Passed in 2016, the new General Data Protection Regulation (GDPR) is the most significant legislative change in European data protection laws since the EU Data Protection Directive (Directive 95/46/EC), introduced in 1995. The GDPR, which becomes enforceable on May 25, 2018, seeks to strengthen the security and protection of personal data in the EU and serve as a single piece of legislation for all of the EU. It will replace the EU Data Protection Directive as well as all the local laws relating to it.
We at Know Your Team support the privacy rights of our customers and our users and we comply with GDPR.
Who Does GDPR apply to?
The GDPR applies to all organizations operating in the EU, processing personal data in the EU, or processing "personal data" of EU residents. It defines personal data as any information relating to an identified or identifiable natural person. “Data subjects” are the individual persons whose data we receive and process.
Know Your Team's Role in GDPR Compliance
It is important to note that Know Your Team is acting both as a Data Controller and as a Data Processor within the realm of GDPR compliance:
As a Data Controller, Know Your Team is responsible for implementing appropriate safeguards to ensure compliant processing of personal data provided to us by our customers and by individual consumers. This data is provided to us when customers and individual consumers interact directly with our services like knowyourteam.com and thewatercooler.com.
As a Data Processor, Know Your Team is responsible for safeguarding the personal data of our customers' users as they share information using our service knowyourteam.com.
We keep your information for the time necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and your choices, after which time we may delete and/or aggregate it. We may also retain and use this information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Through this policy, we have provided specific retention periods for certain types of information.
Data retention: Location of site and data
Our products and other web properties are operated in the United States. If you are located in the European Union, UK, or elsewhere outside of the United States, please be aware that any information you provide to us will be transferred to and stored in the United States. By using our websites or Services and/or providing us with your personal information, you consent to this transfer.
Data retention: When transferring personal data from the EU
The European Data Protection Board (EDPB) has issued guidance that personal data transferred out of the EU must be treated with the same level of protection that is granted under EU privacy law. UK law provides similar safeguards for UK user data that is transferred out of the UK. Accordingly, Know Your Team has adopted a data processing addendum with Standard Contractual Clauses to help ensure this protection. Know Your Team's DPA is available at DPA.
There are also a few ad hoc cases where EU personal data may be transferred to the U.S. in connection with Know Your Team operations, for instance, if an EU user signs up for our newsletter or participates in one of our surveys. Such transfers are only occasional and data is transferred under the Article 49(1)(b) derogation under GDPR and the UK version of GDPR.
Policy, Terms of Services and DPA
We constantly review all the data we collect, where the data is collected and processed, and the reasons why we collect it, as well as which Know Your Team employees have access to it. This is also known as a data map, and we have it ready to share upon request.
We audit all vendors to ensure they are adhering to GDPR as well as signing all appropriate DPAs. You can see more about our sub-processors further down in this document.
Your rights as an EEA person
Under the GDPR, as a European Economic Area (EEA) person, you have the following rights:
The right to be informed
The right to object
We strive to only collect data that is important for us to serve you well or to improve the product. Nonetheless, you have the right to object to the use of your personal data and make a case that our organization lacks compelling and legitimate grounds for processing your data to perform our business function. (Section 4 Article 21)
The right of access
You have the right to ask if we are processing your data, how we are processing your data, where we are processing your data, and the reasons for the processing. (Section 2 Article 15) To request your personal data map to see the categories of recipients who may see your data, you can click on this link.
The right to rectification
You can correct or complete any of your personal information we have by visiting your respective profile page on knowyourteam.com or thewatercooler.com. If you have questions on how to do that, please contact us. (Section 2 Article 16)
The right to be Forgotten (also known as Data Erasure)
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. (Section 2 Article 17)
To request we delete all data about you (the data subject) please click on this link. If you are a user under a customer's organization, we reserve the right to inform the customer before we proceed with the erasure. If you are the owner of the organization and you want to keep the organization's account active, we need to appoint a new organization owner before we proceed with the erasure.
After we initiate the erasure process, this operation cannot be undone, and deleting all your data can take up to 30 days due to our backup policy. In the event we cannot delete your data due to legal or similar restrictions, we will tell you and explain the reason(s).
The right to restrict processing
We share some personal data with certain vendors for analytics purposes to help us improve the product or solve bugs, but we do not sell your personal or other data in any circumstances. (Section 2 Article 18)
You have the right to request that we stop processing your personal data if you believe it is not accurate, or if processing is not compliant, or that retention is no longer needed. To file a request to restrict the data we process, please click on this link.
The right to data portability
You have the right to receive the personal data concerning you (Section 2 Article 20). Upon request, we can generate a series of CSV files with all your data, so you can transmit that data to another controller.
To request we export all the data we have associated with your account, click on this link. This process can take up to 30 days and our support team will keep you informed of the progress via email.
Under the GDPR, a breach notification is mandatory if a data breach is likely to result in a risk to the rights and freedoms of individuals. If this scenario occurs, you will be notified by email within 72 hours of our first becoming aware of the breach.
Privacy by design
Know Your Team takes a holistic approach to security and privacy. All sensitive and personal information we keep is encrypted and we never sell user data.
Know Your Team uses third-party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to provide you with our services. These are also known as processors and sub-processors under GDPR. We only use partners that comply with GDPR and we have a Data Processing Agreement with every one of them.
To see our list of current vendors and changes we've made over time, you can check this link.
Questions about GDPR?
Please get in touch and we’ll be happy to answer any questions!