Insider and the GDPR

 

At Insider, we take privacy seriously. With the European Union’s General Data Protection Regulation (GDPR) in effect from May 25, 2018, we have taken several technical and organizational measures to comply with the regulation.

What is GDPR?

The General Data Protection Regulation is a codification of privacy and data protection regulations whose aim is to provide a more consistent guidance on privacy and data protection and respect to personal data of European Union citizens. In sum, it has replaced the previous EU privacy directive, which was outdated, while also introducing some interesting changes to privacy and data protection regimen. GDPR applies to any company handling personal data of EU subjects, even if the company is headquartered outside of EU.

Our commitment

Insider has a Security, Privacy and Compliance committee with data protection specialists, legal consultants and security experts that prepared our company and our products for GDPR and continue to constantly reassess our standards. The team also includes executive members, such as our co-founders, who are fully committed to improving transparency and trust to obtain acceptance and agreement from our entire company.

What has Insider done to comply with GDPR?

The below table details our action across the organization to comply with this new regulation

GDPR Reference Summary Actions taken by Insider for Compliance
Data Protection Principles (Article 5) Lawfulness, Fairness and Transparency As a data processor, Insider commits to follow transparent processing activities. To show our processing activities, we published our product privacy policy for general applications. We are also providing all the necessary information about processing activities to our partners when requested.
Purpose limitation We have the Data Processing Agreement with our Partners to define the purpose of processing activities. With the DPA, the duties and responsibilities of the parties are defined. We make sure that as a data controller, our partners collect the specified, explicit and legitimate consent from their End Users. If the purpose of the data collection is changed, our Partners need to inform about the change and we also change the DPA according to new purpose of processing.  
Data minimisation Unless the partners define other purposes, Insider products only collect users’ behavioral data to provide best personalized user experience. Based on our partners need, we process the data which is defined and collected by the partner. Our product by default collects only behavioral data in an anonymous way.
Accuracy Any data pushed by our partners that relates to user data can be easily rectified using our API endpoints to either merge or override data.  
Storage limitations Our platform does not store any user data unnecessarily, unless indicated by our partners. All our data retention and storage policies are clearly defined and available to our partners..
Integrity and confidentiality Our platform employs all required technical and organizational measures including pseudonymization of data to ensure its security and confidentiality
Consent (Article 7) Conditions for consent

  1. Unbundled
  2. Active opt-in
  3. Granular
  4. Named
  5. Easy to withdraw
  6. Documented
  7. No imbalance in the relationship
According to the Article 7 of GDPR, freely given, clear consent will be collected by the data controller. In the relationship between Insider and our partners, Insider is the data processor and our partners are the data controller according to the roles defined under GDPR. Based on these roles, Insider is not responsible for collecting the consent from end users to process the data. To help our partners to be compliant,, we are committed to enabling our partners to collect data responsibly as a controller. For our product features where the controller can collect User’s personal data, we have provided the ability to add consent checkboxes that are active and explicit.
Data Subject Rights (Article 15 – 23) Expanded Individual’s’ Rights:

  1. access their information;
  2. have inaccuracies corrected;
  3. have information erased;
  4. prevent direct marketing;
  5. prevent automated decision making and profiling;
  6. data portability.
Insider will cooperate with any requests from controllers to access, erase or rectify data of end users through trained personnel servicing these requests. Additionally our platform also provides multiple API endpoints to delete data or update data to keep user data accurate.
Security of Processing (Article 32) Confidentiality, integrity, availability, resilience of processing systems and services To ensure that the entire company and its employees are aware about GDPR, we have taken continuous training and process measures. We have quarterly training programs to ensure employees are enabled to comply with GDPR. In addition to this we also have new employee onboarding to include GDPR awareness and policy coverage. Amongst several policy documents, Employee Security Rules is one such document to enforce our commitment towards data processing regulations
Data Breach (Article 33 – 34) Responding to Data breaches and incidents We fully commit to continuing to notify our customers and partners of any data incidents in line with our current terms of service and privacy agreements. We will keep investing in threat detection and avoidance technologies, and our round-the-clock incident management program to help you respond to security or privacy events. We prepared a detailed Incident Response Plan and built a Security Team to comply with Article 33-34.
Data Protection Officer (Article 37-39) Appointment of DPO Our DPO is available to answer any questions regarding data processing and how we’re compliant with core tenets of GDPR  such as “consent” and “product compliance”. You can reach Haktan Ellez anytime via haktan@useinsider.com or through the number +90 554 763 00 33.
Codes of conduct and Certifications (Article 40 – 43) Certifications Insider constantly identifies and plans to implement relevant certifications. Currently we are pursuing ISO 27001- Information Security Management System.
Cross border data transfer (Article 44-50) Data storage All the data we collect is stored in an EU-based center, the Amazon Web Services (AWS), in Dublin, Ireland. This data storage center is available to all customers who wish to have their data stored within the territorial scope of the GDPR, and not only our EU customer base.
Data Processing and Transfer Our technical systems are 100% compliant with the GDPR and cloud base AWS servers of Insider is in the EU.  To regulate cloud server system, Standard contractual clauses of EU Commission is added to our example Data Processing Addendum.