Effective Date: February 1st, 2023
One Umbrella is devoted to securing the privacy of our users and their clients. We keep abreast of changes in data protection legislation to ensure that you can trust in the safety of your personal data while utilizing our platform.
This page is designed to clarify what the regulations are, how they apply to your use of the One Umbrella platform, and the measures we have undertaken to conform. This is not meant to provide legal counsel.
We recommend reviewing this document along with our Privacy Policy and seeking the advice of a legal expert if you require further details or guidance.
Regulation (EU) 2016/679, often known as the General Data Protection Regulation (EU GDPR), is an EU regulation aimed at aligning data protection laws across the EU.
The EU GDPR is dedicated to giving individuals more control over their data's use by corporations, and making the collection and processing of data more transparent. Following the end of the Brexit transition period, the EU GDPR was directly integrated into UK law, meaning that UK-based businesses and other entities subject to UK law are still obligated to comply with its provisions through the 'UK GDPR'. This document refers to the EU GDPR and the UK GDPR collectively as the GDPR.
Controller and processor
The GDPR sets various responsibilities on a person depending on whether they are a controller or a processor of personal data.
A controller is an entity that decides to process personal data, making decisions about the processing basis and the methods to be employed. Before gathering personal data from your clients, you should familiarize yourself with the controller's specific obligations regarding personal data.
A processor is an entity that processes data for a controller and at their behest. They make no autonomous decisions regarding the data or its processing, as they solely process it as instructed by the controller.
When you use the One Umbrella platform, you are the controller. You manage the data you upload to the One Umbrella platform, what you do with that data, and why. Hence, you are accountable for ensuring that you have a legal basis for processing the data, and that you do not retain the data any longer than required.
You should understand your responsibilities as a controller and update your systems and policies accordingly to allow lawful transfer of personal data to One Umbrella.
One Umbrella is a data processor. We store and process the data you have collected as per your instructions through the One Umbrella platform. We will never use any personal data that you have uploaded to the One Umbrella system for our purposes or without your instruction.
Legal basis for processing
The collection and processing of personal data can only occur if there is a legal basis for it. The acceptable legal bases are outlined in the GDPR.
As a processor, One Umbrella depends on our customers to choose the correct basis under which they will be collecting and processing personal data and to put the appropriate notices or consents in place. Before using the One Umbrella platform, you should identify which legal bases may apply to you, and only collect and process personal data to the extent required to perform that basis. You should avoid changing the basis under which you have collected personal data without a substantial reason, so it's crucial to understand the requirements of the different bases and ensure you choose the correct one initially.
Data subject access rights
The GDPR provides data subjects (i.e., your customers) certain rights related to their personal data, including the right to access, correct and/or delete any data concerning them. One Umbrella has systems in place for you to inform us if you receive such a request from a data subject, and for us to inform you if we receive such a request. You should familiarize yourself with the obligations that will be imposed on you, including any personal data you hold on your own systems or services other than One Umbrella.
Transfers of data to the USA
The transfer of personal data outside the EEA or the UK must comply with the GDPR. We use Standard Contractual Clauses as part of our Data Processing Agreement, which we sign with all our customers.
Data Security
We have implemented security measures and safeguards to help ensure that any personal data we hold is stored securely. Our products are regularly tested for bugs and vulnerabilities. We have systems in place for regular backups, data recovery, and data integrity to help minimize the risk of personal data corruption or loss.
Steps we have taken to help ensure GDPR compliance
We take our obligations as a processor very seriously. We have instituted various procedures and taken several steps to help ensure that we comply with the GDPR such as:
- Our data processing agreement incorporates Standard Contractual Clauses to provide a mechanism to lawfully send personal data to us in the USA.
- We have tools designed to detect personal data breaches and to notify our customers as promptly as possible.
- We are capable of handling subject access requests and rights of erasure requests, and of informing you when a data subject has made such a request to us.
- We have evaluated and documented the personal data processed by us on your behalf.
- We encrypt personal data at rest and in transit and have implemented other security measures to ensure a level of security appropriate to the risk of processing your personal data.
If you have any questions, concerns, or requests related to this Data Protection or our privacy practices, please contact us:
Email: [email protected]
Please provide your full name, contact information, and a clear description of your request or concern. We will respond to your inquiries as soon as reasonably possible.

© 2024 One Umbrella | All Rights Reserved