GDPR General Statement
The General Data Protection Regulation (GDPR) took effect on May 25th, 2018. The regulation expands upon and replaces the EU Data Protection and Privacy rules with a more comprehensive framework that dictates how the personal information of EU data subjects is used, stored, transmitted and protected, and codifies EU data subjects’ rights regarding that data. The GDPR also requires that businesses share with the EU data subject how personal data is being handled; respond to certain data subject requests about that data; and handle that data with proper security controls. The regulation also sets a standard for how that data is shared with other controllers and processors and sets guidelines for use or transfer of that information in countries with different laws and regulations regarding data use and transfer. A copy of the text of GDPR can be found here.
How AIRINC adheres to the privacy standards of the GDPR
Our commitment to GDPR did not end on May 25th, 2018, as we are constantly improving our policies and procedures to adhere to the standard and to go a step further to ensure all data we collect is properly protected. The GDPR is not another checkbox for AIRINC but a process of improvement of our Information Security program and the controls we have in place to ensure that the data we collect is collected properly, our systems are tested and our employees are trained to understand the regulation and other data protection laws. The goal is not only to ensure we are GDPR compliant but to provide a better service to our users.
AIRINC strives to be transparent about how we collect data regarding our customers and to provide information to them on the data that we currently have. All our teams work to ensure that the data collected is only what is needed to provide the best service and that data subjects’ information is used only for the purpose of fulfilling those services. AIRINC is Privacy Shield certified, which requires the company to adhere to requirements for transference of data between the EU and US and Switzerland and the US. As of July 16, 2020 the European Court of Justice invalidated the EU-US Privacy Shield framework; since then AIRINC utilizes EU Standard Contractual Clauses with our clients and our European entities (AIRINC RESEARCH UK LTD., AIRINC EUROPE BVBA SPRL) as a legal framework for transferring data between the US and the EU.
How does AIRINC adhere to the GDPR?
AIRINC complies with and follows the direction of the GDPR in each of its business functions. Upon analysis of the regulation, AIRINC reviewed its environment to determine how customer data is acquired and stored and made necessary adjustments to our policies, procedures and security controls. As AIRINC works with clients around the world, we have worked to ensure that our current services adhere to the GDPR and we will apply what we learned to all future services we build.
How does AIRINC comply with the requirements for transferring data between the EU and US?
AIRINC is a Privacy Shield certified company and adheres to the framework set forth by the US Department of Commerce, Swiss Administration and EU Commission. As of July 16, 2020 the European Court of Justice invalidated the EU-US Privacy Shield framework; since then AIRINC utilizes EU Standard Contractual Clauses with our clients and our European entities (AIRINC RESEARCH UK LTD., AIRINC EUROPE BVBA SPRL) as a legal framework for transferring data between the US and the EU. Detail regarding the requirements we have set forth for AIRINC can be found in our Privacy Notice (https://www.air-inc.com/privacy-policy/).
Does AIRINC comply with the data transference requirements of the GDPR regarding third parties?
Once AIRINC collects a data subject’s personal information it avoids as much as possible sharing that information with any vendor, third party, contractor or other type of outside service. Once AIRINC collects the personal information, it is stored in our systems and is not transferred outside of our network to any controllers or subprocessors without explicit permission from our clients. AIRINC never sells personal data to other companies, and to the extent it is ever shared, it is only to complete the purpose for which the data was acquired.
Yes. Our Privacy Notice can be found here (https://www.air-inc.com/privacy-policy/) and outlines what actions AIRINC performs on personal information and how that information is collected. The Privacy Notice also includes contact information where further questions and concerns can be addressed.
How can an EU citizen request to have their information removed or modified? Is there a process for viewing the information that AIRINC has when requested by an EU citizen?
Within the AIRINC Privacy Notice there is an Enforcement section that provides contact information on how to reach us regarding any questions or concerns you may have on your data privacy within the GDPR directives. This same contact information can be used for questions related to data subject access requests, portability, erasure, etc. The contact information is as follows:
Associates for International Research, Inc.
675 Massachusetts Avenue
Cambridge, MA 02139
Telephone (617) 250-6700 | Fax: (617) 354-2135
How can an AIRINC customer enter into a Data Protection Agreement (DPA) with AIRINC?
As required by GDPR, AIRINC’s data processing is governed by our privacy policies and DPAs signed with our customers. Our standard DPA can be found here, which includes the EU Standard Contractual Clauses.