Last Updated: 15 October 2022
Smallize and the GDPR
On the 25th May 2018, the European Union began enforcing its General Data Protection Regulation (GDPR). It impacts how businesses collect and process data from European individuals. While Smallize is an Australian business with no European entity, it values the rights of its users and customers and their personal data regardless of their location. As such, we’re working hard to comply with these rules across all our systems and processes.
This page gives an overview of the roles described by the GDPR, the responsibilities of each party, and the efforts we’re putting in place to support these recommendations.
Smallize as the data processor
While using our services, you may upload files for processing via our Cloud platforms, and you may also send our Support Team files for debug or support purposes. Due to the nature of our products and services, your files may contain information from or about your clients. While covered by the confidentiality clauses, the upcoming updates to our Terms of Use and Privacy Policy further cement these rights.
These are your data subjects, and you are considered the data controller for this personal data. Our Terms of Use and Privacy Policy refer to this data as Client Data.
Using Smallize services to process your Client Data means that you have engaged Smallize as a data processor to carry out certain data processing activities on your behalf. Article 28 of the GDPR states that the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of Article 28). Our Terms of Use and Privacy Policy also serve as your data processing contract with Smallize. They set out the instructions you are giving to Smallize in regards to processing personal data you control and establishing the rights and responsibilities of both parties. Smallize will only process your Client Data based on your instructions as the data controller.
Data Transfers
When data is transferred outside of the European Economic Area (EEA) by data processors, the GDPR sets strict requirements for moving data outside of the scope of its protection.
As Smallize is an Australian business with no European entity, the data controller makes the sole decision to transfer data to Smallize, which is based in Australia outside of the EEA, with its technical infrastructure based in the US. Where we do engage with sub-processors, we do so in a considered fashion considering the legalities of the transfer at each step.
We’ll keep an up-to-date list of sub-processors in our Terms of Use. This ensures we are fully transparent about our transfers and the processors we use. We’ll explain the data we transfer and for what purpose. We only engage with sub-processors who have either certified under the EU-US Privacy Shield framework or signed the EU Commission’s standard contractual clauses for data transfers with us.
If you have any questions on these points, you can contact us at privacy@smallize.cloud.
Smallize as the data controller
Smallize acts as the data controller for the personal data we collect about you, the user of our web apps and website, and the purchaser of our products or services.
Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations.
Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
What do you mean by ‘legitimate interests’?
- Improving our products and services in a way that is useful to you.
- Ensuring your data and Smallize’s systems are reliable, safe, and secure.
- Responsible marketing of our products, services, and their features.
- The ability to service the contract we are entering into with you, our customer. As the controller for your personal data, Smallize is committed to respecting your rights under the GDPR. If you have any questions, please contact our Data Protection Officer at dpo@smallize.cloud.
What is Smallize doing for the GDPR
Smallize respects the privacy of its customers and their clients. To that end, we have implemented and continue to improve both technical and organizational measures in line with the GDPR to ensure the appropriate processing of personal data.Internal processes, security, and data transfers
We have reviewed our internal processes and operations to make sure we map and audit the data traveling through our systems. We are implementing functionality within all our main customer-facing systems to cope with the principles of Privacy by Design. Any access to Client Data is only done through the permission of our customers and is always limited and specifically in scope to the contract between Smallize and its customers.
Our internal procedures and logs make sure that we meet the GDPR accountability requirements.
We onboard new third-party services rarely, but when we do, we have an internal process for evaluating these suppliers on their security and privacy considerations. We keep the number of sub-processors to a minimum, where possible using our own technology and infrastructure for processing.
Ability to action subject access requests
Data subjects’ ownership of their personal data is at the heart of the GDPR. We are working on a plan to respond to data subject requests to delete, modify, or transfer their data. This means that our Customer Support Specialists, along with the Engineers that assist them in their work, are well-prepared to help you in any matters involving your personal data.Documentation
Our Terms of Use and Privacy Policy are updated regularly to make sure we build upon the good work we’ve always done in this area. As these documents set out the basis of our relationship with you, it is of paramount importance for us to openly and clearly explain your rights in these documents.Training and awareness
Training and awareness about GDPR, and the handling and processing of personal data, have been communicated throughout the whole Smallize business. Each Smallize team member has awareness of the issues and our policies surrounding compliance with GDPR and other privacy-related issues. We have built this training into our new team member training requirements and have scheduled refresher checks regularly.
We believe the above approach in adhering to the GDPR is firmly in line with the ethos of its purpose and what it aims to achieve.