1. What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The series of laws builds on an earlier policy, the Data Protection Directive, which Europe adopted in 1995. The GDPR aims primarily to give control to residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
2. What steps does FullContact take to secure Personal Data?
FullContact is SOC2 Type 2 certified and part of the Cloud Security Alliance (CSA), demonstrating an effective and mature security posture. Additionally, FullContact has implemented compliance frameworks for GDPR, CCPA, and other international and domestic privacy laws. The company employs a privacy professional in-house who is responsible for privacy program management and is CIPP/E certified.
3. What is considered ‘personal data’?
According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
4. What is ‘client personal data’?
‘Client personal data’ is any ‘personal data’ that a Client sends or otherwise makes available to the FullContact Platform for processing.
5. Can I control the data FullContact has about me?
Yes, you can. Simply click on the “Own Your Personal Data” button in the left sidebar to access and modify your data.
6. What does a Data Protection Officer do? Does FullContact have a Data Protection Officer?
The Data Protection Officer (DPO) informs and advises FullContact on its obligations pursuant to GDPR; monitors compliance in relation to the protection of personal data (including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits); provides advice on data protection impact assessments; and cooperates with the supervisory authority.
FullContact was one of the first companies to have a GDPR (CIPP/E) certified executive and Data Privacy Officer. The CIPP/E is the first professional credential specific to European data protection professionals that is part of a comprehensive, principles-based framework and knowledge base in information privacy.
Data Protection Officer
Data Solutions Customers:
These answers apply only to customers who are on the Private Plan and have signed a Data Processing Addendum (DPA) or will sign a DPA as requested by Article 28 to satisfy GDPR compliance.
7. Under what conditions are FullContact products & services GDPR compliant?
FullContact data products and services are GDPR compliant. For our data products, the customer must execute a Data Processing Addendum (DPA). A Private Plan is also available as an option for additional privacy protection: no private data is ever stored in our data co-op, and use of third-party sub-processors, with the exception of Amazon Web Services (AWS), is restricted.
8. What client personal data is covered under the GDPR?
Only personal data of EEA data subjects is covered under GDPR. However, because it is often difficult to determine whether or not personal data belongs to an EU data subject, for Clients on the Private Plan, FullContact treats all client personal data as if it falls under GDPR.
9. Does a Client on the Private Plan contribute to the data co-op?
No, the Private Plan (which is currently required for GDPR compliance) does not allow for participation in the data co-op.
10. Can a client be on the Private Plan and also opt-in to using Insights Bundles?
All Insights Bundles are available to customers on the Private Plan. This includes Affinities, Social, Demographic, Location, Email Hash, Employment History, Key People, Individual, Professional, Finance, Household, Purchases, Lifestyle, and Shopping Habits.
11. What does FullContact do with the personal data that a Client submits (e.g., a query to the FullContact API)?
Clients send client personal data (such as one or more personal identifiers) to FullContact when making an API request or providing a customer file for matching. API queries are logged in order to honor our contractual obligations related to fair billing. However, the log files of Private Plan clients record only the minimum query fields necessary for billing purposes and any client personal data is secured by encryption.
12. How does FullContact comply with the GDPR requirement for a processor to provide a list of sub-processors?
We do not use any sub-processors for Clients who have executed a DPA, except for FullContact’s hosting provider, Amazon Web Services, with all relevant AWS data centers used by FullContact being located in the United States of America.
13. From where does FullContact source data?
14. Does FullContact share my information with third parties?
FullContact Apps Users:
These answers apply to users of our FullContact app to manage their contacts.
15. Where can I change my consent elections in the FullContact Contact Management App?
You can review and change your consent elections from the Settings page in any FullContact app (or Preferences in FullContact for Mac), or by visiting the following page: https://app.fullcontact.com/account/privacy
16. Where does FullContact store my data?
Our data is stored on Amazon Web Services (AWS) servers that are located in the United States.
17. As a FullContact Apps user, how can I control the use of my contact data?
As an Apps user in the EU, you can alter how FullContact uses your data at any time by adjusting your consent in the Privacy Settings, which can be found on the Settings screen in all apps (or Preferences in FullContact for Mac), or by visiting the following page: https://app.fullcontact.com/account/privacy.