GDPR
General Data Protection Regulation
General Data Protection Regulation (GDPR) is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents. It is the most comprehensive EU data privacy law in decades and became effective on May 25, 2018.
Besides strengthening and standardizing user data privacy across the EU nations, it imposes new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.
GDPR is intended to offer protection for you or any identifiable natural person (the “Data Subject”) regarding your information (your “Personal Data”, “data”). You, as a Data Subject, have broad rights.
Your Rights Under GDPR
Consent
Under GDPR, you opt in to have an organization (the “Data Controller”) collect your Personal Data.
Special Categories of Data
Unless specifically authorized, GDPR prohibits the processing of certain special categories of data such as race, ethnicity, political and religious beliefs, sexual orientation, genetic, and biometric data. Aptivio does not acquire or process any data belonging to these categories.
Right of Access
If you consented to a Data Controller processing your Personal Data, you may then request the following:
- A copy of your Personal Data undergoing processing
- Purpose of processing
- Categories of data processed (e.g., name, address, online browsing behavior)
- Any third-party recipients of your Personal Data, both backward and forward-looking, especially recipients in third-party countries (i.e., countries outside of the EU)
- Any third-party sources of your Personal Data (i.e., not collected from the Data Subject directly, for instance by purchasing said data from another source that previously collected the data directly)
- How long such Personal Data would be stored, or if that is not determinable, how the length of this period would be determined
- Data rectification
- Data erasure
- Restriction of data processing
- Objection to data processing
Right to Rectification
You, as a Data Subject, have the right to have any errors or inaccuracies of Personal Data corrected. The Data Controller will implement requests without undue delay.
Right of Erasure
You, as a Data Subject, have the right to have your Personal Data erased or forgotten. The Data Controller will remove your Personal Data and confirm deletion via a notification to you. Data Controllers are also required to maintain these transactions.
Right to Data Portability
You, as a Data Subject, have the right to have your Personal Data exported and provided to you in complete form.
Breach Notification
In the event of a data breach in which your Personal Data is compromised, your Data Controller is required to notify you within 72 hours.
Our Commitment to Protecting Your Personal Data
We are committed to partnering with customers and users to ensure that we are fully compliant with the requirements of GDPR. We recognize your rights under GDPR and will ensure that these rights are honored, and your Personal Data is protected.
Measures to achieve this include:
- A new Data Processing Addendum depending on our relationship with you and the country in which you are domiciled
- Additional investments in our security infrastructure
- Appointment of a Data Security Officer
- Support and maintenance of our Privacy Shield self-certification
- New clarity on procedures for consent, data portability, and privacy preference inquiries
We will continue to monitor the guidance around GDPR compliance from privacy-related regulatory agencies and services and adjust our plans accordingly if that guidance changes.
International Data Transfers: Privacy Shield and Contractual Terms
To comply with EU data protection laws around international data transfer mechanisms, we self-certify under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to establish a way for companies to comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States.
In addition, we offer European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the EU.
Data Controller Versus Data Processor
Your Personal Data may enter our processing scope in multiple ways. We are either a Data Controller or a Data Processor under the GDPR. The way in which your Personal Data is obtained, who has control over that data, and who has the responsibility for protecting and administering your rights, determines whether we are a Data Controller or a Data Processor. This section describes our role as both a Data Controller and Data Processor and explains how you can interact with us in either role.
Role of a Data Controller
When you interact with Aptivio via our marketing and sales development outreach programs as a website visitor, as a webinar participant, or through asset downloads, we act as the primary Data Controller from a GDPR perspective. In these cases, we are responsible for obtaining your consent and providing means for exercising your data rights.
Personal Data
Personal Data you submit during registration, such as your name, email, phone number, and address.
Consent
- When you interact with web forms and similar registration pages at our website (or partners that we collaborate with), we will request explicit consent prior to you submitting your Personal Data.
- When we contact you and you provide information to us, and you consent to our use of the information we obtained from you.
