2Sync is GDPR ready

Yes! 2Sync Web Solutions Pvt. Ltd. is now GDPR ready. We comply with all the regulations put forward by the European Union (EU).


What Is GDPR & why does it concern you?

The European Union (EU) has introduced a landmark regulation called the General Data Protection Regulation (GDPR in short) which will come into effect from 25th May 2018 onwards.

The main goal of GDPR is to give EU residents some drastic improvements to their privacy rights & better control over their personal data, and to protect them from privacy breaches and leaks. So in simple terms, GDPR has been introduced to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international businesses. When GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).

Every organisation that handles, markets or tracks the personal data of EU residents is concerned, even if they are not based in Europe. In the case of software companies which typically sell their products globally, this means that this new regulation will apply to everyone, no matter where they are based.

There are strong penalties in place for non-compliance: up to €20m or 4% of global annual turnover, whichever is higher. (yikes!)

So making sure that we are compliant, and in turn that the personal data of the customers buying your products is treated correctly and fairly, while continuing to provide a great customer experience, is important to us at 2Sync.

Individual Rights (Learn more)

The right to be informed
Customers are required to agree to our Terms of Service in order to register an account and complete checkout. A user account cannot be created, and an order cannot be placed, without the user checking a box to confirm their agreement to our Terms of Service. (Learn more)

The right of access/right to rectification
We provide a self-service client portal that lets our customers log in and view their personal information (profile data). The same client portal also lets our customers update their personal information, including name, email address, postal address and phone number, as well as any custom fields we have defined. (Learn more)

The right to erasure (also known as the ‘right to be forgotten’)
If we receive a request for erasure, we can perform a deletion of the customer record from the client area using the Delete Client functionality. Using this feature removes all data relating to a given customer including, but not limited to, personal information in the user’s profile, service and invoice history, activity log entries, support ticket and email history. (Learn more)

The right to data portability
Data portability means the right to receive personal data in a machine-readable format and to request that such data be transferred directly from one controller to another. This right only applies where the processing is based on consent or on the performance of a contract, and when processing is carried out by automated means. There is no right to charge fees for this service. (Learn more)

Lawful basis for processing (Learn more)

Contract
In most cases, users register an account in our client area instance as part of the process of submitting an order for services. In doing so, often end users (that means you) are entering a contract with us to provide services. (Learn more)

Consent
The obligation to obtain the Data Subject’s consent to collecting and processing their data under the GDPR is very onerous and will be strictly enforced. Consent cannot now be a pre-ticked box, deemed automatic on registering for an online shop (for example) or inferred from silence or inactivity. (Learn more)

Consent must be given freely, be informed, be specific and be made by a clear affirmative action.

We have introduced more flexibility and control over how our users opt in to marketing emails, such as those sent by the mass mail system, which can be used for newsletters and similar products (although we rarely send any ;)).

We are collecting consent for the purpose of marketing; the positive opt-in is separate from other terms and conditions. Our customers can also withdraw their consent via their profile settings page, or by opening a ticket and letting us know that they no longer wish to receive any emails or marketing activities.

We have added a new consent log that records each time the consent setting is changed. For each change, we record the date/time of that change, who it was initiated by and the IP address of the user. This new log can be accessed via the Profile tab within the admin client profile summary.

If you feel we have missed something, feel free to contact us.

References:
- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
- https://blog.whmcs.com/133437/how-whmcs-can-help-with-gdpr-compliance