HQ Blog CK2 B6 Collector Processor Header

With the new GDPR, Teamleader acts both as a controller and processor of data. Learn what this means for you as a Teamleader user, how you can benefit from our GDPR measures and what your own responsibilities are.

Disclaimer: the summary of GDPR responsibilities and compliance measures are designed to give customers an idea of the steps we’re taking in order to prepare for compliance by May 25th 2018. These are, however, not the only measures we will be taking. All our security measures will be listed in the TOM or Technical and Organisational Data Security Measures documentation.

25 May 2018 marks the day the General Data Protection Regulation (GDPR) will come into force. The GDPR provides EU citizens with better control over personal data and assures more data security across Europe. Teamleader will be compliant when the GDPR comes into force. This blog is designed to help outline the role and responsibilities of Teamleader in the GDPR.

Data controller vs. data processor: what does this mean?

GDPR - Teamleader - Data controller vs. data processor

The new GDPR states that we, as a cloud service provider, control and process personal data of you, our user. To help you understand our responsibilities in this regard, let's start by defining what a data controller and data processor is.

Here's what Article 4 of the GDPR says:

  • Controller: the entity which determines the purposes and means of the processing of personal data
  • Processor: the entity which processes data on behalf of the controller and maintains detailed records of the data

A few examples to demonstrate this in practice:

  • a data controller could be your doctor holding your medical record, a baker holding your address information for a customer loyalty card, or any company holding their employees’ data for e.g. payroll.
  • a data processor could be any IT service provider, just like Teamleader, that processes data on behalf of a controller. For example, a web agency uses a direct marketing tool to contact new leads. The direct marketing tool processes data of the new leads on behalf of the web agency.


Note that businesses can be both data controllers and processors. In the case of a payroll company, they’re also controller of data about their own staff, but act as a processor when it comes to their clients.

Defining Teamleader’s dual role as data controller and processor

Teamleader’s role as a data controller

Teamleader’s role as a data processor

Control data you enter in Teamleader and determine the purposes and means of processing

Process the data stored in your Teamleader account and maintain detailed records of this data

In relation to: customers, prospects, business partners, service providers, employees/personnel

In relation to: customers (as controllers), standard third-party integrators (sub-processors such as email delivery service SendGrid, VoIP cloud solution Twilio and product analytics platform Mixpanel) and Marketplace integrations (sub-processors such as MailChimp and LinkedIn)

As a collector, we will have these documents in place to comply with the new framework:

  • a privacy declaration with a data subject (i.e. an identified or identifiable natural person to whom the personal data relates, such as a customer, prospect or business partner)
  • form ‘exercise rights of the data subject’: e.g. when you ask us to delete or change personal data
  • incident management procedure: a clear and well-defined step-by-step plan to detect and report security breaches

On top of the documents we will have as a controller, these are some examples of documents we will have as a processor:

  • a data processing agreement with our customers
  • a data processing agreement with our sub-processors
  • our security measures policy

Teamleader’s responsibilities to be GDPR-compliant

GDPR - Teamleader - GDPR compliantTo get a sense of the measures we’re taking in order to be fully compliant by May 25th 2018, here’s a list of some of the GDPR principles and how these will translate into practice:

  • Fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner. We will inform customers about which personal data we collect and how we’re using this.

    In practice: the GDPR doesn’t allow for data processing without a lawful basis, such as selling customers’ personal details to third parties.

  • Data minimisation: the data we collect needs to be adequate, relevant and limited to what’s necessary for the purpose of collecting it.

    In practice: our updated privacy declaration documentation will make reference to the GDPR and will contain information about the type of personal data that’s collected, the use and the retention period.

  • Accuracy: personal data should be accurate and up to date.

    In practice: when your personal info changes (e.g. you moved), you can ask us to update your information accordingly.
  • Right to be forgotten: as a user or potential customer, you have the right to have your data erased at any moment, even if you've given us consent to process that information earlier on.

    In practice: you can ask us to permanently delete personal data and will be able to easily do so for your customers’ data too
  • Confidentiality: our data should be processed in a manner that ensures appropriate security of the personal data and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.

    In practice: we have an internal incident management procedure in place to detect and report security breaches. That procedure also specifies which steps we need to take in case of a data breach.

Your responsibilities as a Teamleader user
GDPR - Teamleader user - GDPR compliant

“At Teamleader, we try to take away some of the pains of becoming GDPR compliant for our customers, so they can focus on what really matters, their core business.” - Tom Schouteden, CTO at Teamleader

Teamleader is taking the necessary precautions to enable your GDPR compliance by May 25th. However, it’s key to emphasise when our users enter personal data (e.g. from their customers) into Teamleader, they act as a data controller and have exclusive responsibility to be privacy-compliant. In this case, Teamleader as a platform solely acts as a facilitator and processor of personal data. Consequently, in our role as data processor we can’t provide GDPR assistance to our customers.

Data security, privacy and legal compliance have always been key priorities for us. This will only be reinforced when the new GDPR comes into effect. Rest assured: now and in the future, Teamleader will remain a trustworthy solution to handle your personal data - and we will have all the documents and measures in place required by the GDPR.