Our Commitment To Privacy

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: March 13, 2025


At Termly, we are committed to safeguarding personal data and complying with the EU General Data Protection Regulation (GDPR).

Below is a summary of our adherence to GDPR requirements and the measures we have in place to protect individuals’ rights and privacy.

Table of Contents
  1. Transparency & Lawfulness (Articles 5, 6, 7, 12, 13, 14)
  2. Individual Data Rights (Articles 15-22, 23)
  3. Security & Breach Notifications (Articles 25, 32-34)
  4. Accountability & Governance (Articles 5(2), 24, 30, 35-39)
  5. Vendor Management & Subprocessors (Articles 28-29, 46-49)
  6. International Data Transfers (Articles 44-50)
  7. Key Resources & Links

1. Transparency & Lawfulness (Articles 5, 6, 7, 12, 13, 14)

Controls We Have:

Privacy Notice: Our Privacy Notice explicitly details:

  • The categories of personal data we collect.
  • The purposes for processing (e.g., service delivery, legal obligations, or legitimate interests).
  • How and why data is used, stored, and shared.

Lawful Bases: We process personal data only where a valid lawful basis applies (e.g., contractual necessity, legal obligations, or legitimate interests), as outlined in our Privacy Notice.

Cookie Policy: Our Cookie Policy outlines how cookies and tracking technologies are used, with options to manage preferences via our Cookie Banner and Preference Center.

Privacy Center: All privacy-related information, including data practices and rights, is centralized in our Privacy Center for easy access.

Right to Be Informed: We ensure individuals are provided with clear, transparent, and easily accessible information at the time of data collection (Articles 12-14).

In Summary:

  • We collect only the necessary data for legitimate purposes.
  • We provide clear, accessible notices so users understand how we handle personal data.

2. Individual Data Rights (Articles 15-22, 23)

Controls We Have:

Streamlined DSAR Process: Users can submit requests for access, correction, or deletion of their data, objections to specific processing, or enquiries about data portability via our DSAR Form.

Opt-Out Tools:

  • Marketing: Unsubscribe instantly via the “unsubscribe” link in emails.
  • Tracking: Adjust cookie/tracking preferences in our Preference Center.

How We Uphold Your Rights:

  • Timely Responses: We address all requests within 30 days (GDPR Article 12).
  • No Fees: Requests are free unless manifestly unfounded or excessive.
  • Verification: We authenticate identities to protect your data before fulfilling requests.
  • Transparency: If we refuse a request, we explain the legal reasoning behind the refusal and the options for appeal.

Need Help? Contact our Data Protection Officer (DPO) for GDPR-specific requests.

3. Security & Breach Notifications (Articles 25, 32-34)

Controls We Have:

Data Protection by Design and by Default: We implement technical and organizational measures ensuring that, by default, only necessary personal data is processed (Article 25).

Robust Security Measures:

  • See our Security FAQ for an overview of our encryption, access controls, and penetration testing procedures.

Incident Response Plan:

  • We conduct regular risk assessments and tabletop exercises to prepare for any potential data breaches.

In Summary:

  • In the event of a personal data breach, we notify the relevant supervisory authority as Article 33 requires (without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals), and we notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).
  • We pseudonymize data where possible and adhere to industry standards to keep personal data secure.

4. Accountability & Governance (Articles 5(2), 24, 30, 35-39)

Controls We Have:

In-House DPO & EU/UK/Swiss Representative:

  • We have a dedicated Data Protection Officer and an EU/UK/Swiss Representative, and we partner with external privacy counsel worldwide for audits and ongoing improvements.
  • Records of Processing Activities (ROPA): Maintained for all data processing, including purposes, categories, and third-party sharing (GDPR Article 30).
  • Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing (e.g., large-scale processing) and updated as risks evolve (GDPR Article 35).
  • Annual Policy Reviews: Documented reviews ensure alignment with regulatory updates (e.g., EDPB guidance, national laws) and industry standards.
  • DPO Responsibilities: The DPO monitors compliance, advises on impact assessments, conducts internal training, and serves as the contact point for supervisory authorities (Articles 37-39).
  • Sub-Processor Oversight: All service providers that handle personal data are contractually bound by:

    • GDPR-compliant Data Processing Agreements (DPAs) (Article 28).
    • Standard Contractual Clauses (SCCs), or certification under the Data Privacy Framework (DPF), where personal data is transferred outside the EEA, the UK, or Switzerland.

5. Vendor Management & Subprocessors (Articles 28-29, 46-49)

Controls We Have:

Vetted Subprocessors & DPAs:

  • All subprocessors we work with are carefully vetted for GDPR compliance.
  • We have strict Data Processing Agreements (DPAs) with each of them, under which they must process data securely and in line with GDPR requirements (Article 28).
  • Our Data Processing Agreement (DPA) is available upon request.
  • View our Subprocessors List for details on our third-party service providers.

Details:

  • We ensure that all vendors handling personal data have appropriate safeguards in place.
  • Our contracts include Standard Contractual Clauses (SCCs) for international data transfers where required.
  • We periodically audit and review all subprocessors to ensure ongoing compliance.

6. International Data Transfers (Articles 44-50)

Safeguards We Implement:

EU-U.S. Data Privacy Framework (DPF):

  • We are certified under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. The European Commission's adequacy decision for the EU-U.S. DPF (Article 45) allows transfers to certified organizations without additional transfer safeguards. We re-certify annually with the U.S. Department of Commerce.

Standard Contractual Clauses (SCCs):

  • For transfers outside the DPF, we use EU/UK-adopted SCCs (Article 46) alongside supplementary technical safeguards like encryption, access controls, and data minimization.

UK & Swiss Compliance:

  • Transfers of personal data out of the UK are made under the UK International Data Transfer Agreement (IDTA), and transfers out of Switzerland comply with the requirements of the Swiss Federal Act on Data Protection (FADP).

Last Updated: 03/13/2025



Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.