GDPR Statement

FAQ

GDPR is a European privacy law enacted on May 25th, 2018. It has four basic requirements

Transparency

Whenever you ask for someone’s personal information, you must disclose how the information will be used.

Legitimate reason for using personal information

The best reason for using someone’s personal data is with their consent. Without their consent, you may still have a legitimate reason (such as a legitimate interest), but it may be harder to prove as legitimate.

New rights afforded to data subjects

People have the right to know what data you store about them, to obtain a copy of it from you, to withdraw consent to your use of their data, or to have it deleted.

Protection of personal data

You should protect personal data at all times. It is recommended that you encrypt sensitive data about a person whenever possible. Sharing it with third parties is prohibited without consent.

Failing to abide by GDPR can result in fines of up to $20MM or 4% of annual revenue.

In the few decades after the internet was commercialized, technology has transformed how we live and work. We ask Google personal questions, read Fox or CNN, send private messages through Facebook, and buy private personal effects on Amazon – these actions say a lot about us. And all of this data is stored, mined, and sometimes traded, with consumers having little control over the process.

Increasingly frequently, that data is being lost or misused. The Equifax data breach demonstrates that even the largest companies holding the most sensitive data can lack the basic safeguards necessary to protect us. Meanwhile, social networks and search engines mine and monetize us through our data in ways we don’t know. These are real and growing problems that GDPR aims to address.

GDPR applies to you if you meet any of the following conditions:

  • You have customers in the EU
  • You provide services to (paid or free) to EU citizens
  • You market to EU citizens
  • You monitor the activities of EU citizens

If you are outside the EU and run an exclusively local business, you don’t have to worry about GDPR. A flower shop in rural Ohio is unlikely to face the burden of complying, even if someone from the EU stops by your website and is captured by your analytics software.

It’s not your company’s size, but if EU residents could be seen as part of your target market, that determines your need to comply with GDPR. That means a small SEO company that accepts business internationally is still bound by GDPR.

You can read the exact legal text here.

Our practices, policies, and products fully adhere with GDPR

  • You will only receive communications that you consent to receiving, and can opt out at any time.
  • Our privacy policy and terms of service are visible, clear and comprehensive about what data we collect, its uses, and your rights to control it. You can grant or rescind consent to these policies and terms.
  • You can ask us for a data processing agreement (DPA) that states how we process your data. Email us at [email protected], or find it on the billing page.
  • We only share data with third parties with your direct consent, or if you agree to terms or policies that include those third parties. All our third party data processors comply with GDPR. We never have or will sell your data to third parties or use it for advertising.
  • To our knowledge, our users’ data has never been compromised. To ensure your data’s protection, we only store data we have consent to store, unless it’s required to provide you with service, or where we have a legitimate interest.
  • We encrypt sensitive personal data whenever needed to keep your privacy safe, and when can be done without compromising an aforementioned purpose.
  • You can ask us to see, correct or erase your data, stop us from processing it, or request a copy by emailing us at [email protected].
  • We have appointed a Data Protection Officer that you can contact by emailing [email protected].
  • We’re arranging similar GDPR-ready data processing agreements with our Vendors.
  • Persistent disk-level encryption
  • Automate the request, collection, and use of consents from leads and contacts
  • Encrypt lead and contact fields at rest
  • Audit user access and modification of encrypted data
  • Double opt-in mechanisms for email marketing

Please note: some of the above features require a specific tier of Vtiger, or subscription to Vtiger’s Privacy Guard.

When you use Vtiger CRM, you can trust that your data are safe, and that you always have the tools necessary to comply with GDPR. However, the tools must be used the right way. To that end, we recommend learning about GDPR, then updating your policies, practices, and procedures to comply with GDPR.

To start down that path, it’s helpful to read the full GDPR text (Without endorsing this source – it’s available here). Then find third party sources to learn best practices. Lastly, create a data protection team and make whatever changes necessary for ensure compliance.