ITILITE enables GDPR support for all customers worldwide
ITILITE ensures conformance to global regulations and industry practices to maintain the privacy and security of its customers’ data. All our products provide GDPR-ready capabilities to help our customers meet their compliance obligations. ITILITE extends these capabilities not only to customers in the European Union (EU) but to all our customers worldwide.
To strengthen an individual's rights to privacy, the European Union brought about the General Data Protection Regulation or GDPR, fortifying existing directives on data protection. The Regulation issued by the European Union applies to businesses processing personal data of European residents and has been in force since 25th May 2018.
The GDPR encourages businesses to be responsible for an individual’s data. By ensuring the protection and privacy of this data, businesses earn customer trust, and customers are likely to engage better with the business. GDPR provides a framework for businesses to standardize and regularize real-world security and privacy needs of an individual's data used for business purposes. The key principles which the GDPR requires businesses to operate on are:
Lawful, fair and transparent processing: Emphasizes transparency for all individuals and businesses alike. The company collecting user data must be absolutely clear as to why data is being collected and what it will be used for.
Purpose of collection: Businesses should collect sensitive consumer data only for selective purposes. Data collected for specific purposes should not be further processed in a manner incompatible with the above-mentioned purpose.
Data minimization: Ensure data captured is adequate, relevant and limited. Based on this principle, organizations must ensure they store a minimum amount of consumer data only specific to company regulations.
Accurate processing: Data controllers must ensure information remains accurate, valid and fit for purpose. To comply, organizations must institute processes and policies to address how they maintain the data that is being processed.
Storage limit based on identification: Companies that collect user data must have full control over its storage and use within the company. This includes implementing and enforcing data retention policies and preventing unauthorized movement and storage of data to safeguard it in accordance with the above-mentioned policies.
High levels of security: An organization collecting and processing data is solely responsible for implementing appropriate security measures to protect the individual’s data.
Accountability and liability: Organizations must be able to demonstrate the adoption of necessary steps to protect an individual’s data, and be able to pull up every step within the GDPR strategy as evidence.
You can log into the ITILITE Platform using sign-in services made available to you by the applicable client or other service providers. These sign-in services will authenticate your identity and provide you the option to share certain personal information with us, like your name and email address, through which log-on to the ITILITE Platform is facilitated. The GDPR legal basis for processing this information is the contractual obligation to the client, i.e., your employer, to perform the services.
In case of any further questions regarding the ITILITE Platform settings, the information ITILITE has been authorized by the Client to process, or its privacy practices, you may contact the applicable Client administrator. If you no longer wish to have your personal information used by one of our Clients that use the ITILITE Platform, please contact your Client administrator. The GDPR legal basis for processing this information is the contractual obligation to the Client to perform these Services.
When acting as a service provider, ITILITE may have no direct relationship with the individuals whose personal information is provided to ITILITE while seeking our Services. An individual who is employed by one of our Clients and seeks access to, or who seeks to correct, amend, delete, or object to the processing of their Personal Data should direct the query to their employer’s ITILITE administrator if they are unable to make the appropriate changes via access to the ITILITE Platform. If the Client requests ITILITE to delete their data, we will respond to their request within 30 business days. If a user contacts us directly with such a request, we will notify the Client we are providing our services to.
In addition to the lawful transfer, processing and storage of your Personal Information, the GDPR gives certain European Union members additional rights over our use of your Personal Information. ITILITE respects your control over your information. In the event that you have provided personal information to us in your use of the site, we will provide you with details of any of your personal information we hold as detailed below. You may access, correct, or request deletion of your personal information by contacting us at email@example.com. Our team will get back to you at the earliest.
You can request details of your personal information we hold. We shall then confirm and disclose additional information including the types of Personal information, the sources it originated from, the purpose and legal basis for the processing, the expected retention period and the safeguards regarding data transfers to non-EEA countries, subject to the limitations set out in applicable laws and regulations. A copy of your personal information gathered will be shared free of charge, but additional costs may be incurred to cover our administrative costs in case more copies of the above-mentioned information are required.
At your request, we will correct incomplete or inaccurate parts of your Personal information, although we may need to verify the accuracy of the new information provided to us.
At your request, we will delete your personal information if:
(i) it is no longer necessary for us to retain your Personal information,
(ii) you withdraw consent which formed the legal basis for the processing of your Personal Information,
(iii) you object to the processing of your personal information and there are no overriding legitimate grounds for such processing,
(iv) the personal information was processed illegally,
(v) the personal information must be deleted for us to comply with our legal obligations.
