GDPR Compliance

GIMLabs Is GDPR Compliant

The European Union (EU) General Data Protection Regulation (GDPR), enforced from May 2018, is one of the biggest changes to data privacy regulation for businesses with customers from the European Union. We put security, privacy, and data protection at the core of our product. We are fully certified as GDPR compliant, and constantly strive to go above the minimum regulatory standards. We regularly update our Terms of Service to be in compliance with GDPR and other generally acceptable privacy law.

Taking into account new case law (especially "Schrems II" decision of European Court of Justice) as well as Brexit, GIMLabs took additional steps to be compliant with the EU and UK data protection law.

EU Data Transfers

The European Data Protection Board (EDPB) advises that each EU entity which is data exporter conducts an assessment of whether or not it can transfer EU personal data on the basis of the EU Standard Contractual Clauses (EU SCCs). In particular, GIMLabs recommends the following steps:

1. Consider the technical and organisational security measures included in the updated Data Processing Addendum. Based on the type of data you process on GIMLabs, determine whether these are sufficient for your use.
2. Review GIMLabs' Data Processing Addendum, which includes the new supplemental clauses recommended by the EDPB and incorporates the new version of the SCCs approved by the European Commission.
3. Conduct a risk assessment for the transfer of personal data to the US in your use of GIMLabs. Information on this page and our Security page may be helpful for your review.

Can UK-based customers transfer UK personal data to GIMLabs?

The Information Commissioner’s Office (ICO) advises that each UK entity conducts an assessment of whether or not it can transfer UK personal data on the basis of the UK Standard Contractual Clauses (UK SCCs). In particular, GIMLabs recommends the following steps:

1. Consider the technical and organisational security measures included in the updated Data Processing Addendum. Based on the type of data you process on GIMLabs, determine whether these are sufficient for your use.
2. Review GIMLabs' Data Processing Addendum, which includes the UK SCCs.
3. Conduct a risk assessment for the transfer of personal data to the US in your use of GIMLabs. Information on this page and our Security page may be helpful for your review.

GIMLabs' GDPR Commitment

As a geotechnical information management platform, GIMLabs has two kinds of relationships:

• Customer - an Organisation using GIMLabs
• User - a user that has a login to GIMLabs

Everything you do in your Organisation is data (e.g. projects) owned by your Organisation. Your Organisation is the data controller (in certain cases it is possible that it can be data processor) of that data. GIMLabs is data processor of that data and acts exclusively based on the instructions of your Organisation as data controller.

To be fully compatible with GDPR we’ve added the option to destroy all data from your Organisation on request. If an Organisation decides to leave GIMLabs they can request the complete deletion of all business data.

In certain cases GIMLabs can be data controller of your data (e.g. when we communicate directly, when you apply for a position in our company etc.).

Please check our Privacy Policy to learn how your data is being processed.

GIMLabs' Security Standards

We keep your data secure 100% of your time. We regularly review and update our security measures.

Please check implemented security measures on our Security page.

Has GIMLabs ever had to disclose data to US authorities?

GIMLabs has not received any data access request from the US government under Section 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333.

If such a request were received, GIMLabs will use reasonable efforts:

1. to have the governmental authority request such data directly from you; and
2. to notify you of the request promptly, unless prohibited under the applicable law of the requesting government authority or GIMLabs. If prohibited from notifying you, GIMLabs will use reasonable efforts to obtain the right to waive the prohibition to communicate as much information to you as possible.

Also, please check Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (so-called White Paper), where powers of US public authorities are explained in detail. This document includes a more detailed interpretation of relevant US legislative and amendments that were made after Schrems II.

Where does GIMLabs store data?

GIMLabs stores data on Amazon Web Services servers located in the EU, specifically in Ireland.

Does GIMLabs sell or market the data to third parties in any way?

No, GIMLabs does not sell or market your data to third parties.

Will GIMLabs sign my company’s DPA?

GIMLabs can’t sign DPAs from other companies. However, GIMLabs' DPA should be sufficient in any customer relationship with GIMLabs. GIMLabs' DPA contains EU SCCs for EU and UK SCCs for UK data and includes terms specific to how GIMLabs works.

Contacting GIMLabs

If you would like to know more about our security measures and GDPR compliance, please contact us at privacy@gimlabs.io. We’ll be happy to answer all your questions.