The General Data Protection Regulation (GDPR) defines and creates laws concerning the privacy of individuals in the European Union. This affects any company that processes the personal data of people who live in the EU—whether that company is based in the EU or not.
While not legal advice, this document can help you understand the GDPR provisions built into Submittable. Within the terms of the GDPR, you are the “controller” and Submittable is the “processor.” Submittable processes data on your behalf.
Submittable helps your organization observe the GDPR by respecting the rights of people as outlined in it. These rights include:
Submittable is committed to notifying those affected by a data breach within 72 hours of discovery.
Your users have the right to ask you if you are using their personal data, and how it is being used. Submittable has always allowed you to search for users by name to find their data. We also provide self-service features that allow your users to monitor the status of their submissions or applications and review the data they previously submitted.
Your users have the right to ask you to delete all of their personal data that you process. This excludes information you need for legal purposes such as taxes. This data is not limited to personally identifiable information, but refers to any data directly linked to that person.
Your users have the right to export their data in a “commonly used and machine readable” format. Submittable provides tools that allow your users to easily export their data as a CSV file.
Submittable has always held user data securely and privately. We do not share this data with third parties. We are transparent about how the data is used, and we only process what is necessary.
We have drafted changes to our Terms and Conditions as well as a clear mapping from the General Data Protection Regulation to our terms and conditions. These updated legal documents are available on the Submittable website, along with the application changes related to consent and data erasure.