AgileCase and the GDPR
On the 25th May 2018 the European Union will begin enforcing its General Data Protection Regulation (GDPR). It impacts how businesses collect and process data from European individuals. As a European-based business that values the rights of its users and customers and their personal data regardless of their location, we’re happy to comply with these rules across all our systems and processes.
This page gives an overview of the roles described by the GDPR, the responsibilities of each party and the efforts we’re putting in place to support our obligations.
AgileCase as the Data Processor
While using our services you may upload data to AgileCase. Due to the nature of our products and services, your data may contain information from or about your clients.
These are your data subjects, and you are considered the data controller for this personal data. Our Terms and Conditions refer to this data as Client Data.
Using AgileCase services to process your Client Data means that you have engaged AgileCase as a data processor to carry out certain data processing activities on your behalf. Article 28 of the GDPR states that the relationship between the controller and the processor needs to be set out in writing (electronic form is acceptable under subsection (9) of Article 28). Our Terms and Conditions and Privacy Policy also serve as your data processing contract with AgileCase. They set out the instructions you are giving to AgileCase with regard to processing personal data you control and establish the rights and responsibilities of both parties. AgileCase will only process your Client Data based on your instructions as the data controller.
Data Transfers
When data processors transfer data outside of the European Economic Area (EEA), the GDPR sets strict requirements for moving data outside of the scope of its protection.
The vast majority of AgileCase's infrastructure is EU based. Where we do engage sub-processors, we do so carefully, considering the legality of the transfer at each step.
We keep an up-to-date list of sub-processors here. This ensures we are fully transparent about our transfers and the processors we use. We explain the data we transfer and for what purpose. We only engage with sub-processors who have either certified under the EU-US Privacy Shield framework or signed the EU Commission’s standard contractual clauses for data transfers with us.
If you have any questions on these points you can contact us.
AgileCase as the Data Controller
AgileCase acts as the data controller for the personal data we collect about you, the user of our web app and website and the purchaser of our services.
Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations.
Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
What do you mean by ‘legitimate interests’?
- Improving our services in a way that is useful to you.
- Ensuring your data and AgileCase's systems are reliable, safe and secure.
- Responsible marketing of our products, services and their features.
As the controller for your personal data, AgileCase is committed to respecting your rights under the GDPR. If you have any questions, please contact our Data Protection Officer.
What is AgileCase doing for the GDPR?
AgileCase respects the privacy of its customers and their clients. To that end, we have implemented and continue to improve both technical and organizational measures in line with the GDPR to ensure the appropriate processing of personal data.
Internal processes, security and data transfers
We have reviewed our internal processes and operations to make sure we map and audit the data travelling through our systems. We have implemented functionality within all our main customer-facing systems to support the principles of Privacy by Design. Any access to Client Data is only done with the permission of our customers and is always limited specifically to the scope of the contract between AgileCase and the customer.
Our internal procedures and logs make sure that we meet the GDPR accountability requirements.
We onboard new third-party services rarely, but when we do, we have a strict internal process for evaluating these suppliers on their security and privacy considerations. We keep the number of sub-processors to a minimum, where possible using our own technology and infrastructure for processing.
Ability to action subject access requests
Data subjects’ ownership of their personal data is at the heart of the GDPR. We already allow data subjects to request deletions, modifications, or data transfers via our Support channels. This means that our Support Team, along with the Engineers that assist them in their work, are well-prepared to help you in any matters involving your personal data.
Documentation
Our Terms and Conditions and Privacy Policy are updated regularly to make sure we build upon the good work we’ve always done in this area. As these documents set out the basis of our relationship with you, it is of paramount importance for us to openly and clearly explain your rights in these documents.
Training and awareness
Training and awareness about the GDPR and the handling and processing of personal data have been communicated throughout the whole AgileCase business. Each employee is aware of the issues and our policies surrounding compliance with the GDPR and other privacy-related matters. We have built this training into our recruitment process and training requirements and have scheduled regular refresher checks.
We believe the above approach in adhering to the GDPR is firmly in line with the ethos of its purpose and what it aims to achieve.