GDPR Compliance and EU Data Protection Policy
Learn more about how the GDPR applies to your use of QuickInvoice and what we've done to ensure compliance and give you more control over your data.
GDPR Introduction
QuickInvoice is a strong advocate for privacy. We care about our users' rights. Leading up to the implementation of the GDPR (the EU privacy law in force since 25 May 2018), we have been hard at work building numerous features that give customers more control over the data stored on our platform. We have designed and enabled these features for all our customers, regardless of whether the GDPR specifically applies to them. We wrote this document to explain how the GDPR applies to your use of QuickInvoice and what we have done to ensure we comply with the new rules.
We recommend that you review this document carefully and present it to your privacy team.
Note: EU data protection laws, including the GDPR, are complex. This guide should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.
What is the General Data Protection Regulation (GDPR)?
The GDPR is a regulation designed to harmonize data privacy laws throughout the European Union (EU). It offers individuals in the EU greater transparency and control over how their personal data is used and makes companies handling personal data accountable for their choices. Even businesses that are not based in the EU must comply with the GDPR if they collect and process personal data of individuals located in the EU.
Is QuickInvoice a controller or a processor?
If your data processing activities fall under the scope of the GDPR, one of the first questions you should ask yourself is "Am I a data controller or a data processor?". The answer will help you determine your compliance obligations under the GDPR. The controller is the organization that determines the purposes and means of processing. As a customer of QuickInvoice, you operate as the controller when using our products and services. You are responsible for ensuring that the personal data you collect is processed lawfully and that you use processors, such as QuickInvoice, that provide sufficient guarantees to meet the key requirements of the GDPR.
QuickInvoice is a processor. We act on the instructions of the controller (you), which reach us in the form of requests made through our application and API. Like controllers, processors are expected to comply with the GDPR.
On which legal basis can you collect and process personal data?
As a processor, we rely on our customers to ensure that personal data is collected on one of the lawful grounds for processing set out in the GDPR. You, as a controller, can collect personal data on one of the following legal bases: (i) consent; (ii) processing is necessary for the performance of a contract you have with the data subject; (iii) processing is necessary for compliance with a legal obligation; (iv) processing is necessary to protect the vital interests of the data subject or of another person; (v) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; (vi) you (or a third party) have a legitimate interest in processing the personal data and that interest is not overridden by the interests, rights and freedoms of the data subject.
What personal data does QuickInvoice collect and how is it used?
We are committed to being transparent about how we handle and process personal data. As one of our customers, you should be aware of how we handle personal data on your behalf.
We keep data only as long as it is necessary to provide our services. Where possible, we employ mechanisms that automatically remove data once it is no longer needed to provide our services.
How have we engaged in complying with the GDPR?
As a processor, we have specific obligations under the GDPR. In this section, we highlight how we handle personal data and what efforts we are making to ensure that you, as one of our customers, can trust us. In our efforts to comply with the GDPR, we have conducted a detailed risk analysis of all applications that may process personal data of individuals located in the EU. Based on the results of that analysis, we have put in place appropriate measures that allow us to comply with the new requirements. First of all, we have assembled a dedicated team of data protection and security specialists who review QuickInvoice's processing of personal data and ensure that privacy is always kept in mind.
Thanks to our team, we have taken many proactive steps towards compliance with the GDPR:
We have implemented, or are working on, new policies and procedures to detect personal data breaches and notify our customers without undue delay, so that they can meet the breach notification requirements of the GDPR. We have developed procedures to deal with the requests we receive from data subjects and to inform you of such requests. We have reviewed and updated the security policies and controls we have in place; these are continually tested and evolve in line with changing regulations and governance requirements. We carry out regular data protection training for our employees and staff. We have created and maintain a record of our data processing activities. The above are only some of the steps we have taken on our path towards GDPR compliance, which is an ongoing exercise.
What about QuickInvoice’s sub-processors?
Processors may rely on other third parties in the processing of personal data. These entities are commonly referred to as "sub-processors". At QuickInvoice, we use cloud infrastructure providers (Digital Ocean, Amazon Web Services and Google Cloud Platform) to host QuickInvoice; payment infrastructure providers (Cashfree, Instamojo, Paytm, PayU and RazorPay); e-mail infrastructure providers (MailJet, MailGun, ElasticMail and Google); and SMS infrastructure providers (Msg91, Twilio, SendGrid and TextLocal). As required under the GDPR, we have put in place appropriate measures with our sub-processors so that the personal data we process on your behalf remains secure. If you are one of our customers, we will provide you with the full list of the sub-processors we use.
How do we support you in dealing with data subject rights?
Under the GDPR, EU data subjects have the right to access, correct, delete or export their personal data. They also have the right to restrict the processing of their personal data. We have designed our platform with several self-service features that our customers can use to review the personal data stored on our platform and respond to data subject requests. In particular, these features are designed to support the right to data portability, the right of access, and the right to be forgotten. When we, as a processor, receive a request directly from a data subject, we will engage the respective customer within seven days so that the data subject request can be answered (unless otherwise required by law).
What is a Data Processing Agreement and do we need one?
If you are a data controller, the GDPR requires that you enter into an agreement with your data processors. This agreement is referred to as a "Data Processing Agreement" (DPA) and sets out how a controller and a processor meet the requirements of the GDPR. To make your life easier, we have drafted a DPA that our customers can sign. Our DPA is designed to address the requirements of Article 28 of the GDPR. It sets out the respective obligations of QuickInvoice, as the data processor, and of our customers, as data controllers. If you are one of our customers, we will provide you with the DPA on request.