xbesh Built with xBesh
GDPR Compliance

Xbesh has consistently upheld its users' rights to data privacy and protection. Throughout the years, we have demonstrated our unwavering commitment to this principle by surpassing industry standards. There is no necessity for us to gather and process users' personal information beyond what is essential for the proper functioning of our products, and this policy remains steadfast. Xbesh nurtures a culture that prioritizes privacy, and GDPR serves as an occasion for us to fortify this commitment even more.

What is GDPR?

GDPR is a comprehensive privacy and data protection law applicable across the European Union, governing the protection of data belonging to EU residents. This regulation establishes guidelines for companies on how they handle and safeguard the personal data of individuals in the EU, providing residents with increased control over their own data.

The GDPR holds relevance for any internationally operating entity, extending beyond businesses solely based in the European Union and encompassing customers globally. The significance of our customers' data is paramount, regardless of their geographical location. Hence, we have instituted GDPR controls as the foundational standard governing all our global operations. The GDPR came into effect on May 25, 2018.

What is personal data?

Personal data is any information that is connected to a person and can identify them. GDPR protects a wide range of information that, either on its own or when combined with other details, can reveal a person's identity. It's not just about names or email addresses; it includes things like financial details, political opinions, genetic and biometric data, IP addresses, where you live, and even personal characteristics like sexual orientation and ethnicity."

How prepared is Xbesh for GDPR?

We have taken comprehensive measures to align with this recent regulation.

  • We've conducted extensive internal discussions, ensuring that our team is well-versed with GDPR guidelines. Our employees have undergone training to handle data responsibly, recognizing the significance of information security and the stringent GDPR standards.

  • We've meticulously evaluated each Xbesh product against GDPR requirements, implementing new features to empower you with greater control over your data and simplify the process of achieving GDPR compliance.

  • We have established an Information Asset Register (IAR), encompassing details of Xbesh's roles, including those of data controller and processor. The register provides comprehensive insights into the various categories of personal data processed by our organization, specifying which department accesses specific data and for what purpose. It encompasses all our processes and procedures.

  • We've conducted assessments of our sub-processors (third-party service providers, partners) and optimized the contract process to ensure their compliance with current security and privacy standards.

  • We've appointed internal privacy champions for each Xbesh team and designated a Data Protection Officer (DPO) to oversee privacy-related matters.

  • Our application teams have adopted the privacy by design concept, offering you increased control over the data stored in our systems. These provisions may vary depending on a product's characteristics and domain. We consistently strive to introduce further enhancements, which will be phased in over time.

  • We have revised our Data Processing Addendum (based on Model Contractual Clauses) to align with GDPR's data processing requirements.

  • If you are the organization administrator and wish to execute a DPA with us, please email [email protected] to request a copy of the Data Processing Addendum, specifying the Data Center where you've registered your Xbesh account.

  • We have conducted Data Protection Impact Assessments (DPIA). Based on the findings, we have implemented appropriate controls on data processing and management.

  • We conducted comprehensive internal assessments of Xbesh's products, processes, operations, and management. The findings derived from these audits were duly communicated to our teams, who diligently devised and implemented resolutions for the identified issues.

  • Drawing from Data Protection Impact Assessments (DPIAs) and internal audits, we fortified our data security methodologies and protocols. This involved the encryption of data at rest, conducted in alignment with the sensitivity levels and potential risk factors associated with the information. Moreover, we engineered proprietary tools in-house to enhance governance and expedite data discovery processes.

  • To ensure the utmost accuracy and relevance of our databases, a meticulous cleansing initiative was undertaken. This process rigorously adhered to our Terms of Service, encompassing the removal of obsolete, terminated, and inactive accounts.

  • As per our internal Privacy Incident Response policy, in the event of a breach, Xbesh will adhere to stringent notification procedures. Notification to customers regarding any breach occurrence will be executed promptly within 72 hours subsequent to Xbesh's awareness of the incident. In cases of general incidents, users will be informed through our public channels including blogs, forums, and social media platforms. However, for incidents affecting individual users or specific organizations, the concerned parties will be duly notified via email, utilizing their primary email addresses.

  • Concurrently, Xbesh has diligently revised its Privacy Policy to seamlessly integrate the requisites mandated by pertinent privacy laws. This revision has been structured upon a comprehensive analysis of our data inventory, data flows, and the practices governing data handling.

What is GDPR?

The General Data Protection Regulation (GDPR) enacted by the EU marks a significant shift in data protection and privacy regulations. Recognizing the substantial advancements in technology over recent decades, the EU identified the need to modernize privacy laws. Consequently, in 2016, regulatory authorities within the EU made the decision to revamp the existing Data Protection Directive to better align with contemporary circumstances. This updated law establishes a robust framework of rules governing the handling and processing of personal data belonging to residents within the EU.

