What Is GDPR?
The General Data Protection Regulation (GDPR) is a privacy regulation that went into effect in the European Union (EU) on May 25th, 2018. It is designed to provide EU residents with more control over their personal data and governs how businesses collect, store, and process that data.
GDPR applies to all companies that conduct business in the EU or process or store data of EU residents. The following sections give a high-level overview of important terms, how Apollo complies with GDPR, and how Apollo assists you in your own GDPR compliance practices.
To read the most recent version of the General Data Protection Regulation, please visit the EU GDPR website.
Why Is GDPR Important?
GDPR is important because of its broad application. It imposes obligations on any company that targets or collects people's data in the EU, regardless of where the company is located. Apollo highly recommends that you familiarize yourself with GDPR and all other applicable privacy regulations and seek additional support from privacy counsel if any questions remain.
Failure to comply with GDPR regulations can be costly. The highest amount your company could pay is 4% of your global annual turnover or 20 million euros, whichever is higher. Fines for less severe violations can equal up to 2% of global turnover or 10 million euros. Each EU member country enforces GDPR separately and regulators determine the severity of the fine based on many factors.
Key GDPR Terms
Use the following glossary to learn important terms contained in the GDPR.
GDPR Term | Description |
---|---|
Consent | Consent must be "freely given, specific, informed, and unambiguous." |
Cross-Border Data Transfer | Sending data or personal information outside UK or EEA borders. |
Data Subject | A natural person of the EU whose personal data is being processed. |
Data Controller | A party who determines the purposes and means of processing personal data. Many of Apollo’s customers are considered data controllers, so we recommend that you consult with a privacy attorney to determine if GDPR applies to you. |
Data Portability | A data subject's right to receive their personal data from the data controller in a structured, commonly used, and machine-readable format. |
Data Processor | A party that processes personal data on behalf of a controller. |
Data Subject Rights | GDPR gives data subjects 8 rights, including the: |
Personal Data | Any information relating to an identifiable natural person. Examples of personal data include name, phone number, email address, and IP address. Information that relates to a business, but not an individual, such as a business address, is not considered personal data under GDPR. |
How Does Apollo Comply with GDPR?
Apollo has taken the following actions to ensure that it complies with GDPR:
Transparency
Apollo's Privacy Policy provides notice of what data Apollo collects and how it processes that data. Apollo also sends a privacy notice to individuals located in certain jurisdictions, including the UK, EU, and Switzerland. Apollo notifies them when their data is added to Apollo's database of business contact information and provides them with instructions on how to opt out.
Customer Agreements
Apollo's terms of service, including the Data Processing Addendum incorporated by reference therein, set forth Apollo’s responsibilities to its customers as both a data processor and a data controller when providing services to them.
Certifications
Apollo is committed to maintaining a high bar of security and has achieved SOC 2 and ISO 27001 security accreditation. These accreditations evaluate Apollo's controls relevant to data security, availability, and confidentiality. Additionally, Apollo is certified under the EU, UK, and Swiss Data Privacy Frameworks.
Data Security
Apollo has implemented advanced data controls, including the technical and organizational measures described in Exhibit 2 of our DPA. The Apollo team regularly tests its product to fix any potential problems and maintains the industry’s highest standards in information security.
Apollo follows data incident response processes. It has built comprehensive processes to supplement data recovery and integrity to help any customers whose data is lost or unintentionally corrupted. Apollo also revisits and tests the effectiveness of its data-incident response every year to ensure the safety and security of your data.
To learn more about Apollo’s data privacy and security controls, please visit Apollo's trust center.
Legal Basis
Like all providers in the industry, Apollo processes the business contact data in its database on a legitimate interests basis. Apollo has worked with outside counsel and its external DPO to conduct a legitimate interest assessment to ensure the legitimate interests of Apollo and its customers are not overridden by the interests of the data subjects whose business contact information is included in its database.
Additionally, Apollo provides all EU, UK, or Swiss residents with a data collection notice informing them that it has obtained their data and how they can opt out.
However, what a customer does with the data they obtain from Apollo is ultimately under the customer’s control. Depending on the customer’s intended use and relationship with the contact, the customer is responsible for providing any additional notices required by applicable law or obtaining any additional consent, for example where double opt-in is required for email marketing lists containing net new contacts.
Right to Access and Opt-Out
In Apollo’s privacy center, Apollo affords all individuals a right to access the data Apollo holds about them and the ability to be deleted from Apollo’s database. For any individual who has opted out of its database, Apollo includes their information on a "suppression list" to ensure that they are not inadvertently added back to the database in the future.
How Does Apollo Help You Comply with GDPR?
Apollo helps its users comply with GDPR in the following ways:
GDPR Compliance Settings
You can automatically remove all EU-located individuals from your prospecting, emailing, and email tracking activities in the Apollo platform. These compliance settings function on an app-wide basis to ensure that no users accidentally contact a prospect in the EU. However, Apollo does not currently apply these safeguard controls in the Apollo Chrome Extension. Please use caution and double-check a prospect's location on LinkedIn when prospecting from the extension.
Apollo also lets you individually manage your GDPR compliance by allowing you to:
- Delete a saved contact upon receiving an EU data subject request.
- Send a data subject a report of all their personal data with a CSV export.
- Update a data subject’s personal data across all systems with a CRM sync.
- Control access to users’ data with governance profiles.
Unsubscribe
If you use Apollo to engage in email prospecting with EU residents, you must give people the option to opt out of any future messages. Apollo allows you to include opt-out links within your emails in the Apollo engagement platform.
Do Not Call
Apollo offers screening against Do Not Call (DNC) lists in the US and UK. When admin users turn on the Do Not Call toggle and request a new direct dial, Apollo displays the Do Not Call tag for any numbers on the Federal Do Not Call list or UK Telephone Preference Service (TPS). Apollo is working hard to expand this functionality to more EU member countries in the future.
Data Processing Addendum
Apollo’s terms of service include its data processing addendum, which sets forth Apollo’s responsibilities as both a data processor and a data controller under GDPR and other privacy laws.
Further Measures
Beyond the measures above, Apollo undertakes the following actions to maintain compliance with GDPR:
- Working with its legal counsel (and when requested, those of its customers) to ensure full preparation and compliance with GDPR.
- Evaluating new and existing functionality within its platform to ensure compliance.
- Crafting internal workflows to quickly and thoroughly complete data subject requests.
- Updating contact information and notices so data subjects and customer data controllers may contact Apollo if necessary.
- Obtaining and providing resources and documentation necessary for ongoing compliance.
- Evaluating customer contracts where necessary to ensure a path for legal compliance and to clearly detail Apollo's own responsibilities to avoid any possible confusion.
Apollo understands that laws and regulations continue to change and will continue to maintain compliance while helping you do the same.
When in doubt, your best course of action is to talk to attorneys with data privacy expertise. For all Apollo-related questions, the Apollo support team is more than happy to help.