The EU General Data Protection Regulation (GDPR) is a privacy and data protection regulation in the European Union effective from May 25, 2018.
Documill is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection.
This GDPR Compliance Statement explains our approach to implementing our GDPR compliance program. It describes the implementation of our data protection roles, policies, procedures, controls and measures to ensure ongoing compliance with GDPR.
Our GDPR Principles
Documill takes the privacy and security of individuals and their personal information very seriously. Our principles for processing personal information are:
- We will process all personal information fairly and lawfully
- We will only process personal information for specified and lawful purposes
- Where practical, we will keep personal information up to date
- We will not keep personal information for longer than is necessary
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures
Our GDPR Practices
- Only process Personal Data as defined by the Data Protection Act 1998 (“the Act”) on instructions by the Controller* as defined in the Act
- Ensure any Personnel used by Documill to process Personal Data are subject to a duty of confidentiality or are under an appropriate statutory obligation of confidentiality
- Ensure all Personal Data is kept secure and take all measures required pursuant to Article 32 of the GDPR
- If Documill engages another processor for carrying out specific processing activities on behalf of the Controller, Documill shall ensure the same data protection obligations as set out in this Section shall be imposed on that processor by way of contract, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of GDPR
- Assist the Controller to comply with requests from individuals exercising their rights under Chapter III of the GDPR including, but not limited to access, rectification, erasure or objection to the processing of their Personal Data
- Assist the Controller in complying with its obligations pursuant to Articles 32 – 36 inclusive of the GDPR including, but not limited to security and data breach obligations and notifying the Controller of any Personal Data breach
- Ensure that any data or Personal Data will not be held outside the EU
- Ensure that there are adequate processes, systems, antivirus or other protection applications in place to prevent any loss or corruption of data
- Documill shall indemnify the Controller and keep the Controller indemnified against all and any losses and damage (including reasonable legal costs) in relation to negligence, breach of contract and/or breach of statutory duty in relation to this Section
* GDPR defines ‘controller’ as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Subjects’ Rights under GDPR
At Documill, an individual can request information about:
- What personal information we hold about an individual
- The categories of personal information we collect from an individual
- The purposes for collecting and processing personal information from an individual
- How long we plan to keep the personal information
- The process to have incomplete or inaccurate personal information corrected or completed
- Where applicable, the process for requesting erasure of the personal information or for restricting the processing of personal information in accordance with data protection laws, as well as to object to any direct marketing from us
- Any automated decision-making that we use
Our GDPR Compliance Plan
Here’s an overview of the steps that we take to ensure compliance with GDPR at Documill:
- We conduct a data mapping inventory and analysis of collected personal information in our systems and records
- We establish procedures and policies to restrict processing of personal information
- We update our procedures for data breaches and incident responses
- We review all processing activities to identify the legal basis for processing personal information and to ensure that each basis is appropriate for the activity it relates to
Contact us if you have GDPR related questions
If you have any questions about this GDPR Compliance Statement, or our privacy or security practices, please contact us: firstname.lastname@example.org.