General Data Protection Regulation (GDPR)

To protect and empower data privacy for all EU citizens

What is GDPR

 

Overview

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe. The GDPR is intended to protect and empower all EU citizens when it comes to data privacy and to reshape the way organizations across the region manage data.

Basic GDPR terms

Data Subject: Any information that enables a person/entity (aka: the data subject) to be identified such as by a name, identification number, location data, or an online identifier. This can also reference one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject. This refers to Netcore’s customer’s clients.

Controller: The natural or legal person, public authority, agency, or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data. This refers to Netcore’s customers.

Processor: Any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction at the direction of a Controller. This refers to Netcore.

Rights of the Data Subject

Netcore (as a Processor) enables its customers (the Controllers) to comply with their users’ (Data Subjects’) requests to exercise the Rights of the Data Subject under Articles 12–23 of the General Data Protection Regulation (GDPR).

Right of access by the data subject

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not their personal data is being processed.

The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the controller may charge a reasonable fee based on administrative costs.

What it means with respect to Netcore

Netcore will facilitate the export of the Data Subject’s information, at the request of a Controller, including:

  • Any user identifiers
  • Attributes
  • Activity for that user

 

Right to rectification

The Data Subject shall have the right to update or correct, without undue delay, inaccurate personal data concerning their information maintained by the Controller. If the Controller has disclosed the personal data in question to third parties, they must inform the data subjects of the rectification wherever possible.

What it means with respect to Netcore

Controllers are provided with a facility to modify or update user profile data as necessary.

Right to erasure (‘right to be forgotten’)

The Data Subject shall have the right to obtain, from the Controller, the deletion of personal data concerning them.

What it means with respect to Netcore

Controllers are provided with a facility to delete user profile data as necessary.

Right to restriction of processing

The Data Subject shall have the right to obtain, from the Controller, restriction of processing where the personal data is inaccurate, the processing is unlawful, or the Controller no longer needs the personal data for the purposes of the processing.
A Data Subject who has obtained a restriction on data processing shall be informed by the Controller before the restriction on processing is lifted.

What it means with respect to Netcore

Controllers are provided with a facility to restrict the processing of user data.

Right of data portability

The Data Subject shall have the right to receive a copy of their personal data collected by the Controller. It should be in a structured, commonly used and machine-readable format. The Data Subject has the right to transmit that data to another controller without hindrance from the original Controller.

What it means with respect to Netcore

Controllers are provided with a facility to export data as necessary.

Right to object

There are three basic rights that can be used with regard to objecting to the processing of personal data under GDPR:

  1. Processing for direct marketing purposes
  2. Processing for scientific, historical research, or statistical purposes
  3. Processing based on two specific purposes:
    • 3.1. related to processing for specific purposes
    • 3.2. or which is justified on a particular basis.

There is no right for an individual to object to processing in general.

What it means with respect to Netcore

Controllers are provided with a facility to restrict user data when there is an objection to processing.

Thus, Netcore will help customers comply with GDPR rules through upcoming API, JS SDK, and App SDK releases.

For any queries, please contact [email protected]

For the relevant APIs, visit the API Reference section of the Help Centre.

For the official GDPR updates, please visit [here](https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en)

 

Data Privacy

Any user data sent to Netcore’s servers is safe and protected. Additionally, you can get started without sharing any PII with Netcore and still define and target specific user groups/segments.

This is how our Product Experience Platform ensures complete user data privacy as we build nudges & walkthroughs for your app:

  1. Client side nudges – Every data point around users and related events is stored on the client side, and none of the data flows to Netcore’s servers. Implementing Edge Computation makes this work.
  2. This means absolute data privacy for your brand, helping you adhere to the data compliance and security needs pertaining to your specific industry.

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between Netcore Cloud or its entities under which it provides Customer or Licensee (as defined in the Agreement and hereinafter “Customer”) and, if applicable, its Affiliates certain products or services (“Services”) and in which this DPA is referenced.

 

Definitions

“Data Protection Laws” means all applicable privacy and data protection laws, rules, regulations, decrees, orders and other government requirements.

The terms “personal data”, “personal data breach”, “processing”, “processor,” and “data subject”, will have the same meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they will be read herein as the same.

 

Scope

This DPA applies to the processing of personal data by Netcore Cloud on behalf of Customer and, if applicable, Customer Affiliates under the Agreement.

 

Scope of Processing

 

Processing by Netcore Cloud will be governed by this DPA. In particular, Netcore Cloud will process the personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law to which Netcore Cloud is subject; in such a case, Netcore Cloud will inform Customer of that legal requirement before processing, unless that law prohibits Netcore Cloud from doing so on important grounds of public interest.

