General Data Protection Regulation (GDPR)

Transparency and Accountability

Purpose of the GDPR Obligation

Ensure transparent communication with data subjects regarding the processing of their personal data. Ensure data subjects are notified of their rights under the GDPR.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

Brandy' Terms of Service Agreement, Privacy Policy, and supporting policies provide a transparent notice to inform its customers. In addition, Brandy offers legal mechanisms for cross-border transfers of personal data from the EU.

Exceptions to the GDPR Obligation

A data controller is exempt from these obligations if it cannot identify which personal data in its possession relates to the relevant data subject (i.e., if personal data is anonymized and cannot be re-identified).

Access and Rectification

Purpose of the GDPR Obligation‍

Allow data subjects to require a data controller to rectify any errors in their personal data.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

Agents have access to their profiles to amend inaccuracies.

Exceptions to the GDPR Obligation

Provision of this right to a data subject should not adversely affect an organization’s intellectual property (i.e., giving access to a data subject should not require disclosure of trade secrets).

Right to be Forgotten

Purpose of the GDPR Obligation

Provide data subjects with the right to delete their personal data if the continued processing is not justified. For example, you may need to delete your customer’s personal data to comply with your GDPR obligations.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

Data will be deleted upon request immediately

Exceptions to the GDPR Obligation

A company is not required to delete data, except when one of the following reasons is present:

• The personal data is no longer needed in relation to the purposes for which it was collected or otherwise processed.
• The data subject withdraws consent, and there are no other legal grounds for processing.
• The data subject objects to processing, and there are no overriding legitimate grounds for processing.
• The personal data has been unlawfully processed.
• The personal data has to be erased for compliance with a legal obligation.
• The personal data has been collected in relation to the offer of information society services to a minor under 16 years old.
  

Data Portability

Purpose of the GDPR Obligation

Provide data subjects with the right to transfer their personal data between data controllers. For example, your customer requests for you to export and provide them with all associated personal data that you store.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

Brandy Helpdesk has an industry standard REST API that can be used to export all the data from Brandy.

Exceptions to the GDPR Obligation

Inferred and derived personal data (e.g., a credit score or health assessment) are not included because they are not “provided by the data subject.” Data controllers are not obligated to retain personal data simply for the purposes of providing a copy of the personal data pursuant to a potential data subject request.‍

Objection to Processing

Purpose of the GDPR Obligation‍

Provide data subjects with the right to transfer their personal data between controllers.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

Brandy has documented and implemented internal mechanisms to:

• Cease processing personal data based upon specific data subject requests, confirmed instructions by Brandy' customer in its capacity of data controller, and the particular reasoning for objecting to processing.
• Cease processing for direct marketing purposes upon request.
• Cease processing of personal data for scientific, historical, or statistical purposes.

Exceptions to the GDPR Obligation

Data controller must cease processing upon request unless:

• The data controller demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject.
• The data controller requires the data in order to establish, exercise, or defend legal rights.
• Processing for scientific, historical, or statistical purposes is carried out for reasons of public interest.