What is GDPR?
The EU General Data Protection Regulation (“GDPR”) is a comprehensive data protection law that came into effect on May 25, 2018. It replaced the existing EU Data Protection law to strengthen the protection of “personal data” and the rights of EU individuals regarding how their personal data is collected and used. It is a single set of rules that governs the processing and monitoring of EU data.
Clay is headquartered in the United States. Our websites and services are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States. However, some of our enterprise customers may be based in the EU or engage in other activities that require them to comply with the GDPR.
Today, thousands of individuals and organizations rely on Clay as the backbone for their people and relationships. We know that our customers take GDPR seriously and need vendors that can help accommodate their GDPR needs. Our legal, operations, and product teams, therefore, consistently ensure that we have appropriate product safeguards, policies, and knowledge to facilitate our customers' continued use of Clay.
Since some elements of Attribute Data are not collected from data subjects directly, Clay's processing activities are based on (i) consent or (ii) the legitimate interest of both Clay and its business customers, among other legal bases as applicable depending on the context. Clay's data is processed to provide business intelligence (for sales, marketing, and operations) and help organizations drive revenue by providing users with accurate and up-to-date business information.
Legitimate Interest and Data Protection Impact Assessment
Many advanced privacy regimes require that personal data be obtained and processed lawfully and fairly. Personal data should be collected and processed for a legitimate purpose, after balancing the interests of the organization against the interests and rights of the individual whose data is processed.
Clay conducted a Data Privacy Impact Assessment (“DPIA”) with the help of privacy experts. The DPIA confirms that Clay's processing of business profile information satisfies the grounds for the processing of personal data on the basis of a legitimate interest. It also determined that this legitimate interest is not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Here are the findings:
Nature of the data
The information collected by Clay is extremely limited. It does not contain any special categories of personal data and is not related to children.
Reasonable expectations of Contacts
Although any personal information about data subjects that we provide our customers access to can be found on business social platforms or during the course of normal business correspondence, we do not collect data directly from the data subjects. As a result, they may not know that their data is in our database. They can always exercise their rights in relation to their data through our Privacy Request Form.
Processing proportionate to the purpose
Clay follows data minimization principles and only collects data that are strictly necessary to achieve its purposes. Clay has processes in place to limit the data processed to business contact information which is professional in nature. Through our Privacy Request Form, individuals can claim control over their data.
Data subject rights
Clay operates in accordance with fundamental privacy principles that underlie global privacy regulations, with respect to an individual’s right to know what personal data is collected and how it is used or otherwise processed. Clay has features that support customers' ability to handle data subject requests, such as requests for access, correction, or erasure, by allowing individuals to access and modify applicable personal information via our Data Request Form.
Data deletion and retention
Clay periodically verifies the accuracy of all of the information in its databases. Data that is found to be inaccurate or out of date is removed from the database. In addition, we honor all opt-out requests so if any person requests deletion of their data, then such data would be deleted.
When a customer terminates their contract with us, we delete their account and remove any associations of such customer with any data in our databases promptly, and no later than 90 days after termination of their contract.
Clay enforces the principle of least privilege and has documented segregation of duties. We also enforce formal logical and account separation of the development, QA and production environments.
Currently, Clay stores all its data in servers of US-based cloud companies. The GDPR doesn’t require personal data of EU citizens and residents to be only stored within the EU.
We maintain a list of the subprocessors that we use as part of our products and services, including the activities and services performed by such subprocessors and their country location.
We operate in accordance with internal privacy and data protection policies that are based on privacy principles that underlie international privacy regimes, including the GDPR and the California Consumer Privacy Act (CCPA). We actively monitor and intend to comply with any new applicable privacy laws.
Training and awareness
Annual privacy and security training is mandatory for all Clay personnel. These trainings are actively tracked and regularly reviewed to help ensure compliance and relevance for our business activities. We also deliver periodic privacy and security communications to supplement required trainings, further reinforcing data privacy and data security best practices.
Governance and accountability
Clay's privacy program is directed and overseen by its VP, Legal and Privacy, and a team of dedicated professionals. IAPP-certified privacy professionals review company activity with privacy and data protection implications, assess compliance, and make recommendations to help meet compliance requirements.
Privacy by design
Our product and engineering teams work closely with our global privacy team to embed privacy principles in our products and services and help ensure privacy compliance with respect to the various phases of product development, starting at concept, through requirements gathering, to implementation and release. Beyond product development activities, our privacy team drives our privacy-by-design approach on a corporate-wide basis, including assessing a variety of activities across the company involving personal data for privacy compliance.
Clay is GDPR compliant.
Clay has undergone a GDPR compliance review and we’ve taken many steps to ensure full compliance and security for all our user data. Here are a few highlights of what we have done:
Data Protection Officer
We’ve appointed a Data Protection Officer, Zachary Hamed, to oversee and advise on our data management. Get in touch by emailing email@example.com.
Data Processing Addendum
We’ve created a data processing addendum (DPA) that supplements our Terms of Service and provides contractual safeguards to our customers for the processing of the personal data sent through People Data Labs, enabling these customers to be compliant with the GDPR. If you need a copy of our DPA, your organization’s administrator can email firstname.lastname@example.org.
International Data Transfers
In connection with the performance of the Agreement, the Customer authorizes Clay to transfer Personal Information to the United States. Customer and Clay will enter into Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries pursuant to Commission Decision 2010/87/EU of 5 February 2010 (“Model Contract”). This document is covered in Exhibit B of our Data Processing Addendum.
As part of our compliance review, we’ve scrutinized all third-party vendors we use to make sure they also prioritize the security and privacy of personal data. We’ve ensured our signed contracts with them take the highest levels of security into consideration. We know data security doesn’t just stop with us, and we’ll continue to vet any new sub-processors in the future.
Processes, procedures, and training
Being a process-driven company was a great help in becoming compliant. We’ve updated our existing processes and implemented additional ones around subject access requests and process reviews. We’ve also had all team members undergo data protection training and GDPR training.
We updated our existing breach management and communication process to comply with the GDPR regulations concerning the escalation process and requirements for data subject notification.