Learn more about our approach to data protection and how we are working within the GDPR framework
The General Data Protection Regulation (GDPR) is a new European Union (EU) privacy law that came into effect on 25th May 2018. It replaces the 1995 EU Data Protection Directive (DPD). Its objective is to improve the protection of the personal data of EU citizens and ensure that organizations that collect, store and process Personally Identifiable Information (PII) – such as email addresses or phone numbers – operate in a well-defined framework. PII is any data that, used alone or with other data, can be used to identify a person. The full text of the GDPR can be found here. If you have any questions about how this affects the data held by Cronofy, contact us.
The GDPR exists to ensure that businesses like Cronofy have a legal basis to process Personal Data. The recommended action to do so is simply to ask users for their consent. This consent must be specific and verifiable, which means that a written record of consent must be kept and tied to specific users. It also means that this consent can be withdrawn at any time, and businesses then have to delete the PII from their records. Consent also has to be unambiguous and clearly explain what the user is agreeing to. This means that, for example, pre-checked consent boxes on forms aren't accepted.
This new EU regulation also clearly defines the rights of the data subjects, the persons whose data is held by businesses. EU citizens have the right to ask for information on how their data is processed, used and stored. They can also request that their data be handled in a specific fashion. For example, they might not want it hosted outside of the EU. Whatever the reasons, they have the right to request that their data be corrected, amended or even deleted. They also have the right to access that data and check what personal data is hosted by the company they use. This means that data processors need to be clear on how they process data – including the different third-party services they might be using – and be ready to support user requests in a timely manner.
Our approach to Data Protection
As a business dealing with sensitive calendar data on behalf of our users, protecting this data is paramount. Our data protection team – which includes senior representatives of our Security, Architecture and Technical teams – is constantly reviewing our processes in order to ensure that all user data is protected and encrypted.
We have data centers in both the US and Europe, so our clients – no matter where they are – can choose the location that works best for them and their users. We apply GDPR standards to all our data, not just EU data.
Collecting user consent
The data we host isn’t limited to calendar data. We also use data for Marketing purposes. This can range from basic product updates to recurring newsletters.
When clients and prospects entrust us with their Personally Identifiable Information, we ensure that they are clear on how we will be using their data – such as their email address – going forward.
All our forms include a clear and verifiable consent action, and we are also gathering consent from all our existing contacts going forward.
Our team is here to help
To prepare for GDPR, we adjusted our processes where necessary. We also ensure that any third-party providers that we deal with are in compliance with the GDPR.
If you don’t yet have a contract in place with us that includes the necessary Data Processing Agreement (DPA), or if you have any questions about our approach to the GDPR, please don’t hesitate to email us at firstname.lastname@example.org.
Clients around the world entrust their data to Iron Mountain. Ensuring that their information – as well as our employees’ calendar data – was secure was a critical part of our work with Cronofy. Thanks to their Enterprise Connect feature we were also able to onboard all of our inside sales teams in one go.
Inside Sales Team Manager - Iron Mountain