GDPR Policy

What is GDPR?

The General Data Protection Regulation (GDPR) is a privacy regulation enacted by the European Union (EU) in April 2016 to safeguard the privacy and control over personal data in the digital world for citizens of member countries.

The regulation came into effect on May 25, 2018, with significant potential financial penalties for non-compliance. The sections below present a high-level overview of essential terms, impacts, and how Crono aligns with GDPR regulations.

Why is GDPR important?

GDPR is crucial because it likely impacts many individuals more than they realize. The safest assumption is that GDPR affects your company to some extent, especially if your company is established in the EU, sells to people within the EU, or monitors the actions of EU citizens, regardless of your headquarters’ location or where marketing emails are sent.

Failure to comply with GDPR guidelines can incur substantial costs. The maximum penalty for a single company is 4% of their global annual turnover or 20 million euros, whichever is higher. Lower-tier fines apply to lesser violations and can amount to 2% of global turnover or 10 million euros.

GDPR Terminology Glossary

Refer to the glossary below to understand the key terms in GDPR.

• Consent: Contacts in the EU must provide explicit permission before being contacted. If contact information is obtained through a third party, the source must be specified during the initial contact with the Data Subject.
• Cross-Border Data Transfer: Sending data and/or personal information outside of EU/EAA borders.
• Data Subject: A natural person and EU citizen whose information has been collected and can be identified by a data controller.
• Data Controller: Entities managing or collecting personal data. Crono and Crono’s customers are considered data controllers.
• Data Portability: A data subject’s right to their personal data from the data controller in a familiar, machine-readable format.
• Data Processor: A party instructed by the controller on how to handle personal data. Crono is also considered a data processor.
• Data Subject Rights: New rights within GDPR, including the right to be forgotten, the right to data portability, and the right to object to profiling.
• GDPR Articles: The GDPR includes two sections—the recitals and the Articles. The Articles contain the text of the legislation and the Privacy Management Activities (PMAs) required for compliance.
• Personal Data: Information included in Crono typically comprises name, company address, company phone number, email address, and IP address.
• Privacy by Design and Default: Companies are obligated to prioritize data privacy throughout the design process and incorporate default and adequate privacy controls into all new features.

GDPR’s Effect On Sales Teams

A critical aspect of GDPR that may create business challenges is the level of consent required from individuals. To collect and process personal data of Europeans, marketers, and services like Crono must have a “legal basis.”

Two common legal bases include:

1. Consent of the data subject.
2. A “legitimate interest” to use the data not outweighed by fundamental “rights and freedoms,” considering data subjects’ “reasonable expectations” of how data may be used.

The GDPR cites “direct marketing” as an example of a likely “legitimate interest.” Legal experts have noted that the GDPR leaves many questions unanswered, with potential resolutions in the future. Based on current legal interpretations, Crono (and others) believe that most B2B marketing is protected as a “legitimate interest” if executed thoughtfully. However, campaigns not targeted effectively may not fit this criterion.

These considerations are relevant only for prospects located in the EU, so if you’re emailing anyone outside the GDPR’s jurisdiction, these regulations do not apply.

How does Crono adhere to GDPR?

The Crono team diligently ensures compliance for the benefit of both the company and its customers. The Crono platform’s data handling complexity necessitates intricate compliance measures.

Our Privacy Policy and Terms & Conditions include a Data Processing Addendum, granting users control over their data and the freedom to access or remove their data from our system.

GDPR outlines distinct requirements for “Processors” and “Controllers” of data. Crono operates as a data processor, facilitating user communication with prospects.

Crono’s Adherence to GDPR as Data “Processors”

In addition to the precautions mentioned above, Crono has completed and will undertake the following actions to maintain compliance as a data processor:

1. Collaborating with legal counsel to ensure full preparation and compliance.
2. Evaluating every use case within our platform to substantiate decisions under potential legal scrutiny.
3. Creating internal workflows for swift and thorough handling of data subject requests.
4. Conducting an in-depth review of all requirements implications for data processors.
5. Updating contact information and notices for data subjects and customer data controllers.
6. Acquiring necessary resources for ongoing compliance requirements and documentation mandated by GDPR.
7. Updating and maintaining data security standards and workflows to meet GDPR requirements.
8. Reviewing customer contracts to ensure legal compliance paths are outlined clearly.
9. Staying vigilant for changes in laws and regulations, continuing efforts to maintain compliance and assisting customers in doing the same.

If in doubt, consulting with legal professionals or a data-specific officer is recommended. For Crono-related questions, we are happy to assist.