Company

AppDirect GDPR Compliance FAQs

Last Edited: May 2018

IMPORTANT NOTICE: This document is for general information purposes only and is not intended to convey or constitute legal advice. It is not legally binding on AppDirect and you should obtain independent legal advice from a qualified attorney on these matters.

What are EU data protection laws?

Data protection laws are a set of laws that govern the way that businesses collect, use, and share personal data about individuals. Among other things, they require businesses to process individuals' personal data fairly and lawfully, to allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and to have in place appropriate security protections in order to protect the personal data that they process.

In the European Union, these laws are principally set out in an EU law called the Data Protection Directive (Directive 95/46/EC), which every EU Member State has implemented within its own national legal regime. However, next month, the EU will introduce a new data protection law called the General Data Protection Regulation (GDPR). The GDPR is a major overhaul of the current law under the Directive, and AppDirect, like many organizations, is taking steps to ensure that it is GDPR-ready by the time the new law enters into force on May 25, 2018.

Who we are?

AppDirect provides the only end-to-end cloud commerce platform for succeeding in the digital economy. The AppDirect ecosystem connects channels, developers, and customers through its platform to simplify the digital supply chain by enabling the onboarding and sale of products with third-party services, for any channel, on any device, with support. Powering millions of cloud subscriptions worldwide, AppDirect helps organizations, including Jaguar Land Rover, Comcast, ADP, and Deutsche Telekom, connect their customers to the solutions they need to reach their full potential in the digital economy. You can find out more about us and our products here.

What "personal data" does AppDirect process?

The GDPR applies to businesses that collect and process "personal data." The GDPR defines personal data as: "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." This is a broad definition, and includes data that is obviously personal (such as an individual's name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual's IP address).

Inevitably, in the course of providing our services, we will process personal data about people using the AppDirect platform (e.g., your employees as well as the end users of your customers). For example, when a user registers with your AppDirect-powered Marketplace, we will collect certain basic contact information. We may also automatically collect certain online digital information when our customers or end users interact with the services, such as IP addresses, cookies data, and online navigation data. Read our Privacy Policy to find out more.

How does the GDPR affect AppDirect?

AppDirect is typically a processor of the personal data it collects when providing its services to end users. For example, AppDirect will be a processor of the specific end users' personal data and information that its customers may choose to collect or that end users may upload on the Marketplace. This means AppDirect will, in addition to complying with its customers' processing instructions, need to comply with the new legal obligations that apply directly to processors under the GDPR.

What is AppDirect doing internally to comply with the GDPR?

AppDirect has embarked on a compliance project with support from external advisors to become GDPR-ready by the time the GDPR enters into force on May 25, 2018. Specific measures AppDirect is undertaking include:

  • Undertaking a data mapping exercise for the purpose of creating the necessary data processing records required by Article 30 of the GDPR;

  • Reviewing and addressing what, if any, product-level changes need to be made to ensure AppDirect can better support its customers’ GDPR compliance;

  • Reviewing and updating its standard customer terms to incorporate the mandatory data processor terms required by Article 28 of the GDPR;

  • Reviewing and, where necessary, updating any arrangements it has with third-party processors and sub-processors to ensure that all such processors and sub-processor arrangements comply with the GDPR; and

  • Reviewing and updating its privacy policy for GDPR compliance, including to incorporate the mandatory disclosures required by Article 13 of the GDPR.

AppDirect is committed to implementing its GDPR readiness program and understands the importance of a successful transition to GDPR for its customers.

Why have we implemented a Data Processing Agreement (“AppDirect DPA”)?

AppDirect is committed to GDPR compliance and to helping our customers comply with the GDPR when they use our Services. We have therefore prepared an AppDirect data processing agreement to incorporate the mandatory data processor terms as required by Article 28 of the GDPR (DPA).

Am I required to sign the AppDirect DPA?

Yes, if you are located in the EU or have any reasons to believe that AppDirect may process personal data originating from the EU on your behalf, you should sign the AppDirect DPA.

Customers can request signature of the AppDirect DPA by writing to gdpr@appdirect.com.

Do I need to notify anyone that I am signing the AppDirect DPA?

If you have made commitments to any data subjects (like your employees) whose data you control or process, as applicable, you should consider reviewing any contracts in place with those persons, and any publicly facing privacy statement or similar notices, in order to ensure that you are accurately representing the nature of the commitments that you have in place with your processors, such as AppDirect.

Does AppDirect transfer data internationally?

Yes. AppDirect is headquartered in the United States, though it has offices in Canada, Australia, India, Argentina, and in the EU and its Marketplaces might be used by customers or end users located in the EU. Therefore, AppDirect may in some cases process personal data that originates from the European Economic Area (EEA) on its servers and facilities in the United States.

The GDPR replicates the Data Protection Directive restrictions on transferring data outside the EEA and prohibits the export of personal data outside of the EEA to non-EEA recipients unless one of a limited number of legal solutions is in place. To this end, AppDirect has executed an intra-group data transfer agreement incorporating the Standard Contractual Clauses and signs Standard Contractual Clauses (also sometimes called "Model Clauses") with its EU customers or with its customers who have users and employees located within the EEA. These are standard form data export terms that have been pre-approved by the European Commission, and by signing them AppDirect commits to protect personal data it receives from its EU customers or end users to EU data protection standards. The Standard Contractual Clauses form part of the AppDirect DPA.

What security measures does AppDirect apply to personal data?

AppDirect uses appropriate technical and organizational security measures to protect customer and subscriber personal data. AppDirect is regularly audited against PCI, ISO 27001, and SOC 2 Type 2 standards by independent third-party auditors. AppDirect is also continually reviewing its safety measures for enhancements, including as part of its GDPR compliance program.

Can customers audit AppDirect's security measures?

AppDirect facilitates customer audits in a number of ways, as described in the DPA:

  • First, and on written request, AppDirect will provide its customers with a summary copy of its current audit report so that its customers can verify AppDirect's compliance with the audit.

  • Second, and also on written request, AppDirect will, no more than once a year, provide written responses (on a confidential basis) to all reasonable requests for information made by customers, including responses to information security and audit questionnaires, regarding AppDirect's compliance with security requirements and data protection laws.

AppDirect cannot accommodate on-premises audits by customers. However, AppDirect has a robust information security management system to ensure the security of personal data and conducts audits that provide assurances that AppDirect's controls are properly and securely managed.

Where can I get more information?

You can read more about GDPR at the AppDirect blog. If you have any questions or require assistance, please contact gdpr@appdirect.com.

How do I submit requests to AppDirect?

Requests are submitted by the marketplace owner to AppDirect Support. Simply submit a request to support@appdirect.com requesting the GDPR action. Please include the following information in the email request:

  • Subject Line:
    • General Information Request (What data fields in general does AppDirect or the Channel store for Data Subjects?)
    • Specific Information Request (What data is stored in the fields for a specific Data Subject?)
    • Data Deletion Request (Delete or obfuscate the data for a specific Data Subject)
  • Body of email:
    • The full name of the Data Subject
    • The email address of the Data Subject
    • The marketplace URL of the Data Subject

Requests must include the information listed above and come from a marketplace owner to be considered a valid request to initiate processing. Incomplete requests or with invalid data may result in delays. AppDirect Support will confirm receipt of the request and start processing valid requests.