GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It enforces laws based on a set of principles that businesses which handle personal data of EU citizens should follow.

These fundamental principles state that personal data should be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• accurate and, where necessary, kept up to date
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

How is Groove preparing for GDPR?

Groove takes data privacy and security of our customers very seriously. We're commited to ensuring highest standards of data security - our compliance, data protection, and information security team is working to ensure all our services are ready for GDPR. We are reviewing our data processing activities, and assessing and prioritizing any changes that need to be made in advance of the GDPR. We intend to be GDPR compliant by the GDPR effective date, which is May 25th, 2018.

Groove operates both as a controller and a processor, which means we are and will be implementing changes in both of these areas. Below you will find an outline of topics we are currently working on.

Breach Notification

We have security incident management policies and procedures in place which we are expanding to ensure they meet GDPR standards in terms of notification of appropriate regulatory institutions.

Right to be Forgotten

In line with GDPR's enforcement of the Right to being Forgotten, we're introducing internal procedures which will streamline this process. We will be also expanding our product features to automate these procedures.

Data Portability

We are investigating the scope of changes required to fulfill this requirement. Our customers enjoy full data portability using our API, which allows them to easily access their data in a portable way as well import data from other systems.

Consent

We will be introducing changes to the signup process and the Privacy Policy in order to align ourselves with GDPR's principle of fairness and transparency.

Security

We are reviewing our existing security procedures to see if they need to be amended to fulfill GDPR requirements. We are commited to ensuring the best security for our customers, which means choosing the best hosting providers and data storage solutions, including those having ISO 27001 and PCI Level 1 certifications. We ensure encryption of communication not only between you and our servers but also internally between parts of our application.

Cross-Border Data Transfer

We are looking into expanding our Privacy Policy with a Data Privacy Agreement for our EU customers which would include EU Model Clauses. We are working towards a certification under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.