We will decline your request for deletion if processing of your personal information is necessary:
(i) for us to comply with our legal obligations,
(ii) for the establishment, exercise or defense of legal claims, or
(iii) for the performance of a task in the public interest.
At your request, we will restrict the processing of your personal information if:
(i) you dispute the accuracy of your Personal information,
(ii) your personal information was processed illegally and you request a limitation on processing rather than the deletion of your Personal information,
(iii) we no longer need to process your Personal information, but you need your personal information in connection with the establishment, exercise or defence of a legal claim, or
(iv) you object to the processing of your personal information pending verification as to whether an overriding legitimate ground for such processing exists. We may continue to store your personal information to the extent required to ensure your request to restrict processing is respected in the future.
At your request, we will provide you free of charge with your personal information in a structured, commonly used and machine-readable format, if:
(i) you provide us with your Personal information,
(ii) the processing of your personal information is required for the performance of a contract, or
(iii) the processing is carried out by automated means.
Where we rely on our legitimate interests (or that of a third-party) to process your Personal information, you have the right to object to this processing on grounds related to your particular situation if you feel it impacts your fundamental rights and freedoms. We will comply with your request unless we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defence of legal claims. We will always comply with your objection to the processing of your personal information for direct marketing purposes.
You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your Personal information, unless you have given us your explicit consent or where they are necessary for the performance of the contract with us.
You have the right to withdraw consent you may have previously given us at any time. In order to exercise your right to withdraw consent we may ask you for certain identifying information to ensure the security of your Personal information.
Please contact us at firstname.lastname@example.org to make a request to exercise any of the above rights. We will respond to your request within 30 days, or notify you in case of any delay. In case the request is declined, it will be supported with the appropriate reasons. Typically, no fee is charged with respect to the exercise of your rights. However, if your request is manifestly unfounded or excessive (for example, because of its repetitive character) we may charge a reasonable fee, taking into account the administrative costs of dealing with your request.
Kindly note that if you decide to exercise some of your rights, we may be unable to perform the actions necessary to achieve the purposes set out above or you may not be able to use or take full advantage of our Services.
If you are not satisfied with our response, you have the right to complain or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction.
As part of the Services, we may send you transactional, promotional, commercial and informational emails. You may opt-out from receipt of these emails and unsubscribe by clicking “unsubscribe” at the bottom of the emails you receive from us.
You have the right to object to the use of your personal information for direct marketing purposes, on a going-forward basis, by emailing us at email@example.com.
For users of the ITILITE Platform, we disclose information to your employer such as your travel behavior, redemption behavior and year-end redemption reporting for tax purposes.
We disclose your first and last name and email address to our third-party messaging platform to provide user support. In accordance with the Client contracts, we may disclose your personal information to other third-party vendors that enable us to provide the Services, including an email service provider to send emails on our behalf and customer support providers (together, “Sub-Processors”).
If our assets are merged with or purchased by a third-party, your personal information will be transferred to that third-party.
We may also release your information when we believe release is appropriate to comply with the law, enforce our Privacy Policies, detect or prevent fraud, security or technical issues, or protect our or others’ rights, property, or safety. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention. Because our servers that store your information are located in the U.S.A., your information may be available to U.S. government entities or agencies under a lawful court order or other legal process in the U.S.
When acting as a service provider, we will retain your Personal Information, which we process on behalf of our Clients for as long as needed to provide services to our Client, for as long as your account is active, or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We retain your personal information for up to sixty (60) days after your account is closed.
We will take reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction. We follow industry standards to protect this personal information submitted to us. All information is stored on secure cloud servers and protected with additional security layers, encryptions and passwords.
For example, our Services sit on secure servers operated by Amazon Web Services (AWS EC2). We use a method endorsed by the National Institute of Standards and Technology to protect your passwords (PBKDF2 algorithm with a SHA256 hash for password stretching). All data transfer is over the secure HTTP protocol (HTTPS), and we deploy TLS 1.2 for transport layer security. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.
Given that the Internet operates in a global environment and that, if you operate outside of the United States, transfer of your data is necessary for you to use any of our Services or request information from us, using the Internet to collect and process personal information necessarily involves the transmission of data on an international, or cross-border, basis.
By accessing any of these Services, and/or communicating with us by email, you acknowledge and voluntarily provide your express consent to our collection, processing and disclosure of your personal information in this way, including our disclosure to Sub-Processors and third-parties located in the US and other locations outside the EU.
By registering for the ITILITE Platform or by accessing any of the Services you voluntarily and expressly agree to such transfer and disclosure.