Wizeline takes the protection of personal data seriously and has been working hard to ensure that all personal data we process is used, shared, and protected well. In addition to our own internal processes and practices we have implemented to take care of your information, we have been paying attention to, and working to comply with, some major privacy regimes – the General Data Protection Regulation of the European Union (GDPR) and the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”).
The European Union’s new regulation, the GDPR, protects personal data and establishes clear rights for individuals over their personal data, including who uses that data, how, and for what purposes. The GDPR includes several requirements for companies processing personal data relating to how the data is used, how it is protected, and the internal systems, security, and roles needed to ensure all requirements are met. In order to ensure that Wizeline is meeting these requirements, we have made adjustments to our internal policies and procedures, our contractual relationships, and our technical and organizational data security protocols corresponding to the GDPR requirements. Below, we describe several GDPR requirements and how we have risen to the challenge of meeting them.
To put it simply, the GDPR applies to any personal data relating to an individual in the European Union. This includes data that individuals in the EU enter through company websites, personal data relating to individuals in the EU that other companies pass on to us, and data received through other methods. We extend certain GDPR rights and protections to all personal data we process, including personal data of individuals outside the EU.
Right to Be Informed
Controllership and Legal Basis for Processing
With respect to the personal data we process on behalf of our customers in the course of implementing our chatbot products and providing software development services, Wizeline acts as a data processor. This means that we only process personal data obtained from our customers on the basis of their documented instructions. We do not use this data for our own purposes. Our customers are typically data controllers, which means that they determine the purposes and the means of processing the personal data they collect. Our role is to provide a service that enables our customers to achieve their purposes more efficiently. In this context, our customer is primarily responsible for ensuring that a lawful basis of processing exists and for responding to requests from data subjects to exercise their rights under the GDPR.
Any third parties to which Wizeline transfers GDPR-regulated personal data must also comply with the GDPR requirements. To ensure that this takes place, Wizeline has reviewed all of its contractual agreements with vendors (which are either processors or sub-processors with respect to the personal data they process on our behalf) and amended any that did not meet the personal data protection standards required. In addition to implementing GDPR-compliant data processing agreements with these vendors, Wizeline also ensured that each vendor was capable of providing the level of data protection required by the GDPR by obtaining and reviewing each vendor’s internal security policies, procedures, and any applicable third-party audit reports, including ISO 27001 certifications and SOC 2 audit reports.
The GDPR requires that any company processing personal data that falls under the GDPR maintain technical and organizational security measures that are appropriate for the sensitivity level and amount of personal data it processes. To that end, Wizeline has reviewed its security procedures, updating technical security where needed and establishing internal security procedures and training within the company to ensure the security of data. This review covered every step of the personal data lifecycle, as identified during data mapping.
As a member of the VeraSafe Privacy Program (see below), Wizeline’s Chatbot and professional services systems underwent a complete security audit against the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and were found to be in compliance.
For more information about Wizeline’s security infrastructure, including SOC 2 compliance, please visit https://www.wizeline.com/security-and-compliance/.
Data Subject Rights
Individuals whose personal data is processed under the GDPR (data subjects) are given certain rights with regard to their data. These rights include:
- Access to the data connected to them that is being processed, specifically confirmation of whether data about them is being processed and what that data is. A data subject may request information relating to all personal data about them that is processed, or only a certain subset of their personal data (e.g., particular types of data or data from a particular time period).
- A copy of the personal data being processed about the data subject in an easily usable and readable format.
- The ability to edit or correct any inaccurate personal data about the data subject.
- The ability to request that processing of their personal data be restricted to certain uses or to certain data types, or that processing stop entirely.
- The ability to object to the processing of their personal data.
- The ability to request deletion of their personal data from all systems and records.
In addition, Wizeline has taken several internal actions to ensure that we are able to respond quickly and correctly to any data subjects making requests relating to their personal data. This includes mapping our data by tracking the sources we get personal data from, reviewing every system and device that personal data may be processed by or stored in, monitoring what third parties we may share the personal data with in the course of delivering our services or for any other reason, and reviewing our policies on data retention and deletion. Wizeline has also set up an internal procedure for response to data subjects, identifying which employees are responsible for identifying and responding to requests and putting forth guidelines and training on how to respond properly and promptly.
Under the GDPR, any personal data that is transferred outside of the European Economic Area – such as a transfer from an EU country to the United States – must be protected through one of the transfer mechanisms the GDPR recognizes as providing adequate safeguards. Wizeline protects GDPR-regulated personal data during transfer through its Privacy Shield certification and, where necessary, the implementation of Standard Contractual Clauses approved for such purposes by the European Commission. Wizeline has registered with the Privacy Shield program for data transfers, as described below.
Privacy Shield is an excellent cross-border data transfer mechanism available to businesses established in the United States. Organizations that self-certify to the Privacy Shield list may receive European personal data without additional formalities.
In order to become and remain certified under the Privacy Shield, an organization must adhere to the Privacy Shield Principles. While any organization may perform an internal self-assessment to ensure compliance with the Principles, Wizeline took the additional step of engaging VeraSafe, a leading privacy, data protection, and cybersecurity consulting firm, to perform an outside compliance review of the relevant information systems. VeraSafe’s auditing standard, known as the VeraSafe Privacy Program Certification Criteria, combines the Privacy Shield Principles with other applicable privacy and security standards, including the NIST CSF. As Wizeline’s official Privacy Shield verification provider, VeraSafe has certified to the U.S. Department of Commerce that Wizeline complies with the Privacy Shield Principles for its in-scope systems.
The Privacy Shield Principles are listed below. Wizeline has certified to the Privacy Shield and to its clients that it adheres to each of the following principles in its processing of personal data within our Chatbot application and with respect to our professional software development and consulting services.
Accountability for Onward Transfer
All onward transfers under Privacy Shield must comply with certain requirements, including:
- Data will be transferred solely for limited and specified purposes.
- If sharing personal data with third parties, the company sharing the personal data must contractually require that the third parties provide at least the same level of privacy protection as that required under Privacy Shield.
- In addition, any third parties with which personal data is shared must process the personal data in compliance with all other Privacy Shield obligations.
- If a third party can no longer meet the Privacy Shield obligations in processing the personal data, the third party must promptly inform the company sharing the personal data, and that company must take reasonable steps to stop and remediate the unauthorized processing.
- The certified organization must provide a summary or representative copy of the relevant privacy provisions of its contracts with such third parties to the Department of Commerce upon request.
Wizeline has certified its compliance with all of these requirements and has taken internal and contractual steps to ensure that it consistently meets them.
Similar to the GDPR, Privacy Shield requires that applicable organizations take appropriate measures to protect personal data from any loss, misuse, unauthorized access, processing, deletion, copying, or other impermissible uses. In the course of updating its technical and organizational security, Wizeline has ensured that it meets this requirement.
Data integrity and purpose limitation
Recourse, enforcement, and liability
A forward-looking perspective
GDPR was game-changing, but privacy compliance doesn’t stop with one regulation. Wizeline has implemented privacy and security compliance policies that will not only ensure a current state of full compliance, but also allow us as an organization to operationalize compliance with new laws, regulations, and standards like the CCPA and forthcoming ISO standards as they emerge and develop. Wizeline’s commitment to privacy and security is a part of our culture, and we’re excited to see what comes next.
If you have any additional questions about Wizeline’s privacy practices, please do not hesitate to contact us by email at firstname.lastname@example.org.