GDPR Compliance with Regie.ai
Katie Bonadies
Last Update 2 months ago
Under GDPR, there is a clear distinction between data controllers and data processors. A data controller is the entity that determines the purposes and means of processing personal data. In contrast, a data processor processes data on behalf of the controller. Regie.ai operates as a data processor, while its customers act as data controllers.
Responsibilities of Data Controllers:
Obtaining lawful consent from data subjects
Defining the purposes and legal bases for data processing
Upholding the rights of data subjects, including the right to access, rectify, and erase personal data
Responsibilities of Data Processors (Regie.ai):
Acting strictly on the documented instructions of the data controller
Implementing appropriate technical and organizational measures to ensure data security
Assisting the data controller in responding to data subject rights requests and maintaining records of processing activities
For more detailed information on the roles and responsibilities under GDPR, we recommend consulting the official GDPR resource.
As a data processor, Regie.ai operates under the instructions of its customers—the data controllers. This means Regie.ai is tasked with handling personal data in a manner that complies with GDPR requirements while ensuring that it adheres to the specific instructions and policies set forth by its customers.
Regie.ai's primary responsibility is to follow the controller's instructions regarding data processing activities. This includes implementing appropriate technical and organizational measures to ensure data security, assisting with data subject rights requests, maintaining records of processing activities, and ensuring transparent sub-processing practices.
Regie.ai empowers customers to customize their data processing activities, from list setups to geographic targeting and audience expansion. Customers maintain control over the data they process using Regie.ai, ensuring that they adhere to their own GDPR compliance policies. For instance, customers can specify which geographic regions to target or avoid, manage opt-in consent, and determine the content of communications. Regie.ai ensures it operates strictly within these guidelines, allowing customers to remain compliant.
Data security is paramount under GDPR. Regie.ai employs stringent technical and procedural security measures to protect customer data. The platform complies with several industry-recognized security standards, including SOC 2 and AppExchange security certifications. In addition, Regie.ai has earned GDPR compliance certifications that validate its commitment to data security. These certifications, alongside regular security audits, demonstrate that Regie.ai has implemented robust measures to safeguard personal data against unauthorized access, loss, or breaches.
Regie.ai maintains a fixed and transparent list of sub-processors involved in data processing activities. This list is regularly updated and communicated to customers. Any changes to this list, such as the addition of a new sub-processor, are communicated to customers in advance, allowing them to review and approve or reject the new sub-processor. The list is available upon request. This transparency ensures that customers are fully informed about how and where their data is processed, maintaining compliance with GDPR's requirements for data processors.
Regie.ai maintains detailed records of processing activities to support its customers in their compliance efforts. This includes tracking all actions taken on personal data, such as importing data, sending emails, making calls, and managing sequences. These records are readily available to customers, allowing them to demonstrate compliance with GDPR's record-keeping requirements. For example, Regie.ai logs every interaction it has with a customer’s sales leads, providing a comprehensive history of how personal data has been processed within the platform.
In the unlikely event of a data breach, GDPR requires data processors to notify the data controller within 30 days. Regie.ai is committed to this requirement and has established procedures to ensure prompt notification. This allows the data controller to take necessary steps to mitigate any potential impact on data subjects and fulfill their legal obligations to inform regulatory authorities and affected individuals.
GDPR grants data subjects specific rights, including the right to access, rectify, and erase their personal data. Regie.ai assists its customers in fulfilling these requests efficiently. For instance, data subjects can request to access, change, or delete their data by contacting [email protected]. Regie.ai will ensure that the requested data is updated or deleted within 30 days, in compliance with GDPR.
Upon contract termination, Regie.ai ensures that all personal data is either returned to the customer or securely deleted within 30 days. The platform offers a process for securely archiving and purging data to ensure it is no longer accessible or recoverable. During this period, the data is rendered inaccessible to ensure it cannot be used for further processing, in line with GDPR requirements.
While this resource focuses on GDPR, Regie.ai also acknowledges the importance of other data protection laws, such as the California Consumer Privacy Act (CCPA). Furthermore, upcoming regulations, like the AI Act, are on Regie.ai's radar. As a low-risk provider under the AI Act, Regie.ai is already preparing to ensure continued compliance as the regulatory landscape evolves.
Regie.ai is dedicated to supporting its customers in their GDPR compliance efforts by acting as a responsible data processor. Through robust security measures, transparent data processing practices, and a commitment to assisting with data subject rights requests, Regie.ai provides a platform that prioritizes data privacy and security. By leveraging Regie.ai, customers can confidently maintain compliance with GDPR, ensuring that personal data is handled with the utmost care and in accordance with legal requirements.