GDPR

General Data Protection Regulation

General Data Protection Regulation (GDPR) is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents. It is the most comprehensive EU data privacy law in decades and became effective on May 25, 2018.

Besides strengthening and standardizing user data privacy across the EU nations, it will impose new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.

GDPR is intended to offer protections for you or any identifiable natural person (the “Data Subject”) regarding your information (your “Personal Data”, “data”). You, as a Data Subject, have broad rights.

YOUR RIGHTS UNDER GDPR

Consent

Under GDPR, you opt in to have an organization (the “Data Controller”) collect your Personal Data.

Special Categories of Data

Unless specifically authorized, GDPR prohibits processing of certain special categories of data such as race, ethnicity, political and religious beliefs, sexual orientation, genetic, and biometric data. AptivIO does not acquire or process any data belonging to these categories.

Right of Access

If you consented to a Data Controller processing your Personal Data, you may then request the following:

  • A copy of your Personal Data undergoing processing
  • Purpose of processing
  • Categories of data processed (e.g., name, address, online browsing behavior)
  • Any third-party recipients of your Personal Data, whether backward or forward looking, especially recipients in third-party countries (i.e. countries outside of the EU)
  • Any third-party sources of your Personal Data (i.e. not collected from the Data Subject directly, for instance by purchasing said data from another source that previously collected the data directly)
  • How long such Personal Data would be stored, or if that is not determinable, how the length of this period would be determined
  • Data rectification
  • Data erasure
  • Restriction of data processing
  • Objection to data processing

Right to Rectification

You, as a Data Subject, have the right to have any errors or inaccuracies of Personal Data corrected. The Data Controller will implement requests without undue delay.

Right of Erasure

You, as a Data Subject, have the right to have your Personal Data erased or forgotten. The Data Controller will remove your Personal Data and confirm deletion via a notification to you. Data Controllers are also required to maintain these transactions.

Right to Data Portability

You, as a Data Subject, have the right to have your Personal Data exported and provided to you in complete form.

Breach Notification

In the event of a data breach in which your Personal Data is compromised, your Data Controller is required to notify you within 72 hours.

OUR COMMITMENT TO PROTECTING YOUR PERSONAL DATA

We are committed to partnering with customers and users to ensure that we are fully compliant with the requirements of GDPR. We recognize your rights under GDPR, and will ensure that these rights are honored and your Personal Data is protected.

Measures to achieve this include:

  • A new Data Processing Addendum depending on our relationship with you and the country in which you are domiciled
  • Additional investments in our security infrastructure
  • Appointment of a Data Security Officer
  • Support and maintenance of our Privacy Shield self-certification
  • New clarity on procedures for consent, data portability and privacy preference enquiries

We will continue to monitor the guidance around GDPR compliance from privacy-related regulatory agencies and services, and adjust our plans accordingly if that guidance changes.

International Data Transfers: Privacy Shield and Contractual Terms

To comply with EU data protection laws around international data transfer mechanisms, we self-certify under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to establish a way for companies to comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States.

In addition, we offer European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the EU.

DATA CONTROLLER VERSUS DATA PROCESSOR

Your Personal Data may enter our processing scope in multiple ways. We are either a Data Controller or a Data Processor under the GDPR. The way in which your Personal Data is obtained, who has control over that data, and who has the responsibility for protecting and administering your rights, determines whether we are a Data Controller or a Data Processor. This section describes our role as both a Data Controller and Data Processor, and explains how you can interact with us in either role.

Role of a Data Controller

When you interact with AptivIO via our marketing and sales development outreach programs as a website visitor or webinar participant, or by downloading assets, we act as the primary Data Controller from a GDPR perspective. In these cases, we are responsible for obtaining your consent and providing means for exercising your data rights.

Personal Data

  • Personal Data you submit during registration, such as your name, email, phone number, and address.

