GDPR & Other Privacy Laws
Protecting personal and other confidential data is fundamental to our business.
As of May 25, 2018, the new General Data Protection Regulation gives EU citizens and residents more control over their personal data and strengthens their data privacy protections.
While the GDPR goes further than other personal privacy laws, we're expecting other jurisdictions will continue to adopt greater protections.
The GDPR is intended to protect citizens and residents in the EU. However, any organization that collects, stores, transfers, or uses EU personal data must comply:
- even if the citizen lives outside the EU, and
- even if the organization with the personal data lacks a physical presence in the EU.
GDPR Key Concepts
The GDPR and other privacy laws governing use and protection of personal information generally establish rights and obligations in two buckets:
- Privacy rights of individuals, such as the "right to be forgotten," and the right to obtain a copy and correct the individual's information.
- Security obligations of companies respecting personal data, including integrity, backup, and support.
The privacy rights only apply to companies that are data controllers. The security obligations apply to data controllers and data processors.
Data Controller or Processor?
A data controller is the party in charge: it makes the decisions about what personal data to collect and what to do with it.
A data processor is a service provider that carries out the controller's directions respecting the personal data.
GDPR & Our Company
The Role We Play
Relativity, as a company, is only a data processor for personal data that customers import into our SaaS product, RelativityOne. We do not review your personal or other case data, but we give you the tools to search, analyze, and act on it.
Relativity, as a company, is a controller for personal data we collect for other corporate purposes.
Security is integral to who we are and ingrained in how we operate. We take technical and organizational measures to ensure our products, systems, and facilities are secure for personal and other confidential data.
We have a chief security officer, security team, and compliance team, and we take pride in our ISO/IEC 27001:2013 certification, SOC 2 audit, and HIPAA compliance.
We do not know if customer data in RelativityOne is personal, a trade secret, or other sensitive data. So, we give all customer data our highest protection classification.
GDPR & Our Products
We're not just thinking about how our company stays ahead of privacy requirements, but how the security and design of our products support our customers and their compliance with the GDPR.
Tools for Compliance
Relativity on-premises and RelativityOne include search and analytics tools to help you locate records within a Relativity workspace that may contain personal data, as well as delete, modify, or export the information as needed to comply with your GDPR obligations.
Your e-Discovery Data
The GDPR contains many exceptions for judicial actions, legitimate interests, and legal obligations that may apply to the data you have stored within Relativity or RelativityOne.
You might violate local court rules if you modify or delete personal information from your case data prematurely. Always consult with a local data privacy legal expert before taking privacy-related actions with your data in Relativity or RelativityOne.
Support When You Need It
Though we don't provide services to locate, delete, modify, or export your personal or other customer data in our products, our team is always on hand to help you make the most of Relativity and RelativityOne, including training on how to locate records within a Relativity workspace, and how to delete, modify, or export data containing personal data for GDPR compliance.