The subject matter of the processing is the personal data provided in respect of the Services under this Agreement. The duration of the processing is the duration of the provision of the Services under the Agreement until disposal of the personal data in accordance with the Agreement. The nature and purpose of the processing is in connection with the provision of the Services under the Agreement. The types of personal data processed are those submitted to Netcore Cloud by or at the direction of Customer as part of the Services. The categories of data subjects are those whose personal data is submitted to Netcore Cloud by or at the direction of Customer as part of the Services.

The Agreement, including this DPA, along with Customer use and configuration of the Services, are the complete and final documented instructions to Netcore Cloud for the processing of the personal data. Additional or alternate instructions must be agreed upon separately by the parties. Netcore Cloud will ensure that its personnel engaged in the processing of the personal data will process such data only on documented instructions provided by Customer, unless required to do so by applicable law.

 

Confidentiality

Netcore Cloud will ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

Security of Processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Netcore Cloud will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in the Agreement and including inter alia as appropriate:

 

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

 

In assessing the appropriate level of security, account will be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Customer and Netcore Cloud will take steps to ensure that any natural person acting under the authority of Customer or Netcore Cloud who has access to personal data does not process data except on instructions from Customer unless he or she is required to do so by applicable law.

Notwithstanding any provision to the contrary, Netcore Cloud may modify or update its security measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Agreement.

 

Sub-Processing

 
Customer hereby provides Netcore Cloud with general authorisation to engage other processors for the processing of personal data in accordance with this DPA. Netcore Cloud will maintain a list of such processors at https://netcorecloud.com/dpa/sub-processors, which Netcore Cloud may update from time to time. At least 14 days before authorising any new such processor to process the personal data, Netcore Cloud will update such list on its website. Customer may object to the change without penalty, subject to the Agreement’s dispute resolution process or any applicable refund or termination rights Customer may have under the Agreement.

Where Netcore Cloud engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this DPA will be imposed on that other processor by way of a contract or under the Data Protection Laws. Where that other processor fails to fulfil those data protection obligations, Netcore Cloud will (subject to the terms of the Agreement) remain fully liable to Customer for the performance of that other processor’s obligations.

 

Data Subject Rights

 
Taking into account the nature of the processing, Netcore Cloud will assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights.

Netcore Cloud will, to the extent legally permitted, promptly notify Customer of any data subject requests received by Netcore Cloud and reasonably cooperate with Customer to fulfil its obligations under the Data Protection Laws in relation to such requests. Customer will be responsible for any reasonable costs arising from Netcore Cloud providing assistance to Customer to fulfil such obligations.

 

Due Diligence

 
Netcore Cloud will assist Customer in ensuring compliance with data security, personal breach notification and other obligations as required under the Data Protection Laws, taking into account the nature of processing and the information available to Netcore Cloud.
 

Termination of Service

 
Upon the expiration or termination of Customer’s use of the Services, unless applicable law requires storage of the personal data, Customer instructs Netcore Cloud to delete or return the personal data in accordance with the terms and timelines, if any, for the Services set forth in the Agreement. Where the Agreement provides Customer the choice to delete or return the personal data and Customer does not make that choice within 30 days following the termination of the Agreement, Customer hereby instructs Netcore Cloud to delete the personal data, unless applicable law requires storage of the personal data. In such cases, Netcore Cloud will delete the personal data as soon as practicable.

 

Audits

 
The rights for conducting audits are set forth in the Agreement. In the absence of such requirements in the Agreement, where the Data Protection Laws so require, audits will be: (i) subject to the execution of appropriate confidentiality or non-disclosure agreements; (ii) conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the Agreement has been made, upon 30 days written notice and having provided a plan for such review; and (iii) conducted at a mutually agreed upon time, place, and manner.
 

Cross Border Transfer

 
Netcore Cloud will ensure that, to the extent that any personal data originating from Customer’s country is transferred by Netcore Cloud to another country, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws.

 

Personal Data Breach

 
Netcore Cloud will notify Customer without undue delay after becoming aware of a personal data breach involving personal data processed under this DPA and will reasonably respond to Customer’s request for further information so that Customer may fulfil its obligations under the Data Protection Laws.
 

Record of Processing Activities

 
Netcore Cloud will maintain all records required by the Data Protection Laws and, to the extent applicable to the processing of the personal data on behalf of Customer, make them available as required.
 

