General Data Protection Regulation | GDPR

GDPR Overview

Right to data is a fundamental for every individual. With organizations across the world collecting customer data to enable them to provide services. It becomes important that companies manage data in a transparent manner with the customer’s consent.

GDPR is one of the most important change to data privacy regulations in the last two decades. It stands for “General Data Protection Regulation”. It establishes a new framework for handling and protecting the personal data of EU-based residents which comes into effect on May 25, 2018. It provides the citizens of the EU greater control over their personal data and assurance that their information is being securely protected across Europe.

Does GDPR affect you?

Although GDPR is a data protection framework for the citizens residing in the EU. It also applies to all companies that handle personal data of individuals from the EU, which means almost every major corporation in the world will need to be ready when GDPR comes into effect.

If you or your organization stores and processes personal data in connection to services or goods offered in EU, then the laws will apply to you. Also, in the the event of infringement of these laws, you can face fines and penalties from 10 million to 20 million or 2% to 4% of the annual revenue of the organization depending upon whichever is higher.

Our commitment to GDPR

We are fully committed towards being GDPR compliant by the 25th of May, by when the regulation comes into effect. Over the past few months, multiple internal teams have been working towards making sure that we are aligned to the GDPR framework. Also, we’ve built product features for great privacy and data control for our product. Learn about our organization wide efforts for GDPR.

At Freshworks, the makers of Freshservice, we have always implemented and practiced processes which ensure that customer data is stored and processed in ways only necessary to serve our customers in the best possible way. Our privacy, security & data storage policies are also streamlined with the GDPR goals and objectives. Visit our security page, to know more about the privacy and security policies.

GDPR Readiness Initiatives at Freshservice

At Freshservice, we are committed towards upholding the underlying principles of GDPR and below are some of the initiatives undertaken.

Accountability

At Freshservice, there exists an established Privacy Policy created with support from our leadership. Our leaders commit to support and provide guidelines for data protection compliance through a framework of standard policies and procedures.

Customer's Personal Data with Freshservice

The GDPR require organisations to provide more information about the way individuals’ information is used. Freshservice delivers on our customer’s privacy policy objective by enabling comprehensive data flow and process maps for the customer’s data which is updated and in sync with the GDPR guidelines.

Know more about the Data Processing Addendum →

Privacy by Design and Default

Programs, projects, and processes at Freshservice are aligned to Privacy Principles right from the inception of an idea or project, thereby supporting Privacy by Design and Default principles.

Individual Rights, Subject Access, and Communication

The GDPR program thoroughly evaluates how Freshservice, both as a data controller and processor, is placed with its existing procedures for readiness to:

Provide rights of individuals under GDPR
Assist customers in responding to data access requests from individuals.

Features built for GDPR readiness

How can I forget/delete a user’s personal data?

GDPR mandates that if a user decides to exercise their right to be forgotten, it should be complied with. To support you with these requests, Freshservice has built a 'Forget User' option. This would permanently delete user information in the system, as well as tickets/notes/calls that belong to the user.

When the admin decides to ‘Forget a user’, Freshservice displays a pop-up indicating confirmation of the action. As part of this, Freshservice provides the admin with all necessary information related to the action they are about to take. This is achieved by providing a hyperlink pointing to detailed information on what 'Data' and 'Activities' mean.

If a ‘Requester’ (eg: Employee) wants to be forgotten

This process can be only carried out by the admin.
The admin can visit the respective user’s profile page and select option ‘Forget User’.
On selection of the option, a popup is displayed informing the admin of resulting actions and dependencies.
On an affirmative action from the admin, the first step is to delete PII. This data is replaced with a tag called ‘Forgotten User

As a next step, the system will check if the Requester was involved in any core helpdesk related activities like Approvals, Change requests, etc. If there are no core helpdesk activities, all related data such as tickets, notes and chats will be deleted.

Core helpdesk activities of the ‘Forgotten user’ identified by the system will be retained.

If an ‘Agent’ wants to be forgotten:

This process can be only carried out by the admin.
Similar to the case of the Requester, the admin will visit the agent profile page and select option ‘Forget User’.
On selection of the option, a popup is displayed informing the admin of resulting actions and dependencies.
On an affirmative action from the admin, the first step is to delete PII. This data is replaced with a tag called ‘Forgotten User

None of the helpdesk related items will be deleted, activity data will be retained as is

Note: All these actions are recorded under ‘Activities’ and actions pertaining to ‘Forget Agent’ will be listed in Audit Logs too.

How to address a user’s request to opt-out of analytics?

To meet the customer’s need to opt out of their data being used for business analytics, Freshservice provisions for two things:

User level opt-out

Irrespective of user type (agent or requester) the admin must navigate to the user profile page and select option,‘Opt out of analytics’. On actioning this, sharing of user data will be terminated.

Customer level opt-out

In order to stop analytics for the whole account, the customer must reach out to our support team, and we will terminate tracking account data.

Do I need to move my data to an EU data centre ?

["The GDPR program thoroughly evaluates how Freshservice, both as a data controller and processor, is placed with its existing procedures for readiness to,"]

GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on the transfer of personal data outside the EU. GDPR only mandates that such transfers be legitimised through any of the mechanisms provided in the regulation.
Some ways of legitimised transfers are through EU-US Privacy Shield Certification and Model Contractual Clauses. Freshworks is certified under the EU-US and Swiss-US Privacy Shield.

For more information or questions about the Freshservice Privacy Policy, please contact support@freshworks.com

Freshworks is committed to providing secure products and services by implementing and adhering to prescribed compliance policies, both as a data controller and processor. The upcoming GDPR enforcement is critical to our mission of providing EU and all our global customers with safe and dependable business software suite.

Disclaimer: This is for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and/or your organisation. We encourage you to obtain independent professional advice, before taking or refraining from any action on the basis of the information provided here.