How does the GDPR apply to my data within Smartsheet?
The GDPR may apply if your company is processing personal data within Smartsheet relating to European Union (“EU”) residents, regardless of your physical or geographic location, or if you yourself are a EU resident. European law separates those who process data into two categories of “Controllers” (those who control the collected personal data and determine the purposes and means of the processing of personal data) and “Processors” (entities which process personal data in accordance with the written instructions of the Controllers). The GDPR applies to both categories, and the two are not mutually exclusive (i.e., an entity may be acting as both Controller and Processor depending on the data set). In its business operations and in providing its services to customers, Smartsheet can be a Controller and a Processor of Personal Data, and sometimes both at the same time. Smartsheet’s role as either a Controller, Processor, or both will typically be identified in a contract related to the Processing at hand or as otherwise provided for in Smartsheet’s Privacy Notice.
“Processing,” as defined by the GDPR, refers to any operation or set of operations performed on personal data or sets of personal data, whether or not by any automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Smartsheet is obligated under the GDPR, and other global privacy law, in its capacity as both a Controller and Processor of personal data. As a Controller, Smartsheet respects the rights of all data subjects and outlines its practices (specifically, the type of personal data that is collected, used, and shared) in its publicly available Privacy Notice. As a Processor, Smartsheet respects the rights of data subjects and follows the guidelines below when processing personal data. Although the GDPR applies only to European residents, Smartsheet does not distinguish between users located inside or outside of the European Union and has taken a global approach to its privacy and security practices.