GDPR FAQ

What is GDPR?

GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018. GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.

Our policy is to respect all laws that apply to our business and this includes GDPR. We also appreciate that our customers have requirements under GDPR that are directly impacted by their use of Planbox products and services. We are committed to helping our customers stay in compliance with GDPR and their local requirements.

Does Planbox process personal data?

Yes. We process personal data to respond to any inquiries, to provide access to our products, deliver our services and for other purposes as outlined in our Privacy Policy.

Does Planbox make commitments to its customers with regard to the GDPR?

Yes. GDPR requires that controllers (such as organizations using Planbox’s cloud-based innovation management platform) only use processors (such as Planbox) that provide sufficient guarantees to meet key requirements of the GDPR. Planbox has taken the proactive step of providing these commitments to all customers as part of its agreements. As part of our commitment to GDPR compliance, we have updated our Privacy Policy.

What is Planbox doing to comply?

Planbox’s GDPR Terms reflect the commitments required of processors in Article 28. Article 28 requires that processors commit to:

  • Where we are transferring data outside of the EU, Planbox commits to having the appropriate data transfer mechanisms in place as required by GDPR.
  • Planbox commits to follow appropriate security measures and precautions in accordance with GDPR.
  • Only use subprocessors with the consent of the controller and remain liable for subprocessors.
  • We will hold any subprocessors that handle personal data, including our data center partners, to the same data management, security, and privacy practices and standards to which we hold ourselves.
  • Process personal data only on instructions from the controller, including with regard to transfers.
  • Ensure that persons who process personal data are committed to confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk.
  • Assist controllers in their obligations to respond to data subjects’ requests to exercise their GDPR rights.
  • Planbox will assist with notifying regulators of breaches and promptly communicating any breaches to customers and users to fully meet the breach notification and assistance requirements.
  • Assist controllers with data protection impact assessments and consultation with supervisory authorities.
  • Delete or return personal data at the end of provision of services.
  • Support the controller with evidence of compliance with the GDPR.
  • We will ensure that Planbox employees and consultants authorized to process personal data have committed to confidentiality.
  • Where appropriate, we will offer contractual language such as a Data Protection Addendum (DPA) documenting our commitments to our customers to support their GDPR obligations.
  • Planbox will assist our customers, insofar as possible, to respond to data subject requests our customers may receive under the GDPR.

Does GDPR require me to move my data to the EU data center?

Planbox has multiple data centers, including one in the EU; you can choose from the available plans for options. However, GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on the transfer of personal data outside the EU. GDPR only mandates that such transfers be legitimized through any of the mechanisms provided in the regulation. One way of legitimizing transfers is through Model Contractual Clauses. Planbox uses this method to legitimize data transfers.

Where can I find Planbox’s contractual commitments with regard to the GDPR?

You can find Planbox’s contractual commitments with regard to the GDPR in the GDPR section of Planbox’s online helpdesk at planbox.helpdesk.com. Planbox master service agreements include, or can be amended to include, the Data Protection Addendum (DPA) agreement, which provides Planbox’s core privacy and security commitments, data processing terms, Model Clauses, and our GDPR Terms. The GDPR Terms commit Planbox to the requirements on processors in GDPR Article 28 and other Articles of GDPR. The GDPR Terms are in the Data Protection Amendment document available from Planbox upon request. Planbox extends the GDPR Terms commitments to all customers, regardless of the applicable version of the customer’s Master Services Agreement and Terms.