Customer happiness is our highest priority at Tallie, and this extends beyond our products and into the protection of our customers' data. While we already maintain the strictest data protection and privacy policies for our customers, the GDPR requires additional processes to be implemented to maintain compliance. With the massive scope of changes required to comply with the General Data Protection Regulation, we know that many organizations may have questions about their new obligations under the GDPR.
On this page, we'll explain our methods and plans to achieve GDPR compliance, both for ourselves and for our customers.
The EU General Data Protection Regulation (GDPR) is the most comprehensive EU data privacy law in decades and will go into effect on May 25, 2018. Besides strengthening and standardizing user data privacy across the EU nations, it will require additional obligations for all organizations that handle EU citizens' personal data, regardless of where the organizations themselves are located.
The new regulations are designed to better reflect the interconnected nature of our world regarding consumers' right to privacy, the protection of personal data, and business usage of personal data across the European Union.
Keeping our customers' data secure is one of the many ways we keep our customers happy. The recent advances with the GDPR and the streamlining of data protection requirements across Europe have provided an opportunity for us to make changes to how we handle and process our data. While our existing security and privacy programs provide our customers with the highest security standards, the added layer of GDPR compliance will give our customers increased peace of mind.
Additionally, the Tallie Legal and Privacy teams have carefully analyzed the GDPR and have taken the necessary steps to ensure we comply with the regulation, including:
In addition to these specific objectives, we will continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies and will adjust our plans accordingly.
Certify, Inc. has partnered with TrustArc to assist in our compliance efforts. TrustArc (formerly TrustE) is considered the foremost GDPR compliance expert in the privacy industry. All TrustArc consultants are former Chief Privacy Officers, have completed the EU-US Privacy Shield Verifications, and many have worked personally with European Union officials and working groups on GDPR specifics since the reform was created.
With this trusted partner guiding our compliance process, we're on track to achieve GDPR compliance before the May 25, 2018 deadline.
The EU General Data Protection Regulation (GDPR) is the most comprehensive EU data privacy law in decades and will go into effect on May 25, 2018. Besides strengthening and standardizing user data privacy across the EU nations, it will require new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.
Yes. Certify, Inc. is undertaking GDPR compliance for its brands including Certify, Nexonia, Tallie and Certify Travel.
Yes. Efforts are in full swing, and we are in an excellent position for achieving compliance by the May 25th deadline. Some aspects of compliance are already complete, and customers may already be seeing portions of it come online now.
Here at Certify, Inc., we have partnered with TrustArc to assist in our compliance efforts. TrustArc (formerly TrustE) is considered by many to be the foremost GDPR compliance expert. All TrustArc consultants are former Chief Privacy Officers, and many have worked personally with European Union officials and working groups on GDPR specifics for some time now.
Certify, Inc. is offering customers and prospects a robust Data Processing Agreement (“DPA”), which governs the relationship between the customer (acting as a data controller) and Certify Inc. (acting as a data processor). The DPA facilitates our customers’ compliance with their obligations under EU data protection law. Our DPA is a key requirement for compliance with the GDPR. Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Certify, Nexonia and Tallie, which are systems that are hosted outside of the European Union. Such data transfers require the foundation of one of three mechanisms: our Binding Corporate Rules, our Privacy Shield certification, or Standard Contractual Clauses.
The Certify, Nexonia and Tallie products provide our customers compliance with high security standards, such as strong encryption of data, auditing standards (PCI DSS, SOC 2, Privacy Shield), regular vulnerability scanning and penetration testing, and regular review of our security policies and procedures. In some ways GDPR overlaps with other standards, but is different in that there is currently no such thing as GDPR “certification.” GDPR “compliance” is the goal, and other security standards and certifications serve as excellent starting points for pursuing GDPR compliance.
We make security and compliance documents available to current customers and sales prospects through our own Mutual-NDA Security Documents Portal. The GDPR Data Processing Agreement will become available as a contract addendum, and our current plan is to require all customers and prospects to agree to our DPA. We may also offer a simple waiver that customers with no EU nexus can sign instead of our DPA.
We offer a simple waiver that customers with no EU nexus can sign instead of our DPA. However, it should be noted that customers who sign such a waiver would be choosing to retain all responsibilities for compliance with the GDPR. We recommend that all customers sign the DPA so that our GDPR compliance can benefit their organization. Should the customer choose to sign the waiver, they can request a waiver form by emailing Contracts@certify.com and putting "GDPR waiver" in the subject line.
No. There is no change in how Tallie will process or store customer data. If anything, Tallie has enhanced its security measures and granted additional rights to its customers for managing their data and privacy.
Customer data is processed within the US and Canada.
Most likely this customer has downloaded the DPA in Word. The conversion from PDF to Word disturbs the formatting and numbering. Customers must download the PDF as is.
The automated process does not generate a fully executed version of the DPA. However, customers may download the PDF version after accepting it, countersign the DPA, and email a copy to their Account Manager for the company's records.
The DPA is only available in a read-only PDF format.
There are no cons. The pro is that, if and when a customer's employee/user travels to the EU, the data transfer will be covered by the DPA.
No. The service will not be terminated or suspended, but we urge all customers to cooperate and sign either the DPA or the waiver.
Additional GDPR resources can be found here:
As always, please feel free to contact your Account Manager or Support team with any questions or concerns you may have. Alternatively, you may contact us here.
This page is intended to provide helpful guidance to Tallie customers on the GDPR, not a comprehensive solution or legal advice. Each organization should undertake its own steps to ensure compliance with the new regulation.