- When your colleague from your organization volunteers your Personal Data to us via email or other information channels. We will follow up to obtain consent using the email provided to us, or we will indicate in our email communication that we do not yet have consent but request that you provide us consent to continue our use of your personal data.
We ensure that any data we procure from third-party services is obtained by that third party after obtaining your consent. If you had previously provided consent to collect your Personal Data, you may choose to withdraw that consent at a later point.
Please send an email request to GDPR@aptiv.io and we will implement the request and provide a confirmation of your consent withdrawal via a reply email to your email address. The acknowledgment email will also provide you with the consequences of withdrawing your consent.
Onward Transfers
We do not sell Personal Data to any other third-party organization. We do not transfer rights to Personal Data to any party or use the data other than for the original purpose it was obtained. Any transfer to a third party is solely intended for the processing of data and Aptivio has secured agreements with downstream Data Processors to protect Personal Data and enforce GDPR data rights for you.
Data Access
As part of GDPR, you have the right to request your Personal Data be made available to you. We will provide:
- All Personal Data that we have on record
- How and when we obtained the data
- Our use of your data
- Whether any data was transferred to any other third party
To request this data, please contact GDPR@aptiv.io and we will respond within 30 days of your request.
Data Erasure, Accuracy, and Portability
You may submit a request via GDPR@aptiv.io to delete all data about you. We will comply with this request but will use your email to send a confirmation notice that we performed the requested action.
You may submit a request via GDPR@aptiv.io to update Personal Data that we have about you. We will perform this and will use your email to send a confirmation notice that we performed the requested action.
You may submit a request via GDPR@aptiv.io to obtain an export of all your data for data portability. We will provide this information via a CSV or JSON file. Such a report will include meta-data such as when particular data was added and any updates to the data. This will include an audit trail of the data.
Data Breach Notification
We will notify you by email if your Personal Data was compromised via a breach within 72 hours. This includes any breach that was caused by a Data Processor that we have authorized to process your data.
Filing a Complaint
In the event that you are not satisfied with our resolution of your requests, you have the right to file a complaint. Please submit a request via GDPR@aptiv.io to file a complaint. You also have a right to file a similar complaint with a supervisory authority for the jurisdiction you are in and seek appropriate remediation.
Role of a Data Processor
To request your Personal Data, please send a request to GDPR@aptiv.io. For data processed by us, we will forward your request to your employer or the organization to which you provided the data (the Data Controller), who will then initiate a request to provide that information. Since our role is only that of a Data Processor, we will not be able to provide your Personal Data directly.
Consent
When we process and display your Personal Data, that data was acquired from your employer or our customer that you interact with. If it is Personal Data that you submitted to your employer, you provided consent to your employer to use that data for their business purposes. If it is Personal Data that our customers obtained in the process of conducting business with you or your employer, they rely on your consent to use the data for business purposes. To withdraw an earlier consent that you provided, contact your employer or the organization to which you provided the original Personal Data. We will not be able to alter your consent, as we are the Data Processor.
Data Breach Notification
In the event of a data breach, Aptivio, as a Data Processor, is required to notify your employer/organization that there was a data breach. Your organization will then notify you regarding the breach, its impact, and potential remedies. We will not notify you directly.
Data Erasure, Accuracy, and Portability
To request an export or erasure or update of Personal Data held by Aptivio, please send a request to GDPR@aptiv.io. We will forward your request to your employer/organization, who will then initiate a request for us to complete the request. Since our role is only that of a Data Processor, we will not be able to perform these actions directly.
List of Sub-Processors
Aptivio as a Data Processor has engaged the services of the following sub-processors. Some or all of your Personal Data may be transferred to them. All such transfers are governed by Master Service Agreements that establish the scope of processing as well as the legal basis for such processing. We require sub-processors to perform the specified processing only for the purposes of delivering the services that are part of the agreement. To learn more about the GDPR initiatives of our sub-processors, please visit the web pages listed here:

- Amazon Web Services, Inc.

- Microsoft Azure

- Oracle Cloud
