Data Protection Compliance
Data protection legislation sets out rules and standards for the use and handling of personal data about living identifiable individuals (i.e., “data subjects”, “consumer”, etc.) by organizations and companies. The laws apply to all sectors, both public and private. It applies to all electronic records as well as many paper records.
Since 25 May 2018, the EU General Data Protection Regulation (“GDPR”) came into effect and set out a worldwide standard for processing personal data.
We, Wizer Feedback Ltd. (‘getWizer’ or “Company” or “we“) are committed to ensuring that our services comply with the various data protection regulations such as, not limited to, the GDPR, the California Consumer Privacy Act of 2018 (“CCPA”), which is in effect as of January 2020., etc.
For this purpose, we have designated an internal team, which is accompanied by our CEO, CTO, and legal consultants, to ensure all required actions are taken in order to achieve compliance with various data protection regulations. We further pay close attention to regulatory guidance around data protection regulation compliance and making changes to our product features and contracts when they’re needed.
What does getWizer do to comply with Data Protection Regulations?
In short, we have:
- Appointed a Data Protection Officer (“DPO”)
- Continuously review our security measures to ensure any personal data we collect and process on our systems is adequately protected.
- Provide our customers with Data Processing Agreements and update our contracts with third-party vendors to ensure they are GDPR/CCPA compliant.
- Maintain a formal process providing individuals a way to fulfill their requests concerning the personal data processed by us or on behalf of our customers
- We have implemented a RoPa (report of data processing) to ensure we maintain accurate records of our processing activities, both as a processor/service provider and controller of personal data.
Learn More About our Compliance with Data Protection Regulations:
Privacy by Design
We ensured that there is an applicable lawful basis for any and all processing of personal data as a controller and limited the use and transfer of personal data to strictly necessary purposes.
Technological Organizational and Security standards
The Company has completed an in-depth audit and data mapping process and implemented internal technical and organizational measures to safeguard against unauthorized access to personal data and protect us in case of a security incident.
Here’s a summary of some of the important and specific technical and organizational measures we have implemented:
Access controls: getWizer restricts third-party access to its internal tooling and infrastructure. Our Legal team evaluates all requests for access and ensures that the request is appropriate for the work to be performed and that the third-party follow all security and privacy provisions outlined in their contract, including our employees as further detailed below. Once approved, we only grant access through controlled accounts to clearly -defined portions of the system.
Vendor Agreements: We take all steps necessary to ensure that our agreements with our third-party international vendors (including sub-processors) contain appropriate commitments from such third parties regarding compliance with applicable laws and security standards.
Our full security and privacy programs are further outlined on our security page.
We have trained our employees and service providers to better understand the importance when handling personal data. We have annual employee training and display an online employee security policy so that at all times the employees’ have the tools to manage the data and access the data in a secure and compliant manner. We also have signed all employees on needed data protection provisions within the employment agreement. Last, employees that have access to personal data are solely designated, trusted employees that go through adequate screening to gain our trust.
In accordance with data protection regulations, individuals may exercise various rights such as: the right to access personal data, request the erasure of personal data, restrict sharing and selling of data, all as detailed in our User Right Policy.
In order to exercise any of the above rights please contact our DPO at: email@example.com or fill in our form at this link.
We have implemented a process, in the event of a security incident, cyber-attack, or data breach and will provide the data controllers, customer, the regulators, and even the end-users with an immediacy of notification to the extent required under applicable law.
European Data Transfer
On July 16, 2020, Europe’s highest court (“CJEU”) invalidated the EU-US Privacy Shield. Additionally, on September 8, 2020, the Swiss Data Protection Authority announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S.
We ensure any data transfer is done in a secure manner, in compliance with the latest EDPB recommendations concerning data transfer as well as contractually sign a Data Processing Agreement (available here) which incorporate the Standard Contractual Clauses which remain a valid data export mechanism and which automatically apply in accordance our Data Processing Agreement.
getWizer’s headquarters are based in Israel, currently, Israel has obtained the adequacy level of protection by the EU, and thus, the data transfer is safe. However, we have offices in the US and our servers are also located in the US, this means data we process may be transferred to, stored, or processed in the United States. In addition, we leverage third-party vendors who process personal data on our behalf, and their servers may be located outside of the EU/UK. We take steps to ensure that our vendors offer appropriate safeguards to protect the personal data they process on our behalf and contractually obligate them to process such data in compliance with applicable data protection laws.
Over the coming months, we anticipate that EU data protection regulators will issue additional guidance on the CJEU decision, including what the supplementary measures could consist of for those transferring data in reliance on the SCCs. In addition, the current form of the SCC was written before the GDPR went into effect and will be updated at some point in time. We will continue to keep a close eye on forthcoming guidance to stay up to date and assess whether we need to make any changes to our existing practices.
DISCLAIMER: THIS WEBSITE PAGE IS NEITHER A MAGNUM OPUS ON DATA PRIVACY NOR LEGAL ADVICE FOR YOUR COMPANY TO USE IN COMPLYING WITH DATA PRIVACY REGULATIONS. INSTEAD, IT PROVIDES BACKGROUND INFORMATION TO HELP YOU BETTER UNDERSTAND HOW WE, AT GETWIZER, HAVE ADDRESSED SOME IMPORTANT LEGAL POINTS.