Introduction
The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018.
The regulation aims to standardize data protection laws and processing across the EU, giving people greater rights to access and control their personal information.
Under the regulation, all businesses are categorized as a Controller, a Processor or both, depending on the nature of the business. Commercient is categorized as a Processor. We sync or transfer data between ERP and CRM upon the instruction of the Customer, who is the Controller of their data.
Our Commitment
Commercient takes the rights of an individual very seriously. As a Processor, we have taken a stance to protect an individual’s data by ensuring enhanced security for individual data at rest and encryption for data in transit.
Commercient is defined as a Processor (see GDPR definitions). Commercient processes data from a source database to a destination database, as an online service, and we control all of our technology platforms. Commercient’s customers, namely you, are defined as a Controller (see GDPR definitions). You, the Customer, control your customers’ personal information in the databases in your possession and under your control (i.e. ERP, CRM, E-commerce, etc.), and it is your responsibility, upon request from your Customers, Suppliers, Employees or other Stakeholders, to remove their personal data from any of the databases under your control.
Commercient is a reactive service agent and we only process the data that exists in a source database. Commercient does not evaluate or analyze the data we process. If you have removed the personal information of a person or customer in a database that you control as per your GDPR compliance processes, it stands to reason that no information will be processed by Commercient from your source databases to your destination databases.
If you delete a record in the database that you control, you acknowledge that you have removed any and all records of a person’s personal information from your databases. If the information does not exist in your databases, it will not exist on our servers. If you find that you need to remove data from any of your databases (i.e. ERP, CRM, E-commerce, etc.), use the tools in the respective database to remove the data, and validate that the data has been removed in the target sync system too. If you require assistance with the deletion of a record, or the record cannot be deleted due to database constraints of the source or destination systems, please contact Commercient support for assistance.
Personal Data
Personal Data means any information relating to an identified or identifiable natural person that is processed by the Provider; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Commercient. Commercient does not evaluate the data to determine whether it contains Personal Data, but processes all data as though it contained Personal Data.
Commercient will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written or verbal instructions. Commercient will not process the Personal Data for any other purpose or in a way that does not comply with the Data Protection Legislation.
Commercient will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Commercient to process or disclose Personal Data, Commercient will inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice. Commercient will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation.
Commercient employees are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data. Our employees have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and are aware both of our duties and their personal duties and obligations under the Data Protection Legislation.
Commercient takes reasonable steps to ensure the reliability, integrity and trustworthiness of employees and we conduct background checks consistent with applicable law on all of our employees with access to the Personal Data.
Our Practices
Commercient has a consistent level of data protection and security across our organization and has introduced measures to address GDPR compliance.
- In the highly unlikely event of a data breach, we have well-defined processes to notify the Controller of the affected information within 72 hours of learning of the breach.
- We have revised our Privacy Policy to comply with the regulation, to ensure customers are aware of our role as a Processor.
- We have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions, a clear notice of and method for opting out, and unsubscribe features on all subsequent marketing materials.
Information Security and Technical and Organizational Measures
Commercient implements appropriate technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
Commercient’s security measures, which ensure a level of security appropriate to the risk involved, include, as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of security measures.
Personal Data Breach
Commercient will promptly and without undue delay notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Commercient will, immediately or within 72 hours of learning of the breach and without undue delay, notify the Customer if it becomes aware of:
- any accidental, unauthorized or unlawful processing of Personal Data; or
- any Personal Data Breach.
Where Commercient becomes aware of a data breach, it will provide the Customer with the description of the nature of the breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned and a description of the measures taken, or proposed to be taken.
Immediately following any unauthorized or unlawful Personal Data processing or Personal Data Breach, the parties will coordinate with each other to investigate the matter. Commercient will reasonably cooperate with the Customer in the Customer’s handling of the matter, including:
- assisting with any investigation;
- facilitating interviews with stakeholders involved in the matter;
- making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
- taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
Cross border transfers of personal data
Commercient will not transfer or otherwise process Personal Data outside the European Economic Area (EEA) without obtaining the Customer’s prior written or verbal consent.
Subcontractors
Commercient may authorize a third party (subcontractor) to process the Personal Data. Amazon Web Services, Salesforce, Sugar, Zoho, Magento, Microsoft and Zapier are some of Commercient’s processing subcontractors. The Customer is provided with an opportunity to object to the appointment of each subcontractor within 2 days after Commercient supplies the Customer with full details regarding such subcontractor.
Complaints, data subject requests and third party rights
Commercient will take such technical and organizational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
- the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.
Commercient will notify the Customer immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
Commercient will notify the Customer within 10 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
Commercient will give the Customer its full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request. The Customer controls the personal data in the databases in its possession and under its control (i.e. ERP, CRM, E-commerce, etc.), and it is the Customer’s responsibility, upon request from its Customers, Suppliers, Employees or other Stakeholders, to remove their personal data from any of the databases under its control.
Audit
If a Personal Data Breach occurs or is occurring, or Commercient becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Legislation, Commercient will:
- promptly or within 5 days of the triggering event, conduct its own audit to determine the cause;
- produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
- provide the Customer with a copy of the written audit report, at Commercient’s discretion; and
- remedy any deficiencies identified by the audit within 30 days.
At the Customer’s written request, for due cause, at the current service fee rate, and at Commercient’s discretion, Commercient will:
- conduct an information security audit before it begins processing any Personal Data;
- produce a written report that includes detailed plans to remedy any security deficiencies identified by the audit;
- provide the Customer with a copy of the written audit report, at Commercient’s discretion; and
- remedy any deficiencies identified by the audit within 30 days.