What is the GDPR?
The General Data Protection Regulation (GDPR) came into effect in the European Union (“EU”) and the European Economic Area (“EEA”) on May 25, 2018. It applies to organizations established in the EU or EEA and, regardless of where they are based, to organizations that offer goods or services to, or monitor the behavior of, individuals located in the EU or EEA. It gives individuals control over their personal data and imposes obligations on organizations for the collection and processing of that personal data. The GDPR requires that any entity handling personal data have appropriate “technical and organisational” measures in place to protect that data. Personal data is any information relating to an identified or identifiable individual, such as your name, email address or phone number. We at Copyright Clearance Center, Inc. (“CCC”) and RightsDirect B.V. (“RD”), CCC’s wholly-owned European-based subsidiary, work to comply with the GDPR and believe that compliance is good practice wherever our customers and partners are located.
Are CCC and RD in compliance with the GDPR?
CCC and RD take data protection and privacy seriously and invest substantial efforts in compliance activities. CCC and RD are actively engaged in all of the steps required for GDPR compliance and have successfully completed third party audits and certifications (described below) that indicate our dedication to data protection and privacy.
If I am not in the EU, do CCC and RD still have to follow the GDPR to process my personal data?
Anyone doing business in the EU/EEA, or offering goods or services to individuals located there, is subject to the GDPR and to enforcement action under it. The regulation protects individuals based on where they are located, not on their citizenship, so communications with individuals who are in the EU/EEA are covered whether or not those individuals are EU/EEA citizens. Therefore, because we send and receive communications with customers, partners and prospects in the EU/EEA, we are subject to the GDPR.
In addition, the careful processing and the protection of data are important to our customers as well as to CCC and RD ourselves, whether or not a specific regulation applies. Thus, we employ a uniform policy consistent with GDPR, wherever our customers are located.
What have CCC and RD done to prepare for the GDPR?
As an organization, one of our missions has always been to protect data while making it accessible for legitimate uses. The protection of intellectual property is at the core of our business. We apply that same commitment and vigilance to the protection of personal data. We are continually working to improve our data security and privacy processes and procedures.
To prepare for the GDPR based on available information, CCC and RD chose to leverage our existing compliance initiative, which covers all types of data and is based on measurable standards. We launched this company-wide initiative in 2016 based on the exacting and objective certification process of the information security standard ISO 27001 of the International Organization for Standardization (ISO), as well as SOC 2 Type 2 (System and Organization Controls) audits. The processes required to meet these standards align closely with those required by the GDPR.
CCC completed SOC 2 Type 1 and Type 2 audits in 2017 and completed an ISO 27001 internal audit in early 2018, all with no major non-conformities. We anticipate ISO 27001 certification in late 2018. Our SOC and ISO preparedness activities enabled CCC to qualify in the initial group of applicants for the EU-US Privacy Shield and for recertification in 2018. In addition, our online privacy notices have been recertified annually by TrustArc (formerly TRUSTe). CCC and RD are confident that the activities we undertook to achieve these third-party certifications (and our intention to maintain them in order to provide service to our customers) have put us on course for continuing GDPR compliance.
Why do you need my personal data?
The GDPR requires us to have a lawful basis for collecting and using your personal data. For example, your personal data might be necessary for the performance of an agreement or the fulfillment of an order, which is itself a lawful basis. Providing you with informational materials that you have requested, or that relate to a service or product you use or to an interest you have otherwise indicated to us, is processing we carry out under our “Legitimate Interest”, another of the lawful bases the GDPR recognizes.
How did you get permission to use my personal data or to contact me?
In most instances, the basis for our use of personal data is a contract we sign with an organization providing the information (such as the company for which you work), or a direct communication with you in connection with a transaction in one of our services. Where we rely on your consent, for example to send you certain informational materials, we obtain it through your choosing to “opt in” to receiving them.
Now that you have my personal data, what rights do I have?
You have the right to learn what information we are holding about you, and you may ask that action be taken to correct, remove, transfer or restrict the use of your personal information, or object to its processing. When we receive such a request (through the email boxes identified below), we have one month to respond (extendable by up to two further months for complex or numerous requests) by verifying your identity and then carrying the request out, or by explaining the reasons we are unable to fulfill it.