Consent

  • When you interact with web forms and similar registration pages at our website (or partners that we collaborate with), we will request explicit consent prior to you submitting your Personal Data.
  • When we contact you and you provide information to us, and you consent to our use of the information we obtained from you.
  • When your colleague from your organization volunteers your Personal Data to us via email, or other information channels. We will follow up to obtain consent using the email provided to us, or we will indicate in our email communication that we do not yet have consent but request that you provide us consent to continue our use of your personal data.

We ensure that any data we procure from third-party services is obtained by that third party after obtaining your consent.

If you have previously provided consent to collect your Personal Data, you may choose to withdraw that consent at a later point. Please send an email request to GDPR@aptiv.io and we will implement the request, and provide a confirmation of your consent withdrawal via a reply email to your email address. The acknowledgement email will also explain the consequences of withdrawing your consent.

Onward Transfers

We do not sell Personal Data to any other third-party organization. We do not transfer rights to Personal Data to any party or use the data other than for the original purpose it was obtained. Any transfer to a third party is solely intended for the processing of data and AptivIO has secured agreements with downstream Data Processors to protect Personal Data and enforce GDPR data rights for you.

Data Access

As part of GDPR you have the right to request your Personal Data be made available to you. We will provide:

  • All Personal Data that we have on record
  • How and when we obtained the data
  • Our use of your data
  • Whether any data was transferred to any other third party

To request this data, please contact GDPR@aptiv.io and we will respond within 30 days of your request.

Data Erasure, Accuracy, and Portability

You may submit a request via GDPR@aptiv.io to delete all data about you. We will comply with this request, but will use your email to send a confirmation notice that we performed the requested action.

You may submit a request via GDPR@aptiv.io to update Personal Data that we have about you. We will perform this, and will use your email to send a confirmation notice that we performed the requested action.

You may submit a request via GDPR@aptiv.io to obtain an export of all your data for data portability. We will provide this information via a CSV or JSON file. Such a report will include metadata such as when particular data was added and any updates to the data. This will include an audit trail of the data.

Data Breach Notification

We will notify you by email within 72 hours if your Personal Data was compromised via a breach. This includes any breach that was caused by a Data Processor that we have authorized to process your data.

Filing a Complaint

In the event that you are not satisfied with our resolution of your requests, you have the right to file a complaint. Please submit a request via GDPR@aptiv.io to file a complaint. You also have a right to file a similar complaint with a supervisory authority for the jurisdiction you are in and seek appropriate remediation.

Role of a Data Processor

To request your Personal Data, please send a request to GDPR@aptiv.io. For data processed by us, we will forward your request to your employer or the organization to which you provided the data (the Data Controller), who will then initiate a request to provide that information. Since our role is only that of a Data Processor, we will not be able to provide your Personal Data directly.

Consent

When we process and display your Personal Data, that data was acquired from your employer or our customer that you interact with. If it is Personal Data that you submitted to your employer, you provided consent to your employer to use that data for their business purposes. If it is Personal Data that our customer obtained in the process of conducting business with you or your employer, they rely on your consent to use the data for business purposes. To withdraw an earlier consent that you provided, contact your employer or the organization to which you provided the original Personal Data. We will not be able to alter your consent, as we are the Data Processor.

Data Breach Notification

In the event of a data breach, AptivIO, as a Data Processor, is required to notify your employer/organization that there was a data breach. Your organization will then notify you regarding the breach, its impact, and potential remedies. We will not notify you directly.

Data Erasure, Accuracy, and Portability

To request an export, erasure, or update of Personal Data held by AptivIO, please send a request to GDPR@aptiv.io. We will forward your request to your employer/organization, who will then initiate a request for us to complete it. Since our role is only that of a Data Processor, we will not be able to perform these actions directly.

LIST OF SUB-PROCESSORS

AptivIO, as a Data Processor, has engaged the services of the following sub-processors. Some or all of your Personal Data may be transferred to them. All such transfers are governed by Master Service Agreements that establish the scope of processing as well as the legal basis for such processing. We require sub-processors to perform the specified processing only for the purposes of delivering the services that are part of the agreement. To learn more about the GDPR initiatives of our sub-processors, please visit the web pages listed here.