The GDPR is the most important change in data privacy regulation in decades. Nitoku is a strong advocate for privacy. We care about our users' rights. We have been hard at work building numerous features that give customers more control of the data that is stored on our platform. We have designed and enabled these features for all our customers, regardless of whether the GDPR specifically impacts them.
We have prepared this document to explain how the GDPR will apply to your use of Nitoku and what we have done to ensure we are compliant.
We recommend that you review this document carefully and present it to your privacy team.
Note: EU data protection laws, including the GDPR, are complex. This guide should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.
The GDPR is a regulation designed to harmonize data privacy laws throughout the European Union (EU). This new regulation offers individuals in the EU greater transparency and control over how their personal data is used and makes companies handling personal data accountable for their choices. Even businesses that are not based in the EU must comply with the GDPR if they collect and process personal data of individuals located in the EU.
In EU data protection law, there are two types of entities that can process personal data — the data controller and the data processor. The data controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data. The data processor is the entity which processes personal data on behalf of the controller.
Nitoku is considered a processor. Similar to controllers, processors are expected to comply with the GDPR.
Nitoku customers will typically act as the data controller for any personal data they provide to Nitoku in connection with their use of Nitoku’s services. The data controller determines the purposes and means of processing personal data.
Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.
If you are a data controller, you may find guidance related to your responsibilities under the GDPR by regularly checking the website of your national or lead data protection authority, as applicable. You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.
We have developed procedures to be able to deal with the requests we receive from data subjects and inform you of such requests. We have reviewed and updated the security policies and controls we have in place. We have appointed a Data Protection Officer, who is in charge of compliance with the GDPR across our business. We carry out regular data protection training for our employees and staff. The above are only some of the steps we have taken in our path towards GDPR compliance, which is an ongoing exercise that we are engaged in.
Processors may leverage other third parties in the processing of personal data. These entities are commonly referred to as “sub-processors”. We, at Nitoku, use Google Cloud as our infrastructure provider, Mailgun as our email service provider, and Stripe for payment processing. As required under the GDPR, we have put in place appropriate measures with our sub-processors that allow us to secure the personal data we process on your behalf.
Under the GDPR, EU data subjects can access, correct, remove or export their personal data. They also have the right to restrict the processing of their personal data.
We have designed our platform with several self-service features that our customers can leverage to assist in reviewing the personal data stored on our platform to respond to data requests.
In particular, these features are designed to support the right to data portability, right to access, and right to be forgotten.
When we, as a processor, receive a request directly from a data subject, we will engage the respective customer within seven days to respond to the data subject request (unless otherwise required by law).
If you are a data controller, the GDPR requires that you enter into an agreement with your data processors. This agreement is referred to as a Data Processing Agreement ("DPA") and sets out how a controller and a processor meet the requirements of the GDPR. If you need a DPA, please contact Nitoku at support@nitoku.com and we will provide you with one.
The GDPR does not require that data processing activities be limited to the EU, but it regulates the transfer of personal data outside of the European Economic Area (EEA). To that end, the GDPR provides for different transfer mechanisms.
One particularly important mechanism for personal data flows from the EU to the United States is the Privacy Shield framework. The EU-US and Swiss-US Privacy Shield is a method of ensuring that an organization offers an adequate level of data protection, by requiring that the organization certify and register according to the requirements of the Privacy Shield framework. At Nitoku, data flows from the EU to the United States are handled by our sub-processors (Stripe, Google Cloud and Mailgun), all of which are certified under the EU-US and Swiss-US Privacy Shield for this reason.