Teamleader & GDPR
The General Data Protection Regulation (GDPR) is a European law on data protection and privacy which has been in force since May 2018. It imposes rules on companies which deal with personal data. Teamleader strives to be as GDPR compliant as possible itself all the while helping its customers meet their obligations under the GDPR.
To understand how we deal with the GDPR at Teamleader, it is important that you are familiar with the following terms:
Personal data: any data that can be used to identify a person. This is a very broad concept, not limited to names, addresses and contact details. For instance, in some cases, IP addresses can be considered personal data.
Processing: anything you do with personal data, such as collecting it, storing it, managing it, analyzing it, consulting it, sharing it or selling it. You name it.
Data subject: the person whose personal data is being processed. In other words, the person who can be identified using the data one has about them.
The GDPR makes a clear distinction between two roles:
- The ‘data controller’: determines which personal data is processed and for which purposes the personal data is used (deciding);
- The ‘data processor’: processes certain personal data on behalf of the data controller (facilitating).
A party’s responsibilities regarding personal data are different depending on its role.
It is possible for one party to act as a data controller in some cases and as a data processor in others. This is the case for us.
When using our work management software, you enter personal data (e.g. name, telephone number, email address, etc.) of third parties into your account. These third parties can be your company's or organization's customers, leads, business partners, etc. (“contacts”). Basically anyone whose personal data you’ve collected for your own purposes, e.g. to provide your services. You are the data controller in relation to their personal data.
We facilitate the management of your contacts’ data through our software. By entering their personal data into your account, you are sharing this data with us. Our job is to keep this data, for which you are the controller, available and safe on your behalf. That makes us the data processor here.
Wherever possible, we provide tools and assistance enabling you to meet your obligations under the GDPR. Even though we make reasonable efforts to help you with GDPR compliance, it remains your final responsibility as data controller to meet your obligations under GDPR.
To clearly define the respective GDPR responsibilities of us (as processor) and you (as controller) we have made sure that there is a DPA in place.
In the DPA, we list the different technical and organizational measures we take to safeguard the security of your data and the reliability of our software. The DPA also sets out a clear and well-defined procedure in case of a data breach.
In addition, the DPA includes a general overview of the personal data which we expect to process on your behalf.
Read the DPA for more information:
As a processor, we engage a limited number of sub-processors. These parties can process some parts of the personal data, for which you are the controller, for specific purposes.
We rely on these trusted sub-processors for three main reasons:
- to host our applications for you and to make sure they run smoothly;
- to offer certain built-in functionalities (“standard integrations”); and
- to provide customer support.
All of these sub-processors were carefully selected because of their strict data protection policies and thorough security measures. We have made the necessary contractual arrangements with each of them to make sure that they meet the same high standards set forth in our DPA with you.
See the full list of sub-processors:
All customer data is hosted on servers located in the EU:
- For Teamleader Focus: AWS servers in Dublin, Ireland (EU-WEST-1 region);
- For Teamleader Orbit: Microsoft Azure servers in Amsterdam, the Netherlands (West Europe region).
Do note that some of the sub-processors we rely on are US-based. As a result, data in your account can be transferred outside the European Economic Area (EEA) to a very limited extent and only for very specific purposes. For this, we have proper governance (transfer mechanisms) in place in line with the GDPR requirements.
This section in the DPA deserves additional attention.
As long as you are a customer with us, we keep the data in your account. You are of course free to delete any data from your account, e.g. to meet your own obligations as a controller regarding data minimization and storage limitation.
When your contract with us ends, you will have the possibility to export the data from your account. We permanently delete the personal data in your account within a short period of time after your contract with us has ended:
- For Teamleader Focus: 3 months;
- For Teamleader Orbit: 12 months.
The reason we keep the data temporarily after the end of the contract is to be able to restore your account should you wish to do so. You can always ask for the data to be deleted earlier. Once the deletion is done, we can no longer restore your account or provide you with an export of your data.
By deleting the personal data in your account, we effectively anonymize the data. In other words, we no longer have a way to identify your contacts using the data that is left. We retain the remaining anonymized data for research, training, educational, statistical and commercial purposes. This is also clearly stipulated in our terms of service. Anonymous data is not covered by the GDPR and can be used freely.
We are a data controller when we decide to collect and use your personal data for our own commercial purposes. We mainly do this to provide and improve our services.
Read our Privacy Statement to learn more about why we collect certain personal data about you, how long we store this data, which privacy rights you have, etc.
As a data controller, we engage several service providers which we instruct to process your personal data on our behalf for various purposes, e.g. to send you our newsletter or to collect feedback from you. We have DPAs in place with all these processors to ensure that they apply the same high standards of data protection as we do.
Next to everything mentioned above, we have some strict internal policies and procedures in place to carefully handle all personal data. As an example, in a limited number of well-defined cases, colleagues from our Development, Support and Customer Success teams can access the data in your account. Access rights are restricted to authorized personnel only, based on the principle of least privilege. All actions in the account are duly logged. These audit logs are regularly reviewed to prevent abuse.
We also organize recurring awareness initiatives to ensure that data protection remains top-of-mind with our colleagues at all times.
Ensuring the security of your data and complying with data protection legislation is an important part of our mission. We continue to invest effort and resources to make improvements in this area.
If you have a question or feedback regarding our privacy practices feel free to contact our Data Protection Officer (DPO) via email@example.com.