GDPR Compliance

General Data Protection Regulation (GDPR) is the European law that regulates processing of personal data about natural persons that reside or are temporarily based in the European Union (EU) or the European Economic Area (EEA). GDPR is valid for all controllers, including international companies, that are processing information about EU data subjects.

This section outlines and highlights how our SaaS applications comply with GDPR.

Technology is growing exponentially fast and changes our lives day by day. The General Data Protection Regulation (GDPR) was established by the European lawmaker to regulate the processing of personal data in the age of internet and digitalization. The European Union felt it’s time to create a set of rules on how personal data and information should be used, processed and stored, having in mind solely the protection of the individuals such data relates to.

The focal point for the safety and security of personal data is due to its sensitive nature and potential misuse. This mainly refers to those, who deal with important data, such as lawyers that process confidential information about their clients or doctors with patient records. In the eyes of the law, the natural person behind personal data is the data owner and has the right that the holder of its data protects it.

  • Privacy by Design
  • Privacy by Default
  • Transparency
  • Security of Processing
  • Rights of the Data Subject
  • Processor Contract
  • Lawfulness of Processing
  • Data Protection Officer (DPO) and Art. 27(1) GDPR Representative

Privacy by Design

Privacy by Design requires that the highest degree of data protection is ensured, that personal data is protected by the application itself, by implementing automatic means and best practice. We document the purposes for which personal data is processed  and communicate them publicly on our website so that data subjects can access the information before processing.

Within our SaaS applications, personal information is processed fairly, lawfully and limited to the published specified purposes. We implement only fields to collect personal information that is necessary.

Usage and disclosure of personal data is limited by the rights management system. We implement statutory and contractual retention periods into our applications to make sure personal data is retained only to fulfill its intended purpose, except where otherwise required by law.

All registration and consent forms require the data subjects to consent to processing and inform them about the data subjects’ rights, link to the privacy policy and the transparency document.

  • Privacy by Design

    Privacy by Design requires that the highest degree of data protection is ensured, that personal data is protected by the application itself, by implementing automatic means and best practice. We document the purposes for which personal data is processed  and communicate them publicly on our website so that data subjects can access the information before processing. Within our SaaS applications, personal information is processed fairly, lawfully and limited to the published specified purposes. We implement only fields to collect personal information that is necessary. Usage and disclosure of personal data is limited by the rights management system. We implement statutory and contractual retention periods into our applications to make sure personal data is retained only to fulfill its intended purpose, except where otherwise required by law. All registration and consent forms require the data subjects to consent to processing and inform them about the data subjects’ rights, link to the privacy policy and the transparency document.

  • Privacy by Default

    Willing & Able enforces system default rules that are GDPR compliant. Based on the location of data subjects, our subscribers may choose to change such default rules, such as the activation or deactivation of functionalities. We employ members of the legal profession to make sure, that the rights and freedoms of individuals are protected and that measures to achieve this goal are built into all our SaaS applications, by default. We discuss all measures and the complete systems before their publication with our Data Protection Officer, lawyers and legal counsels.

  • Transparency

    According to Art. 5(1)(a) GDPR controllers and processor shall process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means that all information stated in Art. 13 and 14 GDPR need to be provided to the data subject. Transparency information can be provided electronically, for instance, by means of a publicly available website (cf. Recital 58 Sentence 2 GDPR). Willing & Able published all obligatory information in its Transparency Document in multiple languages. Data Subjects using our systems are always fully informed.

  • Security of Processing

    According to Art. 32 GDPR controllers and processor shall consider the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons when implementing appropriate technical and organizational measures to ensure an appropriate level of security. Within our applications data is stored securely, user information and passwords are encrypted and cannot be corrupted or tampered with. We published our technical and organizational measures on our Website so that you may, at any time, assess and evaluate their effectiveness.

  • Rights of the Data Subject

    GDPR grants data subjects certain rights (Art. 15-22 GDPR). In all our applications, every individual has a great deal of control over their personal data. Individuals are encouraged to exercise their rights, for example, ask for access, rectification or erasure. They can also adjust or delete their data permanently, if this does not infringe upon the rights and freedoms of others.

  • Processor Contract

    Controllers that are using third parties to process personal data on their behalf shall conclude a processor contract with the third party. Such a contract needs to fulfill the requirement of Art. 28(3) GDPR. Willing & Able implemented these legal requirements completely within the ‘SaaS Subscription and Data Processing Agreement’ that you conclude with us when subscribing to one of our products. Therefore, you fulfill your legal obligation automatically by  accepting this agreement.

  • Lawfulness of Processing

    Processing of personal data is lawful only if and to the extent that a ground mentioned in Art. 6 GDPR applies. The lawfulness of processing and the purpose of processing  personal data is documented in our processing activity records. Some processing activities are based on the consent given by the data subject (Art. 6(1)(a) GDPR), others are based on other grounds, e.g. a legitimate interest of the controller or a third party (Art. 6(1)(f) GDPR). In case of legitimate interest, we conduct the obligatory Legitimate Interest Assessments.

  • Data Protection Officer (DPO) and Art. 27(1) GDPR Representative

    Companies that process personal data are obliged to designate a Data Protection Officer if their core activities are carried out by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37(1)(b) GDPR). Some of our SaaS applications may fall into this definition. Therefore, we designated an experienced Data Protection Officer that serves, as well as our Art. 27 Representative. The contact details of our Data Protection Officer / Representative in the European Union are: [email protected]

We Document Accordingly. All GDPR Documentation Requirements are Fulfilled.

  • Records of Processing Activities
  • Category Records
  • Data Protection Impact Assessments (DPIA)
  • Legitimate Interests Assessments (LIA)

Records of Processing Activities

Willing & Able documents the processing activities that are conducted within our SaaS applications in accordance with Art. 30(1) GDPR.

To make your documentation life easier, you can create personalized processing activity records for all Willing & Able products with  AbleToRecords.

  • Records of Processing Activities

    Willing & Able documents the processing activities that are conducted within our SaaS applications in accordance with Art. 30(1) GDPR. To make your documentation life easier, you can create personalized processing activity records for all Willing & Able products with  AbleToRecords.

  • Category Records

    We automatically conclude the mandatory processor contract with you (see ‘SaaS Subscription and Data Processing Agreement’). As a result, we are obliged to keep a category record for every system you subscribe to. This obligation results from Art. 30(2) GDPR and is fulfilled by our systems automatically.

  • Data Protection Impact Assessments (DPIA)

    We build and use new technologies and therefore are under the legal obligation to carry out a Data Protection Impact Assessment for every solution. The DPIA’s for all Willing & Able applications can be reviewed in the free trial of AbleToRecords.

  • Legitimate Interests Assessments (LIA)

    Some of the processing activities in our product are based on legitimate interests. Therefore, we and you are obliged to carry out Legitimate Interests Assessments for such processing activities. Feel free to use AbleToRecords to re-use our pre-drafted LIAs.

For our internal GDPR documentation we use our own SaaS solution: AbleToRecords.

It is not worth mentioning, but we know how a compliant GDPR documentation looks like. If you want to simplify your GDPR documentation, just subscribe to AbleToRecords.

download