TextUs’s Commitment to the General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
TextUs complies with applicable GDPR regulations as a data processor. Working in conjunction with our customers, we will support them to meet their GDPR obligations.
Where Do We Stand?
We are committed to fulfilling EU data protection requirements applicable to us as a data processor. These efforts have been critical in our ongoing preparations for the GDPR:
Data Processing: Our ability to fulfill our commitments as a data processor to our customers, the data controllers, is a part of our compliance with GDPR where data controllers are using a third party like us to process personal data. Because of this requirement, TextUs has worked extensively with local EU counsel to provide that our Master Subscription Agreement and related agreements contain appropriate provisions for personal data we store, and balance the risks and responsibilities between data controllers and data processors.
Customer Audits: TextUs will make available to our customers all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 (Processors) and allow for and contribute to audits, including inspections, conducted by our customer or another auditor mandated by our customer pursuant to the law.
TextUs actively evaluates whether we have the appropriate controls and processes in place and whether they are functioning appropriately in accordance with related standards. Our procedures span the organization, teams and functions that provide service or support to the clients on our platform. The key components of our control environment include:
- Corporate Governance: how we provide oversight of our business and people
- Change Management: how we make sure changes are tracked and properly reviewed
- Access Control and Management: who has access to our platform operations and how this access is managed
- Data Redundancy and Backup: how data is kept safe and stored in the event of adversity
- Software Architecture and Development: oversight of the development effort around our platform
International data transfers: TextUs, Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. TextUs, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield programs, and to view our certification, please visit https://www.privacyshield.gov/. TextUs, Inc. is committed to subjecting all personal data it receives from data exporters in any European Union (EU), Switzerland or European Economic Area (EEA) member state, under the Privacy Shield Framework, to its applicable Privacy Shield Principles. To learn more about the Privacy Shield Framework and the Privacy Shield Principles, please visit the U.S. Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov.
Data portability: The GDPR includes certain requirements on data controllers for the portability of personal data. The data our customers store in TextUs is theirs. We provide for portability and are continually working to enhance the robustness of our data export capabilities.
Where Do You Stand?
As a current or future client of TextUs, now is a great time for you to begin preparing for the GDPR as a data controller. Consider these tips:
Get to know GDPR: Familiarise yourself with the provisions of this regulation, particularly how it may differ from your current data protection obligations, and consider the relationships you have with both your clients and candidates. Also, note the variance of local provisions which may be superseded by these regulations. Be aware that meeting the stringent requirements ahead may require new solutions.
Audit your data and processes for data capture: Consider creating an updated and precise inventory of personal information that you control. Review your current controls and processes to ensure that they're adequate, and build a plan to address any gaps. Here are some steps you can take today:
- Review your field maps
- Review your process documentation
- Ensure you have a lawful basis for processing the data
Depending on your usage of TextUs, you may find that you have some data maintenance to conduct to be compliant with GDPR.
Stay informed: Stay abreast of updated regulatory guidance as it becomes available and consider consulting a legal expert to obtain guidance applicable to you.
At TextUs, we strive to deliver an incredible customer experience, earning the trust of hundreds of thousands of users globally. We will continue to make additional required operational changes resulting from the new legislation, and will keep our clients, partners and regulatory authorities informed throughout this process.
Copyright TextUs, Inc. 2020. This document is effective April 2020 and is for informational purposes only and not to be relied on for any reason. It is subject to change or removal without notice.