Introduction
The information contained in this article and document is provided for informational purposes only and should not be construed as legal advice on any subject matter. The contents of this document are provided as is without any warranties of any kind, either express or implied. We make no representations or warranties, express or implied, regarding the accuracy, completeness, reliability, or suitability of the information contained herein. While we have made every attempt to ensure that the information contained is accurate and up-to-date, we are not responsible for any errors or omissions, or for the results obtained from the use of this information. This article and document are not intended to be a substitute for professional legal advice. We shall not be liable for any loss or damage of any kind, including but not limited to, direct, indirect, special, incidental, or consequential damages, arising out of or in connection with the use of or reliance on any information contained herein.
This article is intended to provide information to SpotMe customers about the personal data processing regulations which might be applicable to them in the course of using SpotMe's services and to outline the basic legal requirements SpotMe customers need to comply with.
In the course of performing services to its customers, SpotMe accesses, stores and transmits the information provided by its customers and the users of the app. Some of this information constitutes personal data, thus its processing is governed by various data privacy regulations.
Different jurisdictions have adopted separate acts, and the applicability of these legal acts depends on several factors, such as the customer's country of establishment, the users' country of origin, and the place where the processing of personal data takes place.
Since both the customer and SpotMe participate in this processing, it is important that all parties are well informed about the privacy requirements which need to be observed and about the responsibilities of each party with regard to the processing of personal data.
List of applicable legal requirements and jurisdictions with regards to data privacy
Below and in the attached spreadsheet we have identified the main laws that are applicable to data privacy, per jurisdiction. For each of these laws we answer the most important frequently asked questions.
Across these laws there is a consensus that:
- Personal data is defined as “any information relating to an identified or identifiable living individual”.
- Anonymized data and de-identified data are not considered personal data, while pseudonymous data can be considered personal data.
- Personal data can only be retained for the shortest time possible, for no longer than is necessary for the purposes for which the personal data is processed.
Full list of legal requirements and jurisdictions
- GDPR: General Data Protection Regulation.
- UK DPA / UK GDPR: The Data Protection Act 2018.
- CH nFADP: New Federal Act on Data Protection.
- SG PDPA: Personal Data Protection Act.
- CCPA: California Consumer Privacy Act of 2018, and CPRA: California Privacy Rights Act.
- VCDPA: Virginia Consumer Data Protection Act.
- CPA: Colorado Privacy Act.
- UCPA: Utah Consumer Privacy Act.
- CTDPA: The Connecticut Data Privacy Act.
- MHMDA: My Health My Data Act.
- Law 25 / Bill 64: Act to modernise legislative provisions as regards the protection of personal information; Quebec Private Sector Act: Act Respecting the Protection of Personal Information in the Private Sector; and PIPEDA: Personal Information Protection and Electronic Documents Act.
- AU PA/APPs: The Privacy Act 1988 and the Australian Privacy Principles ('APPs').
- PIPL: Personal Information Protection Law of the People's Republic of China.
→ Download the SpotMe privacy compliance and legal frameworks spreadsheet
Overview of SpotMe and customer compliance with data privacy legal requirements
Below you will find information on how SpotMe complies with all the laws described above, and recommendations for how SpotMe customers can also comply.
| Question | SpotMe compliance | Customer compliance |
|---|---|---|
| What is the legal basis for data processing? | The SpotMe platform is designed to comply with the legal grounds defined by its customers. It includes mechanisms to publish customer-specific privacy policies and terms, or to obtain user consent as required by applicable laws. | Customers shall ensure that personal data is processed on a valid legal ground. In some jurisdictions processing cannot take place without the user's consent. |
| What are the rights of protected persons? | The SpotMe platform has the relevant features to ensure that data subject rights are observed, including adding a privacy policy (SpotMe or customer template), providing sufficient information to users, and enabling users to exercise their rights (to request data deletion, data access, or opt-out). See Data privacy rights for app users and App privacy policy. | Customers shall ensure that the users' data privacy rights are explained to the users of the app and observed by those who will process the data. |
| What to include in the privacy notice? | SpotMe provides customers with a sufficient template privacy policy which can be used for their workspaces. Customers can also add their own privacy policy to the workspace. See App privacy policy and Managing legal documents. | Customers ensure that sufficient information (as required by the applicable law) regarding the processing of personal data is provided to users of the SpotMe platform on or before collecting the data. |
| How is data protected? | Compliance with SOC 2 Type II and ISO 27001:2022 controls. See the SpotMe information security page. | Customers need to take appropriate measures. |
| How to respond to a privacy right request from a protected person? | SpotMe acknowledges receipt of, and (unless otherwise explicitly required by the customer) processes, any data subject requests addressed to privacy@spotme.com no later than 7 days following receipt of the request. SpotMe also provides a self-service mechanism through which customers can request deletion or download of their data directly in the app. | Customers shall ensure that data subjects' requests are duly addressed within the specified legal term. |
| How do data residency and international data transfers work? | SpotMe allows customers to choose the location of the server where the personal data will be hosted. See Data residency at SpotMe. If personal data is shared with an organization located in a country that is not subject to an adequacy decision, all such transfers are covered by SCCs. In addition, SpotMe's US subsidiary, SpotMe Inc., complies with the Data Privacy Framework. | Customers shall ensure that the personal data collected through the SpotMe platform is stored, and transferred to third parties outside the relevant jurisdiction, in accordance with the applicable legal regulations. |