What is GDPR?
Whom does GDPR cover?
Is Swordfish required to comply with GDPR?
What is Swordfish’s approach towards GDPR compliance?
Does Swordfish afford individuals some of the rights appearing in GDPR?
Who can exercise the rights in Swordfish’s privacy policy?
Are there aspects of GDPR that Swordfish does not follow?
Who is the point of contact within Swordfish that can answer my questions about GDPR compliance?
Last Updated: June 28, 2021
What is GDPR?
“GDPR” stands for the European Union’s General Data Protection Regulation. The GDPR is intended to harmonize data protection (data privacy and security) law within the countries of the European Union (EU). The GDPR also applies to countries in the European Economic Area (EEA), which include EU member states as well as Iceland, Liechtenstein, and Norway. The GDPR protects the privacy and security of personal data of individuals located in EEA member states. The GDPR has had worldwide influence on data protection laws in other countries and regions of the world.
The GDPR establishes fundamental data protection principles such as:
- Integrating data protection into a product or service “by design”
- Fairness of data protection
- Transparency – providing clear notice of data protection practices
- Purpose limitation – using personal data for disclosed purposes and not for other, undisclosed purposes without an additional basis, such as an individual’s consent
- Data minimization – minimizing the amount of personal data collected and keeping personal data for only so long as it is needed
- Accuracy – facilitating updates and corrections to personal data
- Security – using appropriate technical and organizational measures to ensure a level of security for personal data appropriate to the risk
- Accountability – offering complaint and dispute resolution mechanisms to make sure the business is accountable to individuals whose personal data is collected
Whom does GDPR cover?
- Businesses that process personal data and are located in the EU. Since the EEA has made the GDPR applicable there, businesses that process personal data and are located in Iceland, Liechtenstein, or Norway would also fall under the GDPR.
- Businesses that process personal data, regardless of their location, that offer goods or services to individuals located in the EU or EEA.
- Businesses that process the personal data of individuals located in the EU or EEA and monitor the behavior of individuals that takes place in the EU or EEA.
Also, businesses that directly or indirectly import personal data from EEA countries may have to comply with contracts that impose GDPR-level protections on personal data brought to countries without a decision of the European Commission deeming their data protection laws equivalent to the GDPR. For these importing companies, the GDPR applies by contract, rather than public law.
Is Swordfish required to comply with GDPR?
No. Swordfish is not required to comply with GDPR for four reasons:
- It is a US-based company whose processing activities take place within the US, and not in a member state of the EEA.
- Swordfish does not direct its marketing efforts to EU or EEA member states to offer goods or services to individuals located in the EU or EEA.
- Swordfish does not monitor the behavior of individuals located in EU or EEA member states (or individuals located in any other countries for that matter).
- Swordfish has not been required by contract (or any other personal data transfer mechanism) to impose GDPR-level privacy or security standards to personal data of individuals located in the EU or EEA.
What is Swordfish’s approach towards GDPR compliance?
Although Swordfish is not required to comply with the GDPR, Swordfish recognizes that data protection is important to individuals around the world and that the GDPR establishes a number of “best practices” relating to handling of personal data. Swordfish has voluntarily adopted some of the principles mandated by the GDPR to offer robust data protection practices to our customers and business contacts. Specifically, Swordfish adheres to the following GDPR principles:
- Data protection “by design”: Swordfish focuses on data protection in maintaining and updating its service.
- Fairness: Swordfish established a privacy policy that it believes fairly addresses the rights of individuals and Swordfish’s responsibility for stewardship of the personal data to which it has access.
- Transparency: Swordfish’s privacy policy provides notice of its data protection practices to explain in detail what kinds of personal data it collects, how it uses that personal data, and its practices in sharing and disclosing personal data.
- Purpose limitation: Swordfish limits its personal data processing to operations involved with providing its service to help customers find business profile information of individuals they seek in order to interact with them; Swordfish does not use personal data for any other purposes.
- Data minimization: Swordfish only has access to the personal data it needs to provide the service and deletes personal data after it no longer has a business purpose for retaining such personal data.
- Accuracy: Swordfish offers mechanisms to allow individuals to update and correct their personal data.
- Security: Swordfish is committed to reasonable and appropriate administrative, physical, and technical safeguards for personal data in its database in light of the nature of personal data to which Swordfish has access.
- Accountability: Swordfish is also committed to resolving disputes about privacy and security as described in its privacy policy.
Does Swordfish afford individuals some of the rights appearing in GDPR?
Yes. Under Swordfish’s privacy policy, you have the following rights, which the GDPR also affords:
- The right of access: you may access the personal data that Swordfish possesses about you, which helps in updating or correcting incorrect personal data.
- The right of rectification: Swordfish will update or correct personal data about you upon your request, with some exceptions under applicable law.
- The right of opt out and the right to deletion: Swordfish will, upon your request, prevent your business profile from being shown to users of the service or delete personal data about you, again, with some exceptions under applicable law.
- The right of data portability: when you access the personal data that Swordfish possesses about you, Swordfish can, upon request, provide the personal data in electronic format, which would allow you to provide your personal data to another service provider.
Who can exercise the rights in Swordfish’s privacy policy?
Any individual whose personal data is held or accessible by Swordfish can exercise the rights afforded by the Swordfish privacy policy. That includes individuals whose business profiles are accessible through Swordfish’s service as well as Swordfish users.
Are there aspects of GDPR that Swordfish does not follow?
Yes. Examples include the following:
- Swordfish does not have access to “special categories” of sensitive personal data provided heightened protection under the GDPR; therefore, Swordfish does not address special categories of sensitive personal data in its compliance program.
- Swordfish does not make automated decisions about any individuals and therefore does not address automated decision-making in its data protection program.
- Swordfish does not place restrictions on the transfer of personal data by users across national borders.
Who is the point of contact within Swordfish that can answer my questions about GDPR compliance?
Our point of contact for answering GDPR-related questions is Ben Argeband, who is the officer of our company in charge of data protection.
If you have any questions, comments or concerns about Swordfish’s data protection practices in relation to the GDPR, please contact our data protection officer by email at contact@swordfish.ai. You may also exercise rights or submit a complaint under the Swordfish Privacy Policy by sending an email to the same address.