Data Protection / GDPR

EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens' data. It will take effect from May 2018.

At SpotMyCrib, we've been working hard to prepare for GDPR, to ensure that we fulfil its obligations and maintain our transparency about user and customer data and how we use data.

Here's an overview of GDPR, and how we are preparing for it at SpotMyCrib.


What is GDPR?

The GDPR is a comprehensive European data protection law that provides significant data rights for protecting the privacy of natural persons residing in the EU. SpotMyCrib is committed to ensuring that our platform is GDPR-compliant when the regulation becomes enforceable on May 25, 2018.

How is GDPR applicable to SpotMyCrib?

We collect data from our users and customers to better serve them. We also take ID proofs, references from our users as a supporting document for their letting application. We respect everyone's personal information, and it makes perfect sense for us to have one privacy policy and set of procedures to protect everyone's interests, including compliance with applicable local laws.

What personal information does SpotMyCrib process on behalf of its customers?

  1. We collect and maintain personal contact details which includes contact name, job title, email address, telephone number, and company name. If the customer is an individual sole proprietor or unaffiliated with any commercial or non-profit entity, it's possible that additional information such as street address and credit cardholder data is included.
  2. All customer data, that is, data controlled by our customers which we process according to their instructions, is appropriately classified as Confidential. This confidential data could contain personally-identifiable information about our Customers' End Users, which we cannot identify because it is encrypted and not accessible by SpotMyCrib staff.
  3. We also collect personal identity information as references to users application to a property. For example passport ID, PPS, resume or other details are collected to help you with your application process.
  4. More covered on privacy page.

What are Data Controllers and Data Processors?

GDPR is designed to ensure protection of the privacy rights of data subjects. Data subjects are people from whom or about whom you collect information in connection with your business and its operations. Your obligations with regard to data subjects and their personal data depend on whether you're considered a controller or a processor under GDPR.

  • Data Controllers

GDPR defines a data controller as "the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data." In other words, if your organization processes personal data for your own organization's purposes and needs-not merely as a service provider acting on behalf of another organization-then you are likely to be a data controller.

SpotMyCrib is a Data Controller for our direct customers.

  • Data Processor

Businesses or organizations that process personal data solely on behalf of, and as directed by, data controllers are data processors. In other words, when a data controller outsources a data processing function to another entity, that other entity is generally a data processor.

For purposes of the GDPR, SpotMyCrib is also considered a Data Processor for our customers' end-users.

What steps is SpotMyCrib taking to ensure GDPR compliance?

  1. We conducted an internal review of all data our data points, how its collected, stored and how it's being used.
  2. We conducted an internal Data Protection Impact Assessment (DPIA) to discover what information we collect, and how it's being used.
  3. We will provide users and customers with resources and helpful information about privacy and GDPR, including whitepapers and blog posts.
  4. We will announce an update of our Privacy Policy for GDPR.

Our Customers and the GDPR

As a SpotMyCrib customer, what are my main responsibilities under the GDPR?

SpotMyCrib customers are responsible for protecting the personal information of their end users, as Data Controllers and/or Data Exporters.

Your responsibilities under GDPR will depend on the nature of your business and your personal data processing activities. Nonetheless, broadly speaking, GDPR requires that personal data be:

  1. Processed lawfully, fairly and in a transparent manner,
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes,
  3. Adequate, relevant, and limited to what is necessary for achieving those purposes,
  4. Accurate and kept up to date
  5. Stored no longer than necessary to achieve the purposes for which it was collected, and
  6. Properly secured against accidental loss, destruction or damage.

It is our customer's responsibility to obtain the EXPRESS CONSENT of individual Data Subjects (for example, tenants, applications) to transfer their Personal Data to SpotMyCrib as a Data Processor and/or Data Importer. SpotMyCrib processes all such information as Confidential Data in accordance with the terms of our Data Processing Agreement and/or this Privacy Policy.

What actions does our customers need to take?

  1. In addition to seeking independent legal advice regarding your obligations under the GDPR, here are some tips to get you started:
  2. Educate yourself on the provisions of the GDPR to understand how they may differ from your existing data protection obligations and practices.
  3. If you don't have dedicated data privacy or security personnel in-house, consider appointing a directly responsible individual (DRI) or small team to manage your company's GDPR compliance efforts.
  4. Create an up-to-date inventory of personal data that you collect and manage.
  5. Create a list of vendors who you send data to (analytics tools, CRMs, email tools, etc.), and understand whether they are a controller or a processor. Then, determine what their obligations are, and make sure they have a plan to be ready for the GDPR.
  6. Develop a plan for obtaining and managing consent in accordance with the GDPR or establish other lawful grounds for using personal data.
  7. Determine if your company needs to appoint a Data Protection Officer (DPO). For public authorities, and companies processing large amounts of special categories of personal data, the appointment of a data protection officer (DPO) is mandatory. Organizations will be expected to hire someone who has real expertise and knowledge of the latest laws and practices.
  8. Becoming GDPR compliant takes time, and will require you to rethink how you collect and manage customer data. If you have any questions about the GDPR or want to learn how SpotMyCrib can help you prepare, please let us know.

What are the penalties for non-compliance with GDPR?

Depending on the nature of the violation, data protection authorities may issue fines or penalties for non-compliance up to € 20 million or 4% of global revenue.

Where can I get more information about GDPR?

  1. From the original source: The Council of the European Union where the legislation was approved.
  2. For more general GDPR readiness portals, we suggest:
  3. From leading Privacy advocacy organizations:

Have more questions? Submit a request