Future Partners and GDPR
25 May 2018 marks the start of enforcement of the European Union’s General Data Protection Regulation. This new piece of legislation has had a great impact on anyone whose business involves handling personal data about EU residents or within the EU. Personal data is not core to Thinking Wrong, and we minimize the amount of personal data in our system—but that which we do store, we take great efforts to protect.
This page provides an overview of the data-related roles and responsibilities when you’ve chosen the Think Wrong Lab (the Lab) as your problem-solving platform and will explain our efforts to live up to the values and requirements of the GDPR.
The Think Wrong Lab/Future Partners as the data processor
Using the Lab to manage your users means that you have engaged Future Partners, LLC as a data processor to carry out certain processing activities on your behalf.
One topic that often comes up with customers is data transfers outside of the EEA.
The GDPR establishes strict requirements for moving data outside of its scope of protection. This is only natural - otherwise it would be impossible for the law to fulfill its purpose.
Data from the Lab is, at present, stored in the USA, but we are required to comply with all the principles and the GDPR Act as a whole, as such it is our job to ensure that we transfer the data lawfully.
We will keep an up-to-date list of sub-processors in our Terms of Service to be fully transparent about these transfers. This list will also explain what data is involved and how we have ensured that the data is adequately protected even after it leaves the EEA.
Hopefully, this helps you to better navigate the EU’s data protection requirements. If you have any questions with regard to the above, you’re welcome to reach out to us at firstname.lastname@example.org and we’ll do our best to explain things further.
Future Partners as the data controller
Additionally, Future acts as the data controller for the personal data we collect about you, the user of our website and services.
First and foremost, we process data that is necessary for us to perform our contract with you [GDPR Article 6(1)(b)].
Secondly, we process data to meet our obligations under the law [GDPR Article 6(1)(c)] — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.
Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
What are these ‘legitimate interests’ we talk about?
- Improving the app to help you reach new levels of productivity.
- Making sure that your data and the Lab’s systems are safe and secure.
- Responsible marketing of our product and its features.
As the controller for your personal data, Future Partners is committed to respect all your rights under the GDPR. If you have any questions or feedback, please reach out by email at email@example.com.
What Future Partners is doing for the GDPR
As a company with customers in Europe, Future Partners understands the implications that the EU General Data Protection Regulation has for businesses. We appreciate the privacy needs of users of the Lab as well as their customers and, as such, have implemented — and will continue to improve — technical and organizational measures in line with the GDPR to safeguard the personal data processed by Future Partners through the Lab.
Internal processes, security, and data transfers
A large part of GDPR compliance is making sure that there are procedures in place that ensure that data processes are mapped and auditable. We have added elements to our application development cycle to build features in accordance with the principles of Privacy by Design. Any access to the Client Data that we process on your behalf is strictly limited. Our internal procedures and logs make sure that we meet the GDPR accountability requirements in this regard.
We have established a process adopting tools that makes sure that these third parties meet the high expectations that Future Partners and its customers have when it comes to privacy and security. We have plans (no planned release date) to enable data to be stored in AWS regions in Europe to improve performance and provide additional assurance that your data enjoys the level of protection envisioned by the GDPR. Currently all data is stored in the U.S.A.
Readiness to comply with subject access requests
Data subjects’ ownership of their personal data is at the heart of the GDPR. We have created a self-service interface to respond to data subject requests to delete, modify, or transfer their data. In addition to the self-service interface, our Engineers can assist them in their work and are well-prepared to help you in any matters involving your personal data.