monday.com and the GDPR
monday.com is GDPR ready
At monday.com, nothing to us is more important than our customers’ success and the protection of their data. With customers in nearly every country in the world, we adhere to the General Data Protection Regulation (GDPR). The GDPR expands the privacy rights granted to European individuals and requires certain companies that process the personal data of European individuals to comply with a new set of regulations. In particular, the GDPR may apply to companies that process the personal data of European individuals and have a presence in the EU (e.g. offices or establishments) and to companies that do not have any presence in the EU but target the European market (e.g. by offering goods or services to the European market) or monitor the behavior of European individuals. We’re here to help our customers in their efforts to comply with the GDPR.
What is the GDPR?
The European Union’s General Data Protection Regulation (GDPR) became applicable in May 2018 and established a structured and comprehensive framework on how to collect, process, use, and share personal data in order to protect the privacy rights of EU data subjects. The GDPR generally applies to any organization operating within the EU and any organizations outside of the EU that offer goods or services to customers or businesses in the EU – and process personal data of EU-based individuals.
The GDPR expands the privacy rights granted to European individuals and is designed to protect their data protection rights by strengthening the security and protection of their data, and strengthening their control over how their personal data is handled.
In the UK, parts of the GDPR were incorporated into local law by the enactment of the Data Protection Act 2018. On 31 December 2020, the remaining provisions of the GDPR were incorporated into local UK law, creating what is known as the “UK GDPR”. Currently, the UK GDPR contains very similar requirements to the EU GDPR. When we refer to “the GDPR” we are referring both to the EU GDPR and to the UK GDPR.
Roles and Responsibilities
The GDPR distinguishes between two main types of roles regarding the processing of personal data: “Data Controller” and “Data Processor”. A data controller determines the purposes and ways that personal data is processed, while a data processor is a party that processes data on behalf of the controller.
Customers who are using monday.com’s services to process personal data for their own purposes and means will typically be considered the “Data Controller”, and are primarily responsible for meeting all applicable GDPR requirements; monday.com serves as its customer’s “Data Processor”, processing such personal data on behalf of its customers.
Compliance with the GDPR?
Our legal and privacy teams regularly monitor and review our practices in order to ensure ongoing and full compliance with the GDPR, including:
- Reviewing and strengthening our security infrastructure and practices, data encryption in transit and at rest, backup, logs, and security alerts.
- Conducting periodic risk assessments and data mapping processes to ensure proper management of personal data in accordance with the GDPR’s requirements.
- Engaging in regular monitoring of the guidance around GDPR compliance and ensuring ongoing compliance with the GDPR through our internal procedures, processes and controls and recurring training sessions for the team.
- Enabling our customers to respond to data subject requests to exercise their privacy rights, and deleting or anonymizing analytics data of users after a user’s deletion.
- Engaging EY as an external auditor to obtain a SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA).
- Receiving internationally recognized security certifications for ISO 27001 ISMS (information security management system) and ISO 27018 (for protecting personal data in the cloud).
- Ensuring appropriate contractual terms are in place, to perform our role as a data processor for our customers while complying with the GDPR.
- Revising our Data Processing Addendum to ensure the protection of personal data according to customary industry standards, and to provide appropriate lawful mechanisms and contractual terms in compliance with the GDPR following the invalidation of the Privacy Shield Framework.
- Allowing our customers to enter into standard contractual clauses (SCCs) adopted by the European Commission on 4 June 2021 (both controller-to-processor and processor-to-processor) for the international transfers of personal data, including an Annex intending to cover transfers of personal data from the UK to third countries (see Annex III). We have supplemented the SCCs with Additional Safeguards (see Annex IV) to further strengthen the rights and freedoms of data subjects.
- Regularly performing security and privacy assessments of our sub-processors to ensure their adherence to GDPR principles.
- Designating a representative in the EU and in the UK and appointing a Data Protection Officer (DPO) for monitoring and advising on monday.com’s ongoing privacy and data protection compliance and serving as a point of contact in relation to data protection and privacy matters for individuals and supervisory authorities.
- Having procedures for handling suspected breaches concerning personal data, limiting use, disclosure and retention of personal data, and regularly conducting privacy training for all relevant members of our staff.
If you have any questions concerning monday.com’s privacy program and our compliance with the GDPR, please feel free to contact our Data Protection Officer & Privacy Team at firstname.lastname@example.org.