Last Revised: August 29, 2024
Introduction to GDPR
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a comprehensive European privacy law adopted by the European Parliament and the Council of the EU in April 2016 and applicable since May 25, 2018. It replaces the previous Directive 95/46/EC and sets a single standard for data protection and privacy across the EU and EEA. GDPR strengthens individual rights and gives people greater control over their personal data, while harmonizing the rules that businesses handling EU residents' data must follow, including businesses based outside Europe.
Core Data Protection Principles
At Classified Billing, we adhere to the following GDPR principles to ensure your data is handled responsibly:
- Fair and Transparent Processing: We collect and process personal data in a manner that is fair, lawful, and transparent, ensuring it is used only in ways you would reasonably expect.
- Purpose Limitation: Personal data is collected for specific, legitimate purposes and is used solely for those purposes. We clearly communicate why we need your data at the time of collection.
- Data Minimization: We only gather data that is necessary for the purposes we have identified, ensuring that excess data is not collected.
- Data Accuracy: We strive to keep your personal data accurate and up-to-date, with mechanisms in place for correction when necessary.
- Storage Limitation: Personal data is retained only as long as needed to fulfill the purpose for which it was collected.
- Data Security (what GDPR calls integrity and confidentiality): We implement appropriate technical and organizational measures to protect your data from unauthorized access, alteration, or loss.
Why GDPR Matters
GDPR introduces stringent requirements for protecting personal data and increases penalties for non-compliance. It reflects our commitment to safeguarding your privacy and aligns with our values of integrity and transparency. At Classified Billing, we believe in exceeding these regulatory standards to ensure your data is always handled with the highest level of care.
Data Processing Addendum (DPA)
For customers who process personal data of EU residents through our service, we provide a Data Processing Addendum (DPA) written to cover the processor obligations GDPR sets out in Article 28. The DPA is incorporated into our Terms of Service and applies to every customer automatically. Due to resource constraints we do not sign individually negotiated DPAs; the standard DPA is the one that governs our processing.
Training and Awareness
Our privacy team, led by our Data Protection Officer (DPO), oversees GDPR compliance across the business. It includes representatives from Marketing, Engineering, and People Operations, meets regularly to track progress and GDPR readiness, and keeps staff trained and informed about data protection practices.
Consent and Cookie Policy
We have revised our cookie policy to be fully transparent about the cookies set on our website. Review it to learn what each cookie is used for and how to manage cookies through your browser settings.
Data Inventory and Protection
We have completed a thorough review of our data collection and processing activities: cataloguing the personal data we hold (including cookies and support conversations) and verifying the legal basis for each processing activity. Our Privacy Policy describes these practices and how we obtain and manage consent.
Third-Party Vendor Compliance
We are reviewing our third-party vendors (sub-processors) to confirm they meet GDPR standards. Many already offer GDPR-compliant DPAs; others, like us, incorporate their DPA into their Terms of Service.
Transparent Terms of Service and Privacy Policy
Our updated Terms of Service and Privacy Policy clearly outline how we collect, use, share, and store your personal data. We prioritize transparency and clarity, making sure our documentation is easily understandable and accessible.
Rights of Data Subjects – Access, Portability, and Deletion
We are committed to facilitating the rights individuals have under GDPR, including access to their personal data, correction (rectification), portability, and deletion (erasure). Personal data is processed and stored with our vetted, GDPR-compliant vendors. We retain personal data only as long as it is needed for the purpose it was collected for, and for no longer than 6 years; when an account is deleted, its data is disposed of within 60 days.
Risk Assessment and Data Protection Impact Assessments (DPIAs)
We conduct regular Data Protection Impact Assessments (DPIAs) to identify and mitigate risks to individuals arising from our processing of personal data, as GDPR requires for processing that is likely to involve high risk. Our engineering team evaluates changes in data handling practices to minimize risk and maintain compliance.
Breach Management
We have established a comprehensive breach management and communication plan designed to meet GDPR's notification requirements: where we act as a processor, notifying the affected customer (the controller) without undue delay; notifying the relevant supervisory authority within 72 hours of becoming aware of a reportable breach; and informing affected individuals without undue delay where the breach is likely to result in a high risk to their rights.
Contact Us
We are here to address any questions or concerns about our GDPR compliance and data protection practices. Feel free to reach out to us for assistance.