GDPR Compliance

GDPR: The EU General Data Protection Regulation

Learn about obligations under the GDPR, and how EPIC Services Group LLC is designed to help you achieve GDPR compliance.

Overview

EPIC Services Group LLC (“EPIC”) has always made security and privacy among its highest priorities. That’s why we’ve committed not only to respect and comply with the GDPR but also to provide tools to facilitate your compliance with the GDPR and to educate you on your responsibilities as a business owner. As the GDPR’s scope is broad, and the potential penalties for noncompliance are large, we’ve ensured that our tools are available to all our customers, at no additional cost.

This page outlines some of the key GDPR principles and terms and explains how they apply to your use of EPIC Services Group LLC Services. Please review it carefully and share it with your privacy team, along with the legal documents listed below.

Disclaimer: This guide is not and should not be considered legal advice. Please consult a legal professional for details on how the GDPR may impact your business, and what you need for compliance.

General Data Protection Regulation (“GDPR”)

The GDPR is a unified regulation that supersedes and universalizes previous privacy laws in Europe, offering citizens and residents of the European Union (EU) greater transparency and controls over how their personal data is used by others. The GDPR requires the compliance of businesses which transact in Europe, or which facilitate transactions in Europe.

Definitions:

  • Service
    Service means the websites operated by EPIC Services Group LLC.
  • Personal Data
    Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
  • Data Controller
    Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed. For the purpose of this statement, we are a Data Controller or Data Processor of your Personal Data depending on the specific processing being performed.

If you process any personal information, then you are also considered a Data Controller. Since it is likely that you are processing personal information, for the purposes of this statement you will be considered a Data Controller.

  • Data Processors (or Service Providers)
    Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.
  • Data Subject (or User)
    Data Subject is any living individual who is using our Service and is the subject of Personal Data.

Controllers and Processors

There are two key roles defined in the GDPR with respect to personal data: Controller and Processor. The Controller is the business or person — you. As a customer of EPIC, you operate as the Controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed in a lawful manner pursuant to the GDPR and that you are using controllers and processors, such as EPIC, that are committed to handling the data in a compliant manner.

EPIC may be considered both a Controller and a Processor depending on the specific processing. When we act on the instructions of the Controller (you), which come in the form of Website or external (API) requests, we are acting as a Processor.

Once you have become a customer and have agreed to our Terms and Conditions, EPIC may use third-party Processors and Sub Processors required to provide the services requested and contracted. In this case, we are acting as a Controller and the third party we use would be considered a Processor.

Both Controllers and Processors have an obligation to explain what they do with personal data. As a Processor, we rely on you, the Controller of the data and our customer, to ensure that there is a lawful basis for processing.

Both Controllers and Processors may, in the performance of their service, use other third parties in the processing of personal data. These entities are known as Sub Processors. For example, EPIC leverages cloud infrastructure providers like Stripe, as well as other services like Active Campaign.

For a complete list of Service Providers, Processors and Sub Processors EPIC utilizes please see our Data Processing Addendum.

Lawful Basis for Processing of Personal Data

In order to process personal data, you need a lawful basis for processing. There are several ways to establish a lawful basis for GDPR compliance.

EPIC may process your Personal Data because:

  • We need to perform a contract with you
  • You have given us permission to do so
  • The processing is in our legitimate interests, and it’s not overridden by your rights
  • We need to process payments
  • We need to comply with the law

Consent

Much of the GDPR revolves around the concept that your leads and customers have consented to you collecting their personal data, to you using (i.e. processing) their data, or to receiving communications. According to the ICO, the following criteria must be met to show valid consent:

  1. Consent must be freely given. This means giving people genuine, ongoing choice and control over how you use their data.
  2. Consent should be obvious and require positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise, user-friendly, and easy to understand.
  3. Consent must specifically cover the data Controller’s name, the purposes of the processing, and the types of processing activity.
  4. Explicit consent must be expressly confirmed in words, rather than by any other positive action.
  5. There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

If you reside in the European Economic Area (EEA), you must provide valid consent before using our Services.

