Media Cloud Documentation

Legal Framework

Updated 19 Apr, 2023
GDPRSafe

Introduction

Our platform has been designed and developed with General Data Protection Regulation (“GDPR”) compliance in mind. This is why we worked closely with our external team of lawyers and consultants to develop the legal framework below. Our work is based on guidelines from ENISA and the EDPB (European Data Protection Board), combined with Privacy by Design and Default principles. That means we incorporate data protection as an integral part of our platform so that it ensures the highest personal data protection from the start.

Privacy Impact Assessment (PIA)

At the core of our legal framework, we have conducted a standardized privacy risk assessment to ensure our entire tech stack and data flow are designed and operate according to international standards. Analyzing and evaluating threats and vulnerabilities in our data (security context and risk assessment) is crucial for identifying ways cyber criminals and employees might compromise personal data. This ties into our Privacy by Design approach, which has dictated what data we store and process, who has access to it, and the appropriate security level.

Data Processing Agreement (DPA)

GDPR compliance requires data controllers to sign a Data Processing Agreement with any parties that act as data processors on their behalf. This is why all our stakeholders are obligated to sign our standardized Data Processing Agreement in order to access the platform. All our DPAs are subject to annual reviews to ensure the appropriate technical and organizational measures are used to protect the security of our clients’ data.

Transfer Impact Assessment (TIA)

Since our software is running on Microsoft Azure (hosted in the EU) using EU Standard Contractual Clauses (SCC), we need to conduct ongoing TIAs in order to comply with GDPR regulations. The purpose of this Transfer Impact Assessment is to assess and document the legality of our ongoing or planned transfers of personal data to third-party countries. The transfers must take place in accordance with the relevant rules in the Data Protection Regulation and the European Court of Justice Schrems II ruling. In our case, the TIA is audited annually and our data is encrypted by a third-party vendor as a supplementary transfer tool initiative.

Consent Forms and Model Contracts

Our team of lawyers also developed custom-made Consent Forms and Model Contracts in order to secure valid documentation from all types of participants. This includes specific employee forms to handle internal staff sign-offs where a normal Consent Form is not valid. The forms are also available in 5 different languages to accommodate participants across most regions.

Please reach out if your legal team needs access to any of the documentation mentioned above.

Email us if you need a more detailed technical description.