Consulting

Privacy and Security at Wizeline

Wizeline takes the protection of personal data seriously and has been working hard to ensure that all personal data we process is used, shared, and protected well. In addition to our own internal processes and practices we have implemented to take care of your information, we have been paying attention to, and working to comply with, some major privacy regimes – the General Data Protection Regulation of the European Union (GDPR) and the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”).

GDPR

The European Union’s new regulation, the GDPR, protects personal data and establishes clear rights for individuals impacted relating to their personal data, including who uses that data, how, and for what purposes. The GDPR includes several requirements for companies processing personal data relating to how the data is used, how it is protected, and the internal systems, security, and roles needed to ensure all requirements are met. In order to ensure that Wizeline is meeting these requirements, we have made adjustments to our internal policies and procedures,  our contractual relationships, and to our technical and organizational data security protocols corresponding to the GDPR requirements. Below, we describe several GDPR requirements and how we have risen to the challenge of meeting them.

Scope

To put it simply, the GDPR applies to any personal data coming from an individual in the European Union. This includes individuals in the EU inputting information through company websites, from other companies passing on personal data relating to individuals in the EU, and other methods. We extend certain GDPR rights and protections to all personal data we process, including personal data of individuals outside the EU.

Right to Be Informed

Under the GDPR, data subjects must be told how their personal data will be processed, the purpose of the data processing, limitations on the company’s use of the personal data or data sharing, how long the personal data will be held and use, and other information related to the personal data. Wizeline provides all of these details in our updated Privacy Policy.

Controllership and Legal Basis for Processing

With respect to the personal data we process on behalf of our customers in the course of implementing our chatbot products and providing software development services, Wizeline acts as a data processor. This means that we only process personal data obtained from our customers on the basis of their documented instructions. We do not use this data for our own purposes. Our customers are typically data controllers, which means that they determine the purposes and the means of processing the personal data they collect. Our role is to provide a service that enables our customers to achieve their purposes more efficiently. In this context, our customer is primarily responsible for ensuring that a lawful basis of processing exists and for responding to requests from data subjects to exercise their rights under the GDPR.

In some contexts, such as where we collect and process personal data to market and sell our products and services and where we process data of our own employees, Wizeline is itself a data controller. All personal data processed under the GDPR must have a legal basis justifying the processing. The GDPR lists several potential bases for processing, and Wizeline has identified four specific bases for processing that apply to processing with regard to which it is a controller: (i) processing in order to perform a contract with the individual; (ii) processing in order to pursue legitimate interests, such as marketing or selling its services; (iii) processing as necessary to comply with legal requirements, and (iv) processing based on the consent of the individual. These processing bases are identified in the Wizeline Privacy Policy.

Vendor Compliance

Any third parties to which Wizeline transfers GDPR-regulated personal data must also comply with the GDPR requirements. To ensure that this takes place, Wizeline has reviewed all of its contractual agreements with vendors and (which are either processors or subprocessors with respect to the personal data they process on our behalf) and amended any that did not meet the personal data protection standards required. In addition to implementing GDPR-compliant data processing agreements with these vendors, Wizeline also ensured that each vendor was capable of providing the same level of data protection as required by the GDPR by obtaining and reviewing each vendor’s internal security policies, procedures, and any applicable third-party audit reports, including ISO 27001 certifications and SOC 2 audit reports.

Security

The GDPR requires that any company processing personal data that falls under the GDPR maintains technical and organizational security measures that are appropriate for the sensitivity level and amount of personal data they process. To that end, Wizeline has reviewed its security procedures, updating technical security where needed and establishing internal security procedures and training within the company to ensure the security of data. This review included all steps of the personal data lifecycle, as identified during data mapping.

As a member of the VeraSafe Privacy Program (see below), Wizeline’s Chatbot and professional services systems underwent a complete security audit against the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and were found in compliance.

For more information about Wizeline’s security infrastructure, including SOC 2 compliance, please visit https://www.wizeline.com/security-and-compliance/.

Data Subject Rights

Individuals whose personal data is processed under the GDPR (data subjects) are given certain rights with regard to their data. These rights include:

  • Access to the data connected to them that is being processed, specifically information on whether data about them is being processed and what that data is. A data subject may request information relating to all personal data about them that is processed or only certain subset of their personal data (i.e. types of data or data from a particular time period.
  • A copy of the personal data being processed about the data subject in an easily-useable and readable format.
  • The ability to edit or correct any incorrect personal data about the data subject.
  • Requesting that processing of their personal data be restricted to certain uses or to certain data types or that processing stop entirely.
  • Objecting to the processing of their personal data.
  • Requesting deletion of their personal data from all systems and records.

Wizeline provides notice of all of these data subject rights within our Privacy Policy, informing individuals that they can request any of these things. The Privacy Policy also provides simple ways for data subjects to contact Wizeline in order to exercise these rights.

