GDPR Compliance

The General Data Protection Regulation (GDPR) is the European law that regulates the processing of personal data of natural persons who are in the European Union (EU) or the European Economic Area (EEA), whether they reside there or are only temporarily present. GDPR applies to all controllers and processors, including companies established outside the EU, that process personal data of data subjects in the EU (Art. 3 GDPR).

This section outlines and highlights how our SaaS applications comply with GDPR.

Technology develops rapidly and changes our lives day by day. The European legislator created the GDPR to regulate the processing of personal data in the age of the internet and digitalisation: a single set of rules on how personal data may be used, processed and stored, written with the protection of the individuals the data relates to as its guiding aim.

Personal data needs particular safety and security because of its sensitive nature and its potential for misuse. This applies above all to those who handle especially sensitive data, such as lawyers processing confidential information about their clients or doctors keeping patient records. In the eyes of the law, the natural person the data relates to is the data subject and is entitled to have whoever holds that data protect it.

  • Privacy by Design
  • Privacy by Default
  • Transparency
  • Security of Processing
  • Rights of the Data Subject
  • Processor Contract
  • Lawfulness of Processing
  • Data Protection Officer (DPO) and Art. 27(1) GDPR Representative

  • Privacy by Design

    Privacy by Design (Art. 25(1) GDPR) requires that the highest degree of data protection is ensured and that personal data is protected by the application itself, through automated means and established best practice. We document the purposes for which personal data is processed and publish them on our website, so that data subjects can read this information before any processing starts.

    Within our SaaS applications, personal data is processed fairly and lawfully and only for the published, specified purposes. We implement only those input fields that are necessary to collect the personal data required for these purposes.

    Use and disclosure of personal data is limited by the rights management system. We implement statutory and contractual retention periods in our applications so that personal data is kept only as long as needed to fulfil its intended purpose, unless longer retention is required by law.

    All registration and consent forms require the data subjects' consent to the processing, inform them about their rights, and link to the privacy policy and the transparency document.

  • Privacy by Default

    Privacy by Default (Art. 25(2) GDPR) means that, without any action by the user, only the personal data necessary for each specific purpose is processed. Willing & Able enforces system default rules that are GDPR compliant. Depending on the location of their data subjects, our subscribers may change such default rules, for example by activating or deactivating functionalities. We employ members of the legal profession to make sure that the rights and freedoms of individuals are protected and that the measures to achieve this are built into all our SaaS applications by default. We discuss all measures and the complete systems with our Data Protection Officer, lawyers and legal counsel before publication.

  • Transparency

    According to Art. 5(1)(a) GDPR, personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means that all information listed in Art. 13 and 14 GDPR must be provided to the data subject. Transparency information may be provided electronically, for instance on a publicly available website (cf. Recital 58 Sentence 2 GDPR). Willing & Able has published all mandatory information in its Transparency Document in multiple languages, so that data subjects using our systems are fully informed.

  • Security of Processing

    According to Art. 32 GDPR, controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Art. 32(1) names, among the measures to consider, pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing of the effectiveness of the measures. Within our applications, data is stored securely, and user information and passwords are stored in encrypted form and protected against unauthorised access and tampering. We have published our technical and organisational measures on our website so that you can assess and evaluate their effectiveness at any time.

  • Rights of the Data Subject

    GDPR grants data subjects a set of rights (Art. 15-22 GDPR), among them access, rectification, erasure, restriction of processing, data portability and the right to object. In all our applications, individuals have extensive control over their personal data and are encouraged to exercise these rights, for example by requesting access, rectification or erasure. They can also correct or permanently delete their data themselves, as long as this does not infringe upon the rights and freedoms of others.

  • Processor Contract

    Controllers that use third parties to process personal data on their behalf must conclude a data processing agreement with that third party, and the agreement must meet the requirements of Art. 28(3) GDPR. Willing & Able has implemented these legal requirements in full in the ‘SaaS Subscription and Data Processing Agreement’ that you conclude with us when subscribing to one of our products. By accepting this agreement you therefore fulfil this legal obligation automatically.

  • Lawfulness of Processing

    Processing of personal data is lawful only if and to the extent that one of the legal grounds in Art. 6 GDPR applies. The legal ground and the purpose of each processing of personal data are documented in our records of processing activities. Some processing activities are based on the data subject's consent (Art. 6(1)(a) GDPR); others rest on other grounds, e.g. a legitimate interest of the controller or of a third party (Art. 6(1)(f) GDPR). Where we rely on legitimate interest, we carry out the required Legitimate Interests Assessment (balancing test).

  • Data Protection Officer (DPO) and Art. 27(1) GDPR Representative

    Companies that process personal data must designate a Data Protection Officer if their core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37(1)(b) GDPR). Some of our SaaS applications may fall under this definition. We have therefore designated an experienced Data Protection Officer, who also serves as our representative in the European Union under Art. 27 GDPR. The contact details of our Data Protection Officer / Representative in the European Union are: dpo@willing-able.com

We Document Accordingly. All GDPR Documentation Requirements are Fulfilled.

  • Records of Processing Activities
  • Category Records
  • Data Protection Impact Assessments (DPIA)
  • Legitimate Interests Assessments (LIA)

  • Records of Processing Activities

    Willing & Able documents the processing activities conducted within our SaaS applications in accordance with Art. 30(1) GDPR. To make your documentation easier, you can create personalised processing activity records for all Willing & Able products with AbleToRecords.

  • Category Records

    We automatically conclude the mandatory data processing agreement with you (see ‘SaaS Subscription and Data Processing Agreement’). As a processor, we are therefore obliged under Art. 30(2) GDPR to keep a record of the categories of processing activities we carry out on your behalf, for every system you subscribe to. Our systems fulfil this obligation automatically.

  • Data Protection Impact Assessments (DPIA)

    A Data Protection Impact Assessment is required where processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons (Art. 35(1) GDPR). Because we build and use new technologies, we carry out a DPIA for every solution. The DPIAs for all Willing & Able applications can be reviewed in the free trial of AbleToRecords.

  • Legitimate Interests Assessments (LIA)

    Some of the processing activities in our products are based on legitimate interests. For such activities, both we and you are obliged to carry out a Legitimate Interests Assessment. Feel free to use AbleToRecords to re-use our pre-drafted LIAs.

For our internal GDPR documentation we use our own SaaS solution: AbleToRecords.

It goes without saying that we know what compliant GDPR documentation looks like. If you want to simplify your GDPR documentation, just subscribe to AbleToRecords.