(including pursuant to GDPR requirements)
- Why are we writing this right now?
- GDPR preparation: we are aware of its territorial scope
- Our commitments as a controller
- Our commitments: we respect the individuals’ rights
- Our commitments: security measures
- Our commitments as a processor
- Our commitments: breach notification
- GDPR: staying tuned
Why are we writing this right now?
From 25 May 2018 on the protection of personal data will be regulated in a different way it used to across and even outside Europe. 25 May 2018 is the effective date for the EU General Data Protection Regulation (GDPR). As the most significant data privacy change in decades, the GDPR will strengthen the rights of the data subjects, regardless of where one’s data are processed.
In contrast to thousands of EU statutes and other documents, the GDPR is the only one that most organizations outside the EU knows. We are not an exception. Therefore, we want to ensure you that Crowdin Inc., its agents and contractors are committed to GDPR compliance and enforcement. Below, we want to share with you our understanding of our future cooperation. That is the mutually beneficial data protection cooperation built on trust and respect.
GDPR preparation: we are aware of its territorial scope
The GDPR has a unique feature that is its exterritorial application. If earlier EU data protection enforced through Directive 95/46/EC and the internal member states legislation was limited to the organizations residing within EU, now the GDPR will affect any other company in the world that processes personal data of EU data subjects under certain conditions. These conditions are either offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU.
Crowdin Inc. is incorporated in USA. Even in case the GDPR has no direct affect on Crowdin (because we believe that our platform website and way of presenting does not particularly target EU individuals in order to make them our clients and monitor them on a large scale) we understand that in modern world the compliance with the world trends of the personal data protection is a must. Our devotedness to your privacy makes us believe that we have nothing to be afraid of in face of the GDPR. But let put the general phrases and nice words aside. We do not want our words to be just mere assertions and prepared this agenda for Crowdin’s GDPR compliance.
Our commitments as a controller
Our commitments: we respect the individuals’ rights
The list of data subject’s rights remains almost the same, as it used to be, namely:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- the right not to be subject to automated decision-making including profiling.
Our commitments: security measures
Under the GDPR, all data controllers and data processors have to implement the principle called “Privacy by Design”. Accordingly, we include data protection from the onset of the designing of systems. In other words, we take technical and organizational measures to meet the GDPR. Besides others, we enforce the following:
Crowdin signs NDA with every employee and contractor.
Physical access control
Crowdin ensures that no unauthorized access to the facilities where data will be processed is possible. Crowdin uses facility security services and/or entrance control staff, alarm systems and video control systems in order to prevent any strangers not only from accessing personal data but also from lifting snacks from our kitchen.
Electronic access control
Crowdin takes measures in order that no unauthorized use of the data processing and data storage systems is possible: the use of secure passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media is a must.
Internal access control (permissions for user rights of access to and amendment of data)
Crowdin takes measures in order that that no unauthorized reading, copying, changes or deletions of data within the system, e.g. rights authorisation concept, need-based rights of access;
Crowdin arranges and provides training for its personnel and contractors regarding confidentiality, integrity and availability and resilience of processing systems and services within the GDPR compliance;
Crowdin ensures the isolated processing of data, which is collected for differing purposes.
Data transfer control
Crowdin takes measures in order that no unauthorized reading, copying, changes or deletions of data with electronic transfer or transport, transfer within the secured internet channels;
Data entry control
Crowdin ensures verification, whether and by whom personal data is entered into a data processing system, is changed or deleted, e.g.: Logging control
Availability and resilience measures
Crowdin takes measures in order to prevent of accidental or willful destruction or loss of personal data. In order to do that Crowdin implements the backup strategy, Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning.
Procedures for regular testing, assessment and evaluation
Crowdin provides regular checks in order to identify of the personal data flows on the platform the data importer provides in respect of what and how information is stored, accessed, used and processed in any other manner.
Crowdin conducts periodical compliance checks with the requirements of this DPA as well as the requirements of the current data protection legislation.
Crowdin provides regular identification and record of the data processing risks in relation to the data importer’s contractual and legislative obligations; Crowdin takes measures to mitigate the risk after its identification.
Crowdin takes measures in order that no third-party processes data as per Article 28 GDPR without corresponding instructions from the data controller, e.g.: clear and unambiguous contractual arrangements, duty of pre-evaluation, supervisory follow-up checks.
For more information on the security measures please check Crowdin Security.
Our commitments as a processor
We provide our services not only to the individual clients but also to the companies that have a need in translation and localization of their software. In such cases Crowdin processes the personal data provided to the platform based on the services agreement between Crowdin and its corporate clients as well as based on the instructions of such clients on the data processing.
Taking into account the fact that Crowdin Inc. is incorporated in the USA and the USA is not on the list of the countries that provide the adequate level of protection of personal data, special legal basis or “safeguard mechanism” as the GDPR calls it for the transfer of personal data from the EU to the US based processor has to be applied. The most common safeguard mechanism for such cases is the execution of Standard Contractual Clauses (or model clauses) between the EU based controller of personal data (client) and the US processor (Crowdin).
It is a common practice throughout the world to use the Standard Clauses that were adopted by the European Commission before the GDPR was passed as there are no newer Standard Clauses adopted yet. These Standard Clauses are traditionally supplemented by the additional requirements set by GDPR. Altogether such documents form the Data Processing Agreements that guarantee the data is being processed by Crowdin upon the instructions of its clients and within the requirements of GDPR.
We prepared such Data Processing Agreement for the convenience of our clients.
Our commitments: breach notification
Under the GDPR, we will have to provide the breach notification in all EU member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.
GDPR: staying tuned
We keep monitoring the official updates from the EU side regarding the implementation of the GDPR, including but not limited to:
- the adoption of the Standard (model) clauses pursuant to GDPR referred to above;
- the adoption of new guidelines and clarifications particularly by Article 29 Data Protection Working Party concerning for example requirements concerning the appointment of Data Protection Officers, the definition of the large scale monitoring of data subjects, on consent, technical and organizational measures for the processing of data, consent and any other issues introduces by the GDPR that are rather vague to determine from its text.
Join us in monitoring any amendments and comments from the EU data protection authorities concerning the GDPR compliance. Please drop us a line if you have something to add, give an advice or recommendation or correct us. The more we understand, the more beneficial our endeavors to protect personal data properly will be.
Yours, Crowdin Team