Who does it apply to?

The GDPR is applicable to any entity that handles the personal information of individuals residing in the EU. It brings forth fresh responsibilities for those managing data, specifying distinct obligations for data processors and underscoring the accountability of data controllers.

Where does the GDPR apply?

The reach of this legislation isn't confined by geographical borders. Irrespective of your organization's location, if you handle the personal information of individuals within the EU, you fall within the scope and authority of this law.

What are the penalties for non-compliance?

Violation of the GDPR can result in penalties of up to 4% of your company's worldwide annual revenue or €20 million, whichever amount is higher.

Who are the key stakeholders?

Data Subject: An individual living in the EU whose data is being handled or processed.

Data Controller: The entity that decides why and how data is processed.

Data Processor: The entity that processes data as directed by the controller.

Supervisory Authorities: Public bodies responsible for overseeing and enforcing compliance with the regulation.

What is personal data or Personally Identifiable Information (PII)?

Any data that pertains to a specific person or can be used to identify that individual is considered personal information. Identifiers are divided into two categories: direct identifiers, such as name, email, and phone number, and indirect identifiers, such as date of birth and gender, which, although not directly identifying, can be used in combination to identify an individual.

What are the key changes from the previous regulations?
  • New & enhanced rights for data subjects This legislation grants individuals increased control over their personal information. Some of the highlighted rights in this regulation include

  • Explicit consent refers to the requirement that individuals must be clearly informed about how their personal data will be used by organizations. Additionally, entities must ensure that individuals can easily retract or withdraw their consent, just as easily as they provided it initially.

  • The right to access means that individuals have the privilege to request information from the controller regarding the personal data held or maintained about them at any given moment.

  • The right to be forgotten allows individuals to ask the controller to erase or delete their personal information from the controller's systems upon request.

  • Obligations of the processors The GDPR has increased the obligations and legal responsibilities for data processors. They are required to showcase their adherence to GDPR regulations and strictly follow the directives provided by the data controller.

  • Data Protection Officer Organizations might be required to designate an internal employee or an external entity to manage GDPR adherence, ensure overall privacy compliance, and supervise data protection practices.

  • Privacy Impact Assessments (PIA) Businesses are obligated to perform assessments on the potential privacy impacts arising from significant data processing activities. These evaluations aim to reduce associated risks and establish measures to alleviate them.

  • Breach notification Upon discovering a breach, controllers are required to inform relevant parties, such as the supervisory authority and, when relevant, the individuals affected by the breach, within a 72-hour timeframe.

  • Data portability The entity in charge (controller) should offer individuals their personal data in a format that can be easily read by machines. Additionally, if feasible, the controller should enable the transfer of this data to another controller upon request.

What are the lawful bases the data controller can use to process customer data?

The data controller has six options available when determining the legal grounds for processing data.

The Contract basis is used when processing a customer's personal data is necessary to meet your obligations or to carry out actions requested by the customer, such as sending quotations or invoices.

Legal Obligation refers to the basis for processing data when there's a requirement to adhere to a legal mandate under relevant laws. This could involve providing information in response to legitimate requests, such as those stemming from an authority's investigation.

Vital Interests is applicable in critical situations related to matters of life and death, particularly concerning health data.

Public Task is relevant to actions carried out by public authorities as part of their official duties or responsibilities.

Legitimate Interests refer to valid reasons for processing personal data, which could involve commercial interests like direct marketing, an individual's interests, or wider societal advantages. The controller is required to record and maintain documentation regarding decisions made based on legitimate interests through a Legitimate Interests Assessment.

Consent as a lawful basis for data processing refers to the voluntary, clear, specific, and informed agreement given by the data subject. It involves an explicit indication or affirmative action demonstrating the individual's approval for the processing of their personal data.

What is LIA?
  • LIA stands for Legitimate Interests Assessment. It outlines why an organization intends to process a customer's personal data. The organization must perform an LIA to demonstrate the essentiality of the processing.

  • The evaluation to determine if a valid reason or justification exists.

  • Determining and confirming the essentiality of carrying out the data processing.

  • Conducting an assessment to weigh and evaluate different factors or interests involved.

Does the GDPR require EU personal data to stay in the EU?

The GDPR does not mandate that European Union (EU) personal data must exclusively remain within the EU borders. It also doesn't impose additional limitations on the transfer of personal data outside the EU. Our data processing addendum, referencing the European Commission's model clauses, remains instrumental in aiding our customers to smoothly manage the transfer of EU personal data outside the EU.