Contract

In addition to consent, another lawful basis for processing data is if the processing of personal data is necessary for the performance of a contract. Password reset, billing notifications, and onboarding communication would likely fall under this lawful basis. In other words, if it’s a customer who transacts with you, there are certain processing tasks that must be undertaken for you to provide the service. Likewise, to keep its commitments under its EULA and provide service to you, EPIC has to perform certain processing.

Data Subject Rights

Data Subject Data Protection Rights Under General Data Protection Regulation (GDPR)

If you are a resident of the European Economic Area (EEA), you have certain data protection rights. EPIC aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please contact us.

Under the GDPR you have the following data protection rights:

  • The right to access, update or to delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you.
  • The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
  • The right to object. You have the right to object to our processing of your Personal Data.
  • The right of restriction. You have the right to request that we restrict the processing of your personal information.
  • The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable and commonly used format.
  • The right to withdraw consent. You also have the right to withdraw your consent at any time where EPIC relied on your consent to process your personal information.

To exercise any of these rights please contact us at: support@epicnetwork.com. Please include the phrase “GDPR Request” in the subject line, the domain name of the website you are inquiring about, along with your name, address and e-mail address. We will respond to you within thirty (30) days of receiving such a request.

Please note that we may ask you to verify your identity before responding to such requests.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).

Data Processing Addendum

Our data processing addendum (DPA) to our Terms and Conditions Agreement formalizes many of the details described on this site in specific legal language. As part of the EULA, the DPA will govern the terms by which EPIC, as either a data controller or a data processor, processes data on behalf of its customers (who are typically data controllers) in accordance with Article 28 of the GDPR.

The Data Processing Addendum includes:

  • Sub-processors engaged in delivering our services
  • Countries through which the data is passed (cross-border protocol)
  • Security measures undertaken to ensure that your data is kept private
  • Breach notification protocol

FREQUENTLY ASKED QUESTIONS

Does the GDPR impact businesses outside of the EU?

In many cases, yes. Even businesses that are not based in the EU are considered to be subject to the GDPR if they are collecting personal data on EU residents. Enforcement of the GDPR outside of the EU will be by EU authorities and it remains to be seen how aggressive they will be. Consult your own legal counsel but it is widely accepted that companies that collect personal data from EU residents will be subject to the requirements of the GDPR.

Does the GDPR require data to be stored in the EU?

The GDPR does not require that data processing (including storage of data) be limited to the EU. EPIC’s Data Processing Addendum includes the EU Standard Contractual Clauses, which are also a valid mechanism for the lawful transfer of data between the EU and the US.

Do you have a Privacy Policy?

Yes! It contains information on our policies and efforts to comply with all applicable regulations and to guarantee the privacy of your data. It can be found here.

Do you have a Data Processing Policy?

Yes! Our Data Processing Addendum to our EULA contains the details of our data processing and how we work with Controllers and Sub Processors to comply with the applicable regulations and to ensure the privacy of your data. You can obtain a copy of the EPIC DPA by making a written request by email to our Data Protection Officer at support@epicnetwork.com.

Who is EPIC’s Data Protection Officer (DPO)?

EPIC’s DPO: Robert Smith

Email address: support@epicnetwork.com.

In accordance with Article 38 of the GDPR, members of the public may contact the DPO with regard to issues related to processing of their personal data and to exercise their rights under the GDPR – for example, to object to the processing of their data in cases where the data controller (i.e., EPIC customer) does not provide an adequate response.

Is EPIC PCI Compliant?

EPIC adheres to, and is audited annually for compliance with, the Payment Card Industry Data Security Standard, which is a rigorous data protection framework oriented towards the protection of payment card data.

Our most recent PCI DSS audit documentation is available upon request. Please contact support@epicnetwork.com if you require the documentation.

Any more questions?

Feel free to reach out to us by emailing us at support@epicnetwork.com with any questions you may have.