What is the GDPR?
The General Data Protection Regulation (GDPR) is the EU privacy regulation (Regulation (EU) 2016/679) that became applicable on 25 May 2018, replacing the EU Data Protection Directive (Directive 95/46/EC). The GDPR regulates the collection, use, transfer, and sharing of personal data, with the key purpose of protecting the individuals that data relates to.
What constitutes personal data?
Personal data includes any information or data relating to an identified or identifiable natural person, a “Data Subject,” who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Who does the GDPR affect?
The GDPR affects companies processing the personal data of individuals in the European Union, regardless of where the company is located. It applies not only to organizations established within the EU, but also to organizations established outside the EU that offer goods or services to individuals in the EU or monitor their behaviour.
How does the GDPR affect businesses?
The GDPR requires organizations to be transparent about how personal data is collected, used, and stored: what personal data is collected, the purposes for which it is collected, and who it is shared with. It also requires organizations to enable the individuals whose personal data they process to exercise their rights over that data, and to put appropriate safeguards in place when EU personal data is transferred outside the EU (including transfers to the US).
What Data Subject rights does GDPR regulate?
A Data Subject has the following rights under GDPR:
- Access: They have the right to obtain confirmation from the organization that has collected their data as to whether their personal data is being processed, where, and for what purpose. They can request further information about the personal data the organization holds about them, and can request a copy of that data.
- Rectification: If they believe that any personal data an organization is holding about them is incorrect or incomplete, they can request that the organization correct or supplement the data.
- Objection: They can let the organization know that they object to the collection or use of their personal data for certain purposes.
- Erasure: They can request that the organization erase some or all of their personal data from the organization’s systems.
- Restriction of Processing: They can ask the organization to restrict further processing of their personal data.
- Portability: They can ask for a copy of their personal data in a machine-readable format. They can also request that the organization transmit the data to someone else where it’s technically possible.
- Withdrawal of Consent: If they have consented to an organization’s use of their personal data for a specific purpose, they have the right to change their mind at any time. Withdrawing consent does not affect processing that has already occurred, nor processing of their personal data conducted in reliance on lawful processing grounds other than consent.
- Right to File a Complaint: They have the right to lodge a complaint about an organization’s practices with respect to their personal data with the supervisory authority of an EU Member State.
You can find further information on your rights and the relevant requirements on the EU Commission’s website at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens.
Why is it so important for businesses to be compliant?
The GDPR requires businesses to protect the personal data and privacy of individuals in the EU, including for transactions that occur within EU member states. Non-compliance can cost a company up to €20 million or 4% of its global annual turnover for the preceding financial year, whichever is greater.
RingCentral and the GDPR
How does RingCentral ensure data security?
RingCentral currently undergoes SOC 2 audits and holds HITRUST certification, which cover the controls that safeguard the confidentiality, integrity, availability, and resilience of personal data. These independent audits and certifications provide third-party assurance that those controls are in place and operating.
Does RingCentral offer a Data Processing Addendum?
Yes. RingCentral offers customers a Data Processing Addendum (“DPA”) governing the data-processing relationship between the customer and RingCentral. Our DPA contains strong privacy commitments and sets out how RingCentral complies with the GDPR.
Where can I learn more on how RingCentral processes personal data for customers and/or prospects?
RingCentral maintains a Privacy Notice on our website that outlines how we collect and use personal data, and how we share the personal data of customers, end users, and leads.
Recent Court of Justice of the EU’s Ruling in Case C-311/18 and how RingCentral is handling International Transfers of EU Personal Data
RingCentral recognizes the importance of protecting personal data. The information below explains what the recent Court of Justice of the European Union (“CJEU”) decision means, what to expect from RingCentral, and how RingCentral ensures that international transfers of personal data are adequately protected in accordance with EU data protection law. RingCentral has been, and will continue to be, committed to complying with applicable data protection law.
What is the EU-US Privacy Shield Framework?
The EU-US Privacy Shield Framework was developed and agreed to by the European Commission and the US Department of Commerce in 2016. It provided US organizations certified under the program with an approved mechanism to transfer personal data from the EU under the GDPR. More information about the program may be found at the U.S. Department of Commerce’s website at: https://www.privacyshield.gov/welcome.
What happened to the EU-US Privacy Shield Framework?
On July 16, 2020, in Case C-311/18 (commonly known as Schrems II), the CJEU confirmed the validity of the European Standard Contractual Clauses (SCCs, also known as Model Clauses) as a legal mechanism for the transfer of EU personal data, but invalidated the EU-US Privacy Shield Framework.
The SCCs are standard sets of contractual terms that the data exporter and the data importer both sign. They impose contractual obligations intended to protect personal data leaving the European Economic Area (EEA) and the UK in compliance with EU data protection law.
In its decision, the CJEU held that organizations relying on the SCCs must carry out due diligence to ensure that all parties can meet their respective obligations under EU data protection law, including assessing whether the recipient country’s laws afford a level of protection for the fundamental rights to privacy and data protection essentially equivalent to that guaranteed within the EU.
What does this mean for my company using RingCentral products and services?
In light of the CJEU’s judgment in Case C-311/18, RingCentral no longer relies on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of personal data.
For all transfers of personal data from the EU, the UK, and Switzerland, RingCentral has put in place (i) appropriate safeguards, including adherence to the SCCs for transfers of personal data outside the EU to RingCentral, its Affiliates, and any Sub-processors, and (ii) further contractual and organizational measures, including encryption of Customer and End User Personal Data at rest within RingCentral’s data centers, to ensure that personal data remains protected in accordance with our Privacy Notice and applicable law.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.