In addition, Wizeline has taken several internal actions to ensure that we are able to respond quickly and correctly to any data subjects making requests relating to their personal data. This includes mapping our data by tracking the sources we get personal data from, reviewing every system and device that personal data may be processed by or stored in, monitoring what third parties we may share the personal data with in the course of delivering our services or for any other reason, and reviewing our policies on data retention and deletion. Wizeline has also set up an internal procedure for response to data subjects, identifying which employees are responsible for identifying and responding to requests and putting forth guidelines and training on how to respond properly and promptly.

Data Transfer

Under the GDPR, any personal data that is transferred outside of the European Economic Area – such as a transfer from an EU country to the United States – must be protected through one of the listed safe methods of transfer. Wizeline protects GDPR-regulated personal data during transfer through its Privacy Shield certification and, where necessary, the implementation of Standard Contractual Clauses approved for such purposes by the European Commission. Wizeline has registered with the Privacy Shield program for data transfers, as described below.

Privacy Shield

Privacy Shield is an excellent cross-border data transfer mechanism available to businesses established in the United States. Organizations that self-certify to the Privacy Shield list may receive European personal data without additional formalities. 

In order to become and remain certified under the Privacy Shield, an organization must adhere to the Privacy Shield Principles. While any organization may perform an internal self-assessment to ensure compliance with the Principles, Wizeline took the additional step of engaging VeraSafe, a leading privacy, data protection, and cybersecurity consulting firm, to perform an outside compliance review of the relevant information systems. VeraSafe’s auditing standard, known as the VeraSafe Privacy Program Certification Criteria, combine the Privacy Shield Principles with other applicable privacy and security standards, including the NIST CSF. As Wizeline’s official Privacy Shield verification provider, VeraSafe has certified to the U.S. Department of Commerce that Wizeline complies with the Privacy Shield Principles for its in-scope systems.

The Privacy Shield Principles are listed below. Wizeline has certified to the Privacy Shield and to its clients that it adheres to each of the following principles in its processing of personal data within our Chatbot application and with respect to our professional software development and consulting services.

Notice

Under Privacy Shield, data subjects must be notified that the company or organization in question adheres to Privacy Shield principles. The company must provide a link to the list of Privacy Shield-certified companies and must inform the data subjects of their rights under Privacy Shield and the method of data processing the company uses, among other things. Wizeline provides all this information in the Wizeline Privacy Policy.

Choice

Data subjects must be able to opt out of their personal data being disclosed to third parties (with the exception of third parties acting as agents of Wizeline to deliver the services) or being used for purposes other than those disclosed previously. Wizeline has included information in our Privacy Policy about how individuals can contact us and exercise this right to opt-out.

Accountability for Onward Transfer

All data transfers under Privacy Shield must comply with certain requirements, including:

  • Data will be transferred solely for limited and specified purposes.
  • If sharing personal data with third parties, the company sharing the personal data must contractually mandate that the third parties will provide at least the same level of privacy protection as that required under Privacy Shield.
  • In addition, any third parties that personal data is shared with must process the personal data in compliance with all other Privacy Shield obligations.
  • If a third party cannot meet the Privacy Shield obligations in processing the personal data, the third party must immediately inform the company sharing the personal data and cease processing.
  • All companies and third parties processing personal data must provide a summary of their privacy provisions and practices to the Department of Commerce upon request.

Wizeline has certified its compliance with all of these requirements and has taken internal and contractual steps to ensure that it consistently meets all requirements.

Security

Similar to the GDPR, Privacy Shield requires that applicable organizations take appropriate measures to protect personal data from any loss, misuse, unauthorized access, processing, deletion, copying, or other impermissible uses. In the course of updating its technical and organizational security, Wizeline has ensured that it meets this requirement.

Data integrity and purpose limitation

Privacy Shield requires that, among other measures, companies limit their collection of personal data to only the personal data that is needed in order to fulfill the purpose that the personal data is being collected for. In addition, processing of the personal data should be limited to only the purposes listed at the time of data collection or purposes which are compatible with the listed purpose. Wizeline has ensured that it does so in its practice of data processing and has described these limitations in its Privacy Policy.

Access

Data subjects must be able to access their personal data subject to Privacy Shield and to correct or amend any incorrect or out of date data and to delete any data that is either incorrect or that is collected or otherwise processed in violation of the Privacy Shield principles. Wizeline provides contact information enabling data subjects to exercise these rights in its Privacy Policy.

Recourse, enforcement, and liability

Adherents to Privacy Shield must provide an independent recourse mechanism that can investigate and resolve any disputes arising between the data subject and the company. Wizeline has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure and includes information about this mechanism in its Privacy Policy.

A forward-looking perspective

GDPR was game-changing, but privacy compliance doesn’t stop with one regulation. Wizeline has implemented privacy and security compliance policies that will not only ensure a current state of full compliance, but also allow us as an organization to operationalize compliance with new laws, regulations, and standards like the CCPA and forthcoming ISO standards as they emerge and develop. Wizeline’s commitment to privacy and security is a part of our culture, and we’re excited to see what comes next.

If you have any additional questions about Wizeline’s privacy practices, please do not hesitate to contact us by email at privacy@wizeline.com.

Written by Wizeline Security Team
Written by Wizeline Security Team

Nellie Luna

Posted by Nellie Luna on October 16, 2019