Contents

Data Transfers

• Does GDPR prohibit data transfers to 3rd countries?
• What transfer mechanism does Sailthru use to transfer personal data from the EU to third countries as a data processor?
• To what countries does Sailthru transfer personal data?
• Does Sailthru share subscriber data with third parties?
• How does Sailthru document and track the processing of personal data?

Individual Privacy Rights

• How does Sailthru assist me in providing for individual privacy rights?
• Does Sailthru act upon individual privacy rights requests it receives directly from my subscribers/end users?

Data Transfers

GDPR has many provisions designed to ensure that data subjects retain their rights and the transparency of data processing regardless of who is processing it and where the processing occurs. Particularly where data transfers are to entities operating outside the EU, it’s important that the adequacy of protections is assessed and appropriate guarantees are made via a Data Protection Agreement (“DPA“) with an approved transfer mechanism.

Does GDPR prohibit data transfers to 3rd countries?

GDPR does not prevent data from being transferred from the EU to the US or other third countries. It does require that the data is protected and processed in ways that meet EU standards and adds a burden of proof to that requirement. Sailthru’s DPA contains information our customers need to know about how we comply with GDPR, including when we transfer data to third countries in order to provide our services.

What transfer mechanism does Sailthru use to transfer personal data from the EU to third countries as a data processor?

Sailthru will ensure GDPR standards are met wherever customer data is processed, regardless of geographic location, by providing appropriate safeguards for that data and ensuring that the data subject rights laid out in the regulation are preserved. Our DPA includes the controller-to-processor Standard Contractual Clauses approved by the European Commission and found here.

To what countries does Sailthru transfer personal data?

Sailthru processes personal data in the United States, United Kingdom, and Australia.

Does Sailthru share subscriber data with third parties?

Customer data will be shared with our sub-processors who are engaged by us to provide certain features/functionalities embedded with the Services. This data is not shared with third parties for their own use, and all transfers of personal data to our sub-processors and other vendors are governed by agreements which guarantee appropriate safeguards for that data.

How does Sailthru document and track the processing of personal data?

We have undertaken the task of ensuring security, privacy, and data subject rights throughout our product’s sub-processors in two parts:

1. The Data Processing Record. In preparation for GDPR, detailed audits of all areas of the business and their data handling practices were performed. Data Privacy Agreements were put in place (to the extent an agreement was not already in place) with all sub-processors that have access to our customers and/or their subscribers/contacts personal data to ensure appropriate technical and organizational controls are maintained and that they have committed to meeting all requirements of GDPR related to data processor activities.
2. Vendor Onboarding Process. Similar to our efforts with current sub-processors, we will put in place data protection agreements with all sub-processors that will have access to our customers and/or their subscribers/contacts personal data to ensure appropriate technical and organizational controls are maintained and that they have committed to meeting all requirements of GDPR related to data processor activities. This process includes reviews by Legal, Privacy, Security, and Finance teams to ensure appropriate technical and organizational controls are maintained and that they have committed to meeting all requirements of GDPR related to data processor activities. This process includes reviews by Legal, Privacy, and Security teams to ensure adequate protection of personal data.

Individual Privacy Rights

GDPR, CCPA, and other global privacy laws give individuals defined rights to protect their privacy. While the nature of these rights may vary from law to law, they are based on fundamentally similar concepts, including the right of the individual to control their personal data. The broadening intersection of private life and data processing activities now demands more attention to maintain these rights while still allowing for secure and respectful data flows.

How does Sailthru assist me in providing for individual privacy rights?

Please review the information found here to learn more about the measures Sailthru put in place to assist our customers with individual privacy rights requests.

Does Sailthru act upon individual privacy rights requests it receives directly from my subscribers/end users?

Simply put, no. Data controllers are responsible for carrying out requests related to the rights of any data subjects about whom they store personal data. In order to fully complete a data subject’s request for retrieval or deletion, all processors acting on behalf of the controller must be notified. Only the data controller would have complete knowledge of how the processing activities are carried out, including any transfers of data to 3rd parties like Campaign Monitor.