FAQs: GDPR and Onspring
The European Union General Data Protection Regulation (GDPR) was enacted on April 27, 2016, and went into effect May 25, 2018. The GDPR impacts organizations that are:
- Based in the EU and control or process personal data for EU/EEA individuals (i.e., “data subjects”)
- Based outside the EU but control or process personal data for EU/EEA individuals
Onspring is based in the United States. However, our clients include organizations that are either based in the EU/EEA or have users who reside in the EU/EEA. For these organizations, we are providing these FAQs to help you better understand how the GDPR impacts Onspring and you.
Is Onspring a “data owner” or “data processor” under the GDPR?
Onspring is a data processor, as defined by the GDPR. As stated in our Master License Agreement (MLA), we do not own customer data. Clients are responsible for the nature, accuracy, quality and legality of their own data. They are also responsible for using commercially reasonable efforts to prevent unauthorized access to the data they store in Onspring.
Who has access to my Onspring instance and the data stored there?
Only the client’s authorized users have access to their Onspring instance and the data stored there. Onspring employees cannot access a client’s instance without the client’s express written consent, and only for the purposes of providing services or assisting the client in addressing technical difficulties. Onspring provides a complete audit log of user access, which clients may access at any time.
Does Onspring share my data with any third parties?
As stated in our MLA, Onspring cannot disclose customer data to any third party except as compelled by law or as expressly permitted in writing by the client.
How does Onspring protect my data?
Onspring maintains commercially appropriate administrative, physical and technical safeguards for protecting the security, confidentiality and integrity of customer data. We are happy to provide clients with additional details upon request or to facilitate a discussion with our security team to address any questions.
Can I delete data (if required) from my Onspring instance?
Clients that need to delete data from Onspring, in accordance with the GDPR, may do so. Data deleted from the system is permanently deleted and cannot be recovered. Therefore, extreme care should be taken in the deletion of data. Onspring provides technical safeguards to help prevent accidental data deletion, but responsibility for data deletion rests with the client.
What about the contact forms on the Onspring website (onspring.com)?
When visitors submit a form on the Onspring website to request a demonstration, request pricing, access educational resources or submit a general inquiry, that data is stored in our GDPR-compliant Customer Relationship Management (CRM) system. We do not share or sell this contact data, and we use commercially reasonable efforts to prevent unauthorized access to this data. Upon request from a “data subject,” we will delete personally identifiable information from our system.