This article is intended primarily to help our European Union (EU) customers assess their compliance with EU data protection requirements. In addition to this article, we’ve prepared a GDPR FAQ to help you complete a risk analysis for yourself or your organization.
All Capsule data is stored with Amazon Web Services (AWS) in the United States. Any data stored outside of the EU has to be in a safe country or with a company that complies with the safeguards required by the GDPR legislation. You can read more about that here.
We have agreed a Data Processing Addendum with AWS that commits them to the Standard Contractual Clauses, defined by the European Commission. This ensures safe transfer of data to AWS in accordance with EU data protection laws. (Further information on Standard Contractual Clauses can be found in the UK Information Commissioner’s Office (ICO) guide.)
Capsule has a legal obligations to protect your customer’s Personally Identifiable Information. Please read through the Data Processing Agreement to understand our commitments and approach to protecting the data you store on your account.
Capsule has a number of sub-processors, for example, AWS. All of these sub-processors have agreements in place to ensure your customer data is protected as if we were taking care of it directly in the EU. A list of our sub-processors is maintained here.
Data that is transferred between you and Capsule is encrypted in transit using transport layer security (TLS). We work hard to support the highest possible cryptographic standards for encryption of data in transit and we disable support for any older standards that are no longer considered strong. All customer data is encrypted at rest.
The Data Commission Offices in the EU don’t require or offer a certificate we could apply for. Their requirements are that we meet the legislation, of which we are already compliant.
This article is particularly helpful in explaining. There are no bodies that have been empowered by the EU Commission Offices to audit and certify GDPR compliance. All that said, we can assure you Capsule offers the security required for you to be compliant, e.g. encryption and legal agreements, and Capsule has the functionality for ensuring you can act responsibly with your customer’s data.
We have been asked about ISO and SOC certification. These are not directly linked to or related to the GDPR. These are certifications that confirm security levels, ISO primarily in the EU and SOC primarily in the US. We have achieved our SOC 2 Type II accreditation which you can read about further in this article.
The requirements of EU Data Protection has been standardised under the General Data Protection Regulations (GDPR). It applies to anyone storing Personal Data about any EU resident.
The responsibility for complying with the Regulations rests with the data controller. As you are the data controller in respect of personal data you store on Capsule, it is your responsibility to ensure compliance with this law.
In order to make an assessment of whether Capsule allows you to meet the requirements, we recommend that you carry out a simple risk analysis. Answers to these common GDPR questions will help you complete a risk analysis for yourself or your organization. We do so with the firm belief that Capsule is well placed to protect the personal data that you entrust to us.
The GDPR requires all EU customer data to have a lawful basis for processing. Consent is one of the ways to ensure lawful processing. Others include your right to process a customer’s data because of legitimate interest. The UK Information Commissioner’s Office (ICO) has published draft guidance notes on the lawful basis for processing that will be helpful in learning more about what it entails and whether you need to seek pro-active consent. Click here for that guidance.
If you do need to record a customer’s pro-active consent, you can use Capsule’s custom fields feature, and add a checkbox field to record that consent has been given. This can be teamed with a date field to record when consent was given.
Another possible way of highlighting customers who have consented to you processing their data is by using a DataTag. DataTags allow you to capture additional information with a tag. For example, you might like to create a ‘Consent’ tag and record the date consent was given alongside the tag.
Right to be forgotten
Under the GDPR there is an emphasis on the right to be forgotten, enabling an individual to request that their data be deleted. If one of your customers asks you to delete their information you can use the Capsule ‘Trash Can’ function to do this.
A deleted contact remains in the trash can for 30 days after which the data is permanently removed from our live database. There is also an option that allows Super Administrators to purge individual contact records from the account immediately, overriding the 30 days in the trash can. For more information see this article.
Capsule does retain backups. As explained in our Customer Terms, we ensure any residual data is cleared within 50 days of the data being removed from the live systems. You can read about the current deletion and retention policy that is in place here. And also here.
Subject Access Request (SAR)
Subject Access Requests are something that have been a requirement under previous legislation but have become more prominent with the introduction of the GDPR. With this, an individual may request access to all of the data you have stored about them in Capsule.
When requested you can use the ‘Print Summary’ feature to prepare a sheet of the customer details, complete with all history and notes.
To do that:
Open up the contact who has requested their data
Next to the contact name, use the downward arrow to open up an actions menu
Select ‘Print Summary’
You can now use the print function in your browser to print the information, or generate a PDF for example