This document is designed to help Intrro customers and users understand and, where applicable, comply with the General Data Protection Regulation (“GDPR”). The GDPR is the most significant change to European data privacy legislation in the last 20 years and went into effect on May 15, 2018.
GDPR is designed to give European Union (“EU”) citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law.
Intrro has made information security and data privacy foundational principles of everything we do, and we recognize the importance of adhering to regulations to advance information security and data privacy for citizens of the EU.
We are fully GDPR compliant and follow GDPR principles, including explicit consent, purpose limitation, security, the right to be forgotten, and more.
You can read our Privacy Policy to learn more about how we use and safeguard privacy and data.
Intrro self-attests for GDPR compliance using Vanta, and we're happy to share trust reports on request with any customer or prospect who may be interested in using Intrro.
We appreciate that our customers have requirements under the GDPR that are directly impacted by their use of our services. Below are several GDPR initiatives that have been implemented across our services.
GDPR strengthens the rights of data subjects in many ways, including rights to request access to, correct, restrict, object to, and/or erase personal data processed about them. Intrro has put a process in place to support the data subject access requests that we receive, which will assist our clients with compliance in supporting the right to object and the rights of access, rectification and erasure.
GDPR places a much higher threshold on controllers that rely on consent as a basis for processing personal data. It is up to our clients to determine the purpose and means of processing and to ensure that they provide instructions on the lawful processing of the personal data they send to Intrro. For employees of yours who refuse to allow their personal data to be processed, or who withdraw their consent, where you have no other lawful reason to process their data, we can try to offer alternative ways to use our services. This way, employees have a genuine choice without jeopardizing their ability to realize the value of their awards. For data which Intrro receives directly from your employees, Intrro has updated its Privacy Policy, which can be found here.
GDPR implements new notification requirements on both controllers and processors for data breaches that lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data. While Intrro has a comprehensive Incident Response Policy in place already, we have updated this Policy to align with the new notification requirements, which will ensure that we can update our clients without undue delay and so allow our clients to meet their obligations under GDPR in the unlikely event of a personal data breach.
Can my organization request to modify the DPA?
We are unable to accept modifications to our DPA.
Have you adopted the new Standard Contractual Clauses?
Yes. In light of the new Standard Contractual Clauses adopted and approved by the European Commission, we have updated our DPA to incorporate the SCCs. You can learn more at New SCCs & the GDPR.
Contact our support team with any specific requests or questions, and you can expect us to get back to you within 24 hours!