And Gdpr

| 21-04-2021
[RAND-1-100] Comments



With the exception of our Payroll and our employee time-tracking (TSheets) services, Intuit acts as an independent controller of the personal information placed in our products and services.

  1. Gdpr And Cookies
  2. Gdpr Overview
  3. Gdpr Compliance Deadline
  4. General Data Protection Regulations
  5. Ad Gdpr

The General Data Protection Regulation (GDPR) is a new European privacy law which became enforceable on May 25, 2018. List of EU GDPR authorities by nation. Below is the contact information for the EU GDPR authorities. You can reach out to the contacts at your preferred authority to learn more about GDPR and stay compliant in all of your data collection efforts.

Our GDPR checklist can help you secure your organization, protect your customers’ data, and avoid costly fines for non-compliance. To understand the GDPR checklist, it is also useful to know some of the terminology and the basic structure of the law. You can find this information on our What is GDPR? GDPR is an EU-wide privacy and data protection law that regulates how EU residents' data is protected by companies and enhances the control the EU residents have, over their personal data. The GDPR is relevant to any globally operating company and not just the EU-based businesses and EU residents.

Gdpr And Cookies

The GDPR distinguishes between the roles of a 'controller' and a 'processor' – each having different compliance roles and responsibilities. The GDPR defines a controller as an entity that determines the 'purposes and means' of the data processing – or, in layman's terms, 'how and why' data is processed. A processor, on the other hand, is defined as the entity that 'processes personal data on behalf of the controller'.

At Intuit, our mission is to 'Power Prosperity Around the World' by focusing the power of many, to drive the prosperity of one. This means that we use the data from each customer to derive insights, benefits and improve the services for all of our customers. To do this, we rely on technologies – like machine learning algorithms – that help us develop new products and services to meet our customers' needs.

One example is our business expense classification tools – by analyzing how customers often classify certain expenses (as business or personal) we can make suggestions that to make your classification more efficient.

These technologies necessarily collect, process and store customer data in ways and for purposes that we determine, and to provide these features and improvements to you, we must necessarily process this data as a controller. Acknowledging our status as a controller simply reflects the factual reality of our data processing practices. As a controller, we have more, not fewer, obligations under the GDPR – so you can rest assured we'll process it in accordance with our Data Stewardship Principles and take the protection of your data very seriously.

If you are currently using our payroll or TSheets services in the EU, we will be offering new data processing terms to satisfy your compliance obligations with regard to our processing of the personal data that we process on your behalf. Please look for an update to our terms in the near future.

Zoho has always honored its users’ rights to data privacy and protection. Over the years, we’ve demonstrated our commitment to this by consistently exceeding industry standards. We have no need to collect and process users’ personal information beyond what is required for the functioning of our products, and this will never change. We have a privacy-conscious culture here and GDPR is an opportunity for us to strengthen this even further.

What is GDPR?

And

GDPR is an EU-wide privacy and data protection law that regulates how EU residents' data is protected by companies and enhances the control the EU residents have, over their personal data.

The GDPR is relevant to any globally operating company and not just the EU-based businesses and EU residents. Our customers’ data is important irrespective of where they are located, which is why we have implemented GDPR controls as our baseline standard for all our operations worldwide. GDPR has taken effect from 25th May 2018.

What is personal data?

Any data that relates to an identifiable or identified individual. GDPR covers a broad spectrum of information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data extends beyond a person’s name or email address. Some examples include financial information, political opinions, genetic data, biometric data, IP addresses, physical address, sexual orientation, and ethnicity.

How prepared is Zoho for GDPR?

We have acted on many fronts to adhere to this new regulation.

  • We have raised awareness across the organization through frequent discussions in our internal channels, and trained employees to handle data appropriately. They now understand the importance of information security and the high standards set by GDPR.
  • We have assessed all Zoho products, individually, against the requirements of the GDPR and have implemented new features that will give you more control over your data and ease your burden of achieving GDPR compliance.

  • Take a look at what some our products have done to be GDPR-ready.

    Zoho CampaignsZoho CRMZoho Forms
    Zoho MailZoho SalesIQZoho Cliq
    Zoho PageSenseZoho SocialZoho Projects
    Zoho WriterZoho DeskZoho Assist
    Zoho RecruitZoho PeopleZoho Creator
    Zoho AnalyticsZoho FlowZoho Vault
    Zoho Finance PlusZoho ConnectZoho Survey
    Zoho SignOrchestlyZoho Bookings
    Zoho BackstageZoho Sites
  • We have constituted an Information Asset Register(IAR), which includes information on all the roles Zoho assumes, such as a data controller and processor. It details on various categories of personal data processed by our organization and which department is getting access to which data and for what purpose. It has a comprehensive coverage of all our processes and procedures.
  • We have assessed our sub-processors (third party service providers, partners) and streamlined the contract process with them to ensure that they have addressed the pressing needs of the current security and privacy world.
  • We have appointed internal privacy champions for all our teams. We have also appointed a Data Protection Officer (DPO).
  • Our application teams have embraced the concept of privacy by design and have provided you more control over the data you store in our systems. These provisions may vary based on a product’s characteristics and domain. We constantly endeavour to provide you with more enhancements, which shall be rolled out in phases.
  • We have amended our Data Processing Addendum (based on Model Contractual Clauses) to be compliant with the data processing requirements of GDPR.

