Is Diffbot compliant with GDPR?

Starting on May 25, 2018, the European Union will begin enforcing the EU General Data Protection Regulation (GDPR) in an effort to strengthen the security and protection of the personal data of EU residents. The GDPR has different requirements depending on how your business interacts with personally identifiable information (PII).

Personal data means data which relate to a living individual who can be identified –

  1. from those data, or
  2. from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Data controllers are companies that supply goods or services to EU residents, or that track or monitor EU residents and decide why and how data is collected and processed. If you collect data about EU residents or you employ residents of the EU, you are considered a data controller under the GDPR. One of your requirements as a data controller is to work only with compliant data processors.

Data processors are vendors or businesses that process data on behalf of data controllers. As an intelligent systems platform and SaaS provider, Diffbot is considered a data processor when acting on your behalf.

Diffbot will be ready for the GDPR on May 25, 2018, when the law goes into effect. Below is a list of the commitments we make as one of your data processors:

  • A New Data Processing Agreement (DPA): Our new DPA reflects the additional requirements of the GDPR. Contact us at privacy@diffbot.com for more information.
  • Secure data transfer and storage outside the EU: Transfers of personal data outside the European Economic Area (EEA) are permitted as long as certain safeguards apply. Our DPA contains the EU Model Clauses, which are industry standard for data safety. This means that Diffbot agrees to protect any data originating from the EEA in line with European data protection standards.
  • Technical and organizational security measures: Diffbot takes a holistic, risk-based approach to security. This means the platform restricts and secures data access and provides continuous incident monitoring.
  • Processing according to controller instructions: We process data according to instructions from the data controller (our clients).
  • Prompt breach notifications: Diffbot will promptly inform you of any incidents involving your data.

As a data controller, you will be managing individuals’ requests to exercise their rights as defined by the Regulation. To help you comply with user requests related to the right to erasure (the right to be forgotten), the right to object (the various rights to halt certain processing), and the right to restrict processing (the right to restriction), Diffbot will support:

  • Deletion requests: We make it easy for you to honor requests related to the right to be forgotten. Just send an email to privacy@diffbot.com to request a deletion.
  • Automatic suppression: To help you comply with requests related to the right to object or restrict, any PII associated with a deletion request that you submit via email to privacy@diffbot.com will automatically be placed on a suppression list. For any PII on the suppression list, we will block all incoming personal data pertaining to that PII.

With regard to the additional rights defined in the GDPR, including the rights to access, data portability, and rectification, Diffbot enables you to:

  • Honor the rights to access and portability: Under the GDPR, EU residents have a right to access their personal data and are entitled to obtain their personal data in a commonly used format, such as a CSV file. Diffbot enables you to compile all data you have submitted or collected about a person and export it in a structured format, such as a CSV or JSON file.
  • Rectify user data: The GDPR also empowers individuals to correct any personal data that is deemed inaccurate or incomplete. Diffbot will update data about a user upon the request of a client submitted via email to privacy@diffbot.com. Data about the user will be suppressed until the requested changes are verified.

If you have any questions about the GDPR or want to learn how Diffbot helps you be compliant, please contact us at privacy@diffbot.com.