Base GDPR Compliance
In order to ensure that our service is compliant with the legal requirements set by the EU General Data Protection Regulation (GDPR), we have implemented certain changes in the way we handle personal data.
Since Base acts as both a data controller (for instance, when handling our clients’ personal data, like the email addresses needed for registration to the service) and a data processor, some of our obligations will extend only to data subjects whose personal data we are in direct control of.
While we always took the privacy and security of our clients’ data extremely seriously, some of our procedures will need to be modified if we are to meet all the conditions listed in the GDPR. This includes examining and, when necessary, modifying our:
Data storage and access authorizations
We have performed an audit and mapped all the personal data we collect, assessed the way it is stored and updated, restricted its processing and prevented it from being accessed, copied, or manipulated by members of our staff without there being a record of the actions taken, ensuring full accountability.
Data access authorization levels are to be refined, the amount of data collected and the retention period are to be brought down to the operational minimum (“privacy by default”), and employees who do have access to data are to be educated on what they can and cannot do with it.
We intend to retain documentation that explains how, when and why the data has been collected, and to monitor that data in order to identify odd patterns or breaches.
If we are already handling your personal data, we will inform you once we are done implementing all the changes included in our GDPR compliance roadmap, at which point you’ll be able to expect complete transparency regarding the data we collect and the way we are using it.
Before we send any data-collecting cookies, users will be informed about the type of cookies we intend to use, the purposes we need them for and the effects of declining or accepting them. Some cookies are used to inform us about how our site is being used, which ultimately translates into a smoother experience for our users, but still requires us to get your permission before sending them. However, there are those which are absolutely necessary for you to be able to use our service or view our website (for instance, CSRF protection cookies), and these cookies can be sent without us asking for explicit consent.
Before we send any other kind of cookies your way, we will clearly inform you which cookies we are using, what we need them for, and which of them you need to accept in order to use our site or services, as well as which cookies are optional.
We may update this policy from time to time owing to changes in legislation or other reasons. You will be informed about the activities we undertake where they affect your privacy rights.
Consent and privacy by design
Before we collect any kind of personal data, send data-collecting cookies your way, or make major changes in the way we handle your data, we will ask for your permission. This will be reflected in the design of our website, including different forms and text input fields, as well as sections triggering automatic data retrieval and storage (“privacy by design”).
You will be informed, in plain terms, about exactly what we need from you, why we need it, and what the risks and benefits of allowing us to collect your data are. The site’s architecture will ensure that you can never give out your data inadvertently, without being fully aware of what you are consenting to and without being able to review and withdraw your consent.
Policies regarding the subject’s right to be informed and to access the data
While we never kept our visitors or clients in the dark when it comes to the data we are collecting, or the way we are using it, these changes are meant to set up an infrastructure allowing data subjects to easily get any kind of information they need.
Data subjects can, at any time, get information regarding:
- The exact amount and kind of data we have
- The way that data is stored
- Who has access to their data
- How long their data is to be kept
We are obliged to inform the data subjects:
- Before we collect any of their data
- If we change the way data is handled
- If there are any personal data breaches potentially compromising the privacy of their data (we need to inform the subject directly and without delay in the cases where we are considered data controllers, or inform the data controller in the cases where we are data processors)
- If we perform any kind of automated decision-making with their data, including but not limited to profiling
Data subjects have complete control over their data, including the right to:
- Access their data in its entirety
- Ask for the data to be supplemented, corrected or abridged
- Ask for their data to be transferred, either to them or to a third party provider of their choice, if the transfer is technically feasible
- Request we restrict or stop the processing of their data (“Right to restrict processing”, “Right to object”)
- Ask for their data to be deleted (“Right to be forgotten”)
Associated third parties GDPR compliance
In order to provide you with our services, Base relies on different third-party apps that help us communicate with our users or perform other essential tasks (example: Intercom). While some of those third-party services won’t have any kind of access to your data, others will, either as controllers or as processors. While we can’t assume full responsibility in the cases where they are treated as controllers, what we can do is ensure that each of these services that needs access to your data in order to perform its function is compliant with the GDPR and that we have your consent to grant them access.
Aware of the sensitivity of the data we handle, we have always invested heavily in our security procedures. However, the specific requirements of the GDPR pertaining to data segmentation, and the imperative to keep close and detailed records regarding any interaction of our staff with the data, necessitate the revision of our security procedures.
In order for us to be able to inform you of data breaches, to establish culpability, or to prove that we have acted in accordance with the rules prescribed by the GDPR, we need to ensure that everything important that happens to your data is logged and available for later review, by us, you, or the regulating body.
In order to limit the damage potential of security breaches, data received from third-party data sources goes through pseudonymization. This process allows us to work with a depersonalized version of the data set in question, while the encryption key, or different additional information needed to attribute data to specific data subjects, is kept separately.
Security of processing is our top priority and we have adopted a risk-based approach that involves regular testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the safety and privacy of your personal information.
Data received from a third party
Before acquiring a contact list or a database with contact details of individuals from another organization, or transferring one such list to a third-party organization, Base will make sure that both we and the other organization are able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may be used for advertising purposes.