    If you are the organization administrator and would like to sign a DPA with us, we’ve made it available to be signed electronically in a few easy steps.

    • If you've signed up in our US datacenter, click here to view the DPA. To initiate the signing process, click here.
    • If you've signed up in our EU datacenter, click here to view the DPA. To initiate the signing process, click here.

      Note: Make sure that you have logged into your Zoho account before clicking on the link. You can also drop an email to legal@zohocorp.com to request a copy of the Data Processing Addendum.

  • We conducted Data Protection Impact Assessments (DPIA). Based on the results, we have put in place appropriate controls on data processing and management.
  • We conducted internal audits of our products, processes, operations, and management. The findings were communicated to our teams, who have worked out the solutions to the identified problems.
  • Based on the DPIAs and internal audits, we have improved our data security methods and processes. This includes encrypting data at rest, based on the level of sensitivity and likelihood of risks. We have developed in-house tools for better governance and discovery of data.
  • We have cleaned up our databases to ensure that we have only the latest and most accurate information. This cleanup process includes removing terminated and dormant accounts as per our Terms of Service.
  • When needed, breach notifications will be done according to our internal Privacy Incident Response policy. Customers will be notified of a breach within 72 hours after Zoho becomes aware of it. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address).
  • We have revised our Privacy Policy to incorporate the requirements of the applicable privacy laws based on our data inventory, data flows, and data handling practices.

Join the live forum-based Q & A session and get answers to your questions on Zoho's updated Privacy Policy in keeping with GDPR. Ask now!

FAQs:

1. What is GDPR?

  • The EU's General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has realized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the current Data Protection Directive to suit the changing times. This law creates a comprehensive list of regulations that govern the processing of EU residents' personal data.

2. Who does it apply to?

  • GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.

3. Where does the GDPR apply?

  • This law doesn't have territorial boundaries. It doesn't matter where your organization is from — if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.

4. What are the penalties for non-compliance?

  • A breach of the GDPR incurs a fine of up to 4% of annual global turnover or €20 million (whichever is greater).

5. Who are the key stakeholders?

  • Data subject- A natural person residing in the EU who is the subject of the data
  • Data controller- Determines the purpose and means of processing the data
  • Data processor- Processes data on the instructions of the controller
  • Supervisory authorities- Public authorities who monitor the application of the regulation

6. What is personal data or Personally Identifiable Information (PII)?

  • Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).

7. What are the key changes from the previous regulations?

  • New & enhanced rights for data subjects- This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:
  • Explicit consent : Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
  • Right to access : At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
  • Right to be forgotten : The data subject can request the controller to remove their personal information from the controller's systems.
  • Obligations of the processors - GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller's instructions.
  • Data Protection Officer - Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
  • Privacy Impact Assessments (PIA) - Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
  • Breach notification - Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
  • Data portability : The controller must be able to provide data subjects with a copy of their personal data in machine readable format. If possible, they must be able to transfer the data to another controller.

8. What are the lawful bases the data controller can use to process customer data?

  • The data controller can choose from six data processing bases. These are:
  • Contract - This applies when you need to process the customer's personal data to fulfill your contractual obligations, or to take some action based on the customer's request (e.g. sending a quote or invoice).
  • Legal Obligation - This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).
  • Vital Interests - This applies to urgent matters of life and death, especially with regards to health data.
  • Public Task - This applies to activities of public authorities.
  • Legitimate Interests - Legitimate interests can include commercial interests, such as direct marketing, individual interests, or broader societal benefits. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.
  • Consent - Consent is also a lawful basis to process data. Consent of the data subject means 'any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.'

9. What is LIA?

Gdpr Overview

  • LIA stands for Legitimate Interests Assessment. It specifies the reason an organization wants to process a customer's personal data. The organization must also conduct an LIA to show that the processing is necessary.
  • The assessment of whether a legitimate interest exists.
  • The establishment of the necessity for processing.
  • The performance of the balancing test.

10. Does the GDPR require EU personal data to stay in the EU?

Gdpr Compliance Deadline

  • No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Our data processing addendum, which references the European Commission’s model clauses, will continue to help our customers facilitate transfers of EU personal data outside of the EU.

11. Where can I find additional resources on GDPR?

General Data Protection Regulations

  • Here are some links you can refer to for additional reading on the GDPR:
  • Find your supervisory authority - http://gdprandyou.ie/resources
  • EU Data Protection Supervisor - https://edps.europa.eu
  • Website of EU GDPR - https://gdpr.eu/
  • Rules for businesses and organizations - https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
  • Your organization's guide to GDPR - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
  • Note:Zoho Corporation is not responsible for the content in these pages and does not endorse these links.

Ad Gdpr

Resources:

Please feel free to ask questions and share concerns with us at privacy@zohocorp.com.

Choose Privacy. Choose Zoho.

Disclaimer: The information presented herein should not be taken as legal advice. We recommend that you seek legal advise on what you need to do to comply with the requirements of GDPR.