GDPR Readiness at Celigo

GDPR Readiness at Celigo 2018-07-18T16:51:20+00:00


In December 2016, the EU Parliament and Council agreed upon the EU General Data Protection Regulation (GDPR), first proposed in 2012, to go into effect on May 25, 2018.

GDPR offers a new framework for data protection with increased obligations for organizations. GDPR focuses on protecting personal data and handing control of it back to the subject of the data.

We’ve been receiving a lot of questions from our Customers, Vendors, Prospects, and Partners. So we’ve provided some more information in the following areas:

1. Customer GDPR Roll-Out

Where customers are processing personal data with Celigo, as this is against third party data sources, we are asking our customers to advise us on the lawful processing condition for using our products/services. This ‘reason why’ will need to be determined by our customer, as they are the Data Controller. Celigo is the Data Processor, acting under their instruction.

There are six lawful processing conditions:

  • Compliance with a legal obligation
  • Performance of a contract
  • Legitimate interest
  • Public interest
  • Vital interest
  • Consent

2. Governance Structure and Celigo’s Data Protection Officer

Data privacy is discussed throughout Celigo with regular presentations to all of our Employees, the Executive Team, and members of our Board of Directors.

Celigo’s named Data Protection Officer is Jessica Curry.

Jessica leads the Privacy and Data Compliance initiative, where each Department Head has a core focus on the products Celigo delivers, helping embed data privacy into operations whilst also monitoring activity on an ongoing basis.

3. Data Mapping

Celigo has completed its Article 30 Data Mapping exercise. We know what data we have, where it’s held, how we access it, the classification of the data, records for transfer and flowcharts to show how it moves between systems, processes and countries.

4. Information Security

Led by our Chief Technology Officer, Scott Henderson, the Engineering Team is focussed on maintaining an information security program which covers everything you would expect and more.

This includes technical security measures (e.g. intrusion detection, firewalls, monitoring), restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture across our product family.

5. Privacy Impact Assessments

Where appropriate, a Privacy Impact Assessment will be completed and evidence gathered, such as copies of privacy notices, a due diligence questionnaire, and periodic testing.

6. Responding to Subject Access Requests / Rectification / Deletion

Celigo has a process in place to manage these requests and sees no issue responding within the new GDPR required timescale of 30 days.

7. Data Breach Reporting

The ICO (Information Commissioner’s Office) has a blog that clears up a lot of myths around data breach reporting. Art. 33(2) states that, as data processor, Celigo’s obligation is to notify data controllers without undue delay after becoming aware of a breach. WP29 has provided some guidance on this, which states:

“The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so “without undue delay”. Therefore, WP29 recommends an immediate notification by the processor to the controller, with further information about the breach provided in phases as information becomes available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours.”

Celigo’s position is that the regulation states “without undue delay”, and this is what we will abide by. However, we recognise that for our Customer, the Data Controller, the clock will only start ticking when they become aware there has been an incident.

8. Cookies & Privacy Policy Update(s)

Celigo is happy to protect the privacy of all data subjects across the Globe. We have updated our Privacy Policy and Cookies Policy to provide users transparency.

9. Celigo Subprocessors

Celigo, Inc. uses certain subprocessors to assist it in providing to its customers the Services as described in the Terms of Service available at Terms of Service or such other location as the Terms of Use may be posted from time to time (as applicable, the “Agreement”). Defined terms used herein shall have the same meaning as defined in the Agreement. View a full list of Subprocessors here.

A subprocessor is a third party data processor engaged by Celigo who has, or potentially will have, access to, or who processes, Customer Content (which may contain Personal Data). Celigo engages different types of subprocessors to perform various functions as explained on the Subprocessors page.

10. Who to Contact

You can reach our Compliance team via email for any GDPR related questions at:

Updated: May 15, 2018 | v1