Since May 25, 2018 (and even beforehand) Paperturn has been compliant with the GDPR. The General Data Protection Act (GDPR) is the most significant piece of European data protection legislation introduced in the European Union (EU) in 20 years, and replaces the 1995 Data Protection Directive. The GDPR enhances European individual's privacy rights and places significantly enhanced obligations on organisations which handle data. At Paperturn, we are 100% committed to the GDPR.
Yes. As a company headquartered in Denmark, Paperturn is both EU GDPR Compliant and UK GDPR Compliant, and will continue to comply with both regulations on an ongoing basis.
Our legal and privacy teams regularly monitor and review our practices in order to ensure ongoing and full compliance with the GDPR, including:
Reviewing and strengthening our security infrastructure and best practices, data encryption in transit and at rest, backup, logs, and security alerts.
Conducting and reviewing risk assessments and data mapping processes (TIAs, Data Flows, Data Deletion Roadmaps etc.) on an ongoing basis to ensure proper management of personal data in accordance with the GDPR’s requirements.
Providing a comprehensive Legal Portal, including our Privacy Policy to help users understand how we collect and process data and how they can exercise their data rights.
Providing an easy process for users to exercise their data subject rights in accordance with the GDPR, CCPA and other privacy legislations.
Ensuring all of our sub-processors are GDPR compliant and that appropriate contractual agreements such as Data Processing Addendums (DPAs) and Standard Contractual Clauses (SCCs) are executed, where necessary.
Revised our Data Processing Addendum (DPA) to ensure the protection of personal data, according to customary industry standards, and such appropriate lawful mechanisms and contractual terms in compliance with the GDPR, following the invalidation of the Privacy Shield Framework.
Allowing our customers to enter into Standard Contractual Clauses (SCCs) adopted by the European Commission on June 4th, 2021 (both controller-to-processor and processor-to-processor) for the international transfers of personal data, including an Annex intending to cover transfers of personal data from the UK to third countries (see Annex III). We have supplemented the SCCs with Additional Safeguards (see Annex IV) to further strengthen the rights of Data Subjects.
Regularly performing security and privacy assessments of our sub-processors to ensure their adherence to GDPR principles.
Designating a representative in the UK and appointing an in-house Data Protection Officer (DPO) for monitoring and advising on Paperturn’s ongoing privacy and data protection compliance, and serving as a point of contact in relation to data protection and privacy matters for individuals and supervisory authorities.
Having procedures for handling suspected breaches concerning personal data, limiting use, as well as disclosure and retention of personal data, and regularly conducting privacy training for all relevant members of our staff.
Paperturn hosts its customer data on Amazon Web Services (AWS) data centres across Europe. We also host a small portion of customer data on dedicated servers with Hetzner in Germany.
Although Paperturn strives to use sub-processors located within the EU, some of our sub-processors are located outside of the EU. To comply with European Union data protection laws around international data transfer mechanisms, we offer European Union Model Clauses, also known as Standard Contractual Clauses (SCCs), to meet adequacy and security requirements for our customers who operate in the European Union and the United Kingdom.
Additionally, we are regularly performing security and privacy assessments of our sub-processors to ensure their adherence to GDPR principles, including, but not limited to, Transfer Impact Assessments (TIAs), security reviews and privacy assessments.
Business customers may need to sign a Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) with Paperturn to assist in their GDPR compliance. The Data Processing Agreement can be signed and executed here. The Standard Contractual Clauses are automatically incorporated into the executed DPA.
We certainly do. Our DPO sits in-house, at the highest level of Paperturn’s organisation, ensuring timely and intimate knowledge of Paperturn's data flows and security procedures.