FAQs - General Data Protection Regulation (GDPR)

Amber Road welcomes the General Data Protection Regulation (GDPR) as an opportunity to reaffirm our commitment to data protection and privacy rights. Amber Road is GDPR compliant and we are committed to supporting your GDPR compliant use of the Amber Road platform. We understand that data privacy and compliance with GDPR is a shared responsibility between Amber Road and you, as our customer. To support your GDPR compliance, we have outlined in this FAQ the most common questions asked about GDPR and your use of the Amber Road platform.

What is GDPR?

The General Data Protection Regulation (GDPR) is a new privacy law in the EU that came into effect on May 25, 2018. The objective of GDPR is to strengthen the personal data rights of EU individuals through tighter limits on processing of personal data, providing increased transparency into the nature, purpose and use of personal data and increasing the individual’s rights over their data. The GDPR replaces the existing Data Protection Directive, also known as Directive 95/46/EC.

Who does GDPR apply to?

GDPR regulates the processing of personal data of EU individuals. If you are established in the EU and processing personal data, then GDPR applies to you. If you are not established in the EU but you offer goods or services to EU individuals, then GDPR applies to you. Essentially, GDPR applies to any organization that processes personal data of EU citizens, regardless of where it is located.

What is considered personal data?

Any information relating to an identified or identifiable natural person in the EU is considered personal data under GDPR. An identifiable person is one who can be identified directly or indirectly, particularly by reference to an identifier such as name, email address, identification number, or location, as well as online identifiers such as IP address. In certain instances, the Amber Road platform processes personal information such as name, email, telephone, address, business title and other, generally business, contact information. These are called “categories of personal data”.

Who are the “data controllers”, the “data processors” and what is “processing” under GDPR?

Under GDPR, a data controller is the organization that collects the personal information and determines the purposes, conditions and means of the processing of personal data. A data processor is an organization that processes personal data on behalf of the data controller. When you use the Amber Road platform to enter personal data, your organization is the data controller and Amber Road, by virtue of its platform, is the data processor.

As the data controller, you determine the personal data we process on your behalf through your use of the Amber Road platform. As the data processor, we process data on your behalf based on instructions you provide, which include your configuration and use of the Amber Road platform and terms set out in our contractual agreement with you.

Data processing is a broadly defined term under GDPR and includes collection, storage, transfer, use or deletion of personal data.

What steps does Amber Road already take to protect personal data?

As a software-as-a-service (SaaS) provider, Amber Road has already implemented a number of state-of-the-art data protection measures, and for further security we offer our customers optional encryption for data at rest. For more information on our security measures, please review our Customer Data and Network Security White Paper and our Privacy Policy.

What steps has Amber Road undertaken to comply with new GDPR requirements?

We understand the importance of personal data and have taken steps to protect and secure this information within the infrastructure of the Amber Road platform. We place the utmost importance on data protection and are committed to helping our customers comply with this new regulation. We have recently undertaken the following actions in connection with GDPR compliance:

  • Modifying our products, where applicable, to reduce collection of personal data and ensure compliance with GDPR requirements for processing personal data.
  • Making sure our data deletion practices comply with GDPR.
  • Updating product design policies to ensure our engineers are building products with privacy principles in mind.
  • Updating our privacy policies to keep our website visitors and customers informed of how we may collect and use their personal information.
  • Entering into data processing addendums with current customers and vendors to reflect the parties’ GDPR security obligations and privacy requirements.
  • Reviewing our marketing practices to ensure we are communicating with prospects and customers in a manner that respects their rights under GDPR.
  • Reviewing our security practices to ensure that the personal data we process on behalf of our customers, through their use of our services, is adequately protected.

Does EU data need to stay in the EU?

No. Although Amber Road generally stores personal data of EU customers on our European servers, GDPR allows personal data to be transferred outside of the EU if adequate data protection measures are in place. Any Amber Road transfer would be pursuant to a valid transfer mechanism that protects the data once it leaves the EU, such as a data processing addendum (DPA), Standard Contractual Clauses or the EU-U.S. and Swiss-U.S. Privacy Shield Certifications.

Is Amber Road certified under the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks?

Yes. Amber Road is certified under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. It is a reflection of our commitment to our customers that we maintain adequate safeguards for transfer of personal data from the EU and Switzerland to the U.S. Our active Privacy Shield certification can be found here.

I’m an Amber Road customer: what is a GDPR data processing addendum (DPA) and how do I put one in place?

If you are subject to GDPR and if your organization is a data controller (responsible for collecting data and determining how it is processed), GDPR requires that you enter into an agreement with anyone who handles data on your behalf, i.e., a data processor. A data processing addendum is an addendum to an existing services agreement between a data controller and a data processor, and sets forth how they will both meet the requirements of GDPR.

As a data processor, we offer an industry standard and GDPR compliant DPA to our Subscription Agreement that our customers may review and sign, which can be found here.

How does Amber Road ensure that its vendors comply with GDPR?

As part of our Privacy Shield compliance and GDPR readiness program, Amber Road regularly reviews the privacy and security compliance of vendors that handle personal data on Amber Road’s behalf. We are also working to ensure that all contracts with vendors that process EU personal data are supplemented with a GDPR DPA.

How does Amber Road ensure that its employees comply with GDPR?

Amber Road has developed annual security training with GDPR content that is mandatory for all employees to complete. Completion is tracked through our employee training system. Amber Road also provides periodic privacy and security reminders to employees to reinforce data privacy and data security best practices.