Quick Base?

The GDPR imposes different obligations depending on whether an organization is a “controller” or a “processor” of the personal data in question. Quick Base processes the personal data of persons in the European Union both as a “controller” and as a “processor”.

For our marketing, customer relationship management, human resources, finance and other related systems, Quick Base is a controller for the personal data that it collects.   

As operator of the Quick Base platform, Quick Base is a processor for personal data for which our business customers are the controller. Customers may collect the personal information of EU individuals through their Quick Base apps or through third-party systems, and Quick Base then processes that data on the Quick Base platform.

What steps has Quick Base taken to be compliant with the requirements of GDPR?

In many ways, Quick Base’s preexisting practices and policies allowed us to align with the requirements of the GDPR without major changes. While Quick Base uses sub-processors for certain activities such as log management, email delivery and data center hosting, Quick Base does not share, and has never shared, customer app data with any third party. Quick Base is committed to transparency with regard to our control environment and privacy practices, and commits to informing our customers of any suspected or confirmed data breach expeditiously (our internal SLA is 24 hours). We have additionally taken the following actions:

  • We have built and maintain an accurate inventory of the third-party vendors (sub-processors, in GDPR parlance) with which we share data, and have published our sub-processor list on our website.
  • We have named a Data Privacy Officer.
  • We have created a GDPR-aligned Sub-processor Data Processing Agreement.
  • We have created a GDPR-aligned Customer Data Processing Agreement.
  • We have created and documented a right-to-be-forgotten process.
  • We have incorporated privacy-by-design criteria into our Architecture Review Board.
  • We became Privacy Shield certified in 2017 and updated our Privacy Policy to meet GDPR requirements.

What steps should customers take to be compliant with the requirements of GDPR?

As noted, customers are the controller for data they collect, store and process in Quick Base apps. The GDPR’s 99 articles set out the rights of individuals and the obligations placed on controllers covered by the regulation. These requirements oblige organizations to process personal data lawfully and transparently, to limit processing to what is necessary, and to honor data subjects’ rights with regard to their personal information.

Customers may formalize their rights and establish a lawful basis for transfers of EU personal data to Quick Base by executing Quick Base’s Data Processing Agreement, which incorporates the European Commission’s standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or the European Economic Area (EEA).

Summary

Quick Base views the GDPR as an opportunity to deepen our commitment to privacy and data protection best practices. As with existing legal requirements, compliance with the GDPR requires a partnership between Quick Base and our customers in their use of our platform.

In addition to ensuring our own compliance with the provisions of the GDPR under our responsibilities as a controller, Quick Base’s updated Data Processing Addendum, available upon request, contains additional provisions to assist customers with their own GDPR compliance.

As we move forward, we will continue to align with best practices with regard to the GDPR and data protection. The GDPR is another important part of our security program, which incorporates industry standards and frameworks designed to protect customers’ data, as described on our Security and Compliance page.

Additional Resources

  • Quick Base’s Privacy Policy
  • Quick Base’s certification with EU-US Privacy Shield
  • GDPR – text in multiple languages