Lawful Basis for Processing

 
Customer warrants that, where required by the Data Protection Laws, it has provided notice to any and all data subjects and has received requisite consent from the data subject or its legally authorised representative or guardian.
 

Jurisdiction Specific Terms

 
To the extent that Netcore Cloud is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.

European Economic Area, United Kingdom and Switzerland

 

  1. To the extent that Customer transfers personal data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to Netcore Cloud located outside the EEA, UK or Switzerland, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 whereby:
      a. Customer is the “data exporter” and Netcore Cloud is the “data importer”;

      b. the footnotes, Clause 9(a) Option 1, Clause 11(a) Option and Clause 17 Option 1 are omitted, the time period in Clause 9(a) Option 2 is 14 days, and the applicable annexes are completed respectively with the information set out in the DPA and the Agreement;

      c. to the extent that Customer acts as a controller and Netcore Cloud acts as a processor, Module Two applies and Modules One, Three and Four are omitted, and to the extent that each party acts as a processor, Module Three applies and Modules One, Two and Four are omitted;

      d. the “competent supervisory authority” is the supervisory authority in Ireland;

      e. the Clauses are governed by the law of Ireland;

      f. any dispute arising from the Clauses will be resolved by the courts of Ireland; and

      g. if there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail.
  2. In relation to transfers of personal data from the UK, the Clauses as implemented under section 1 above will apply subject to the following modifications:

      a. the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”);

      b. tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DPA and the Agreement (as applicable); and

      c. table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.

 

  3. In relation to transfers of personal data from Switzerland, the Clauses as implemented under section 1 above will apply subject to the following modifications:

      a. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);

      b. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;

      c. references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;

      d. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;

      e. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;

      f. the Clauses are governed by the law of Switzerland; and any dispute arising from the Clauses will be resolved by the courts of Switzerland.

 

United States of America

California

To the extent that Netcore Cloud is processing on behalf of Customer any personal information in scope of the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, the “CPRA”), effective as of January 1, 2023:

  1. Netcore Cloud is prohibited from selling or sharing personal information it collects (as that term is defined in the CPRA) pursuant to the Agreement.

  2. The specific business purpose (as that term is defined in the CPRA) for which Netcore Cloud is processing personal information pursuant to the Agreement is to provide, manage and secure the Services, and Customer is disclosing the personal information to Netcore Cloud only for the limited and specified business purpose set forth in the Agreement.

  3. Netcore Cloud is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any purpose other than for the business purpose specified in the Agreement or as otherwise permitted by the CPRA.

  4. Netcore Cloud is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any commercial purpose (as that term is defined in the CPRA) other than the business purposes specified in the Agreement, unless expressly permitted by the CPRA.

  5. Netcore Cloud is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement outside the direct business relationship between Netcore Cloud and Customer, unless expressly permitted by the CPRA.

  6. Netcore Cloud is required to comply with all applicable sections of the CPRA, including – with respect to the personal information that Netcore Cloud collected pursuant to the Agreement – providing the same level of privacy protection as required of businesses by the CPRA.

  7. Netcore Cloud grants Customer the right to take reasonable and appropriate steps to ensure that Netcore Cloud uses the personal information that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CPRA.

  8. Netcore Cloud is required to notify Customer after it makes a determination that it can no longer meet its obligations under the CPRA.

  9. Netcore Cloud grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Netcore Cloud’s unauthorized use of personal information.

  10. Netcore Cloud is required to enable Customer to comply with consumer requests made pursuant to the CPRA or Customer is required to inform Netcore Cloud of any consumer request made pursuant to the CPRA that they must comply with and provide the necessary information to Netcore Cloud to comply with the request.

 

Virginia

To the extent that Netcore Cloud is processing on behalf of Customer any personal data in scope of the Virginia Consumer Data Protection Act (VCDPA), effective as of January 1, 2023, Netcore Cloud shall:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

  2. At Customer’s direction, delete or return all personal data to Customer as requested at the end of the provision of the Services, unless retention of the personal data is required by law;

  3. Upon the reasonable request of Customer, make available to Customer all information in its possession necessary to demonstrate its compliance with the obligations under the VCDPA;

  4. Allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor; alternatively, Netcore Cloud may arrange for a qualified and independent assessor to conduct an assessment of Netcore Cloud’s policies and technical and organizational measures in support of the obligations under the VCDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Netcore Cloud shall provide a report of such assessment to Customer upon request.

  5. Engage any subcontractor pursuant to a written contract in accordance with the VCDPA that requires the subcontractor to meet the obligations of Netcore Cloud with respect to the personal data.