GDPR

What is data privacy and data protection?

Data privacy and data protection both deal with the processing of data. Data protection focuses on protecting assets from unauthorized use, while data privacy defines who is authorized to access the data in the first place. One important difference is who controls which part. With data privacy, controls are mostly given to the user (in other words, the user can control which data is shared with whom), while data protection is mostly a company's responsibility.

What is personal data?

Personal data is defined as any data that can be linked back to a natural person. Everything you do online - from creating a Facebook account to posting a photo on Instagram - leaves a digital footprint. While it may seem small, it adds up and unprotected, an individual is vulnerable to having their personal data shared with third parties. Luckily, data privacy law focuses on ensuring an individual's rights are secure.

What's the General Data Protection Regulation (GDPR)?

Today, data protection law impacts organizations and governments around the world. The EU implemented a higher protection threshold than most other countries with the introduction of General Data Protection Regulation (GDPR) in 2018. GDPR introduced changes to previous data protection and data privacy law, specifically around areas like consent, reporting obligations, internal procedures, accountability, and penalties.

Does GDPR apply to you?

Yes. GDPR applies to you too - even if you are located outside of the EEA (European Economic Area). It applies to any business that a) markets their products to people in the EEA or b) monitors the behavior of people in the EEA. In other words, even if you’re based outside of the EEA, if you control or process the data of EU citizens, GDPR applies to you.

‍

Wonder was founded shortly after GDPR came into effect. As a result, we have been focused on ensuring GDPR compliance from the very beginning. We have signed DPAs with all of our third-party business providers (sub-processors) as well as DPA's with all US service providers listed in the Privacy Policy that incorporate the EU standard contractual clauses (see below). In addition to external efforts, we have taken a number of steps to ensure GDPR compliance at all levels of the company. We have implemented strict Technical and Organizational Measures (TOM's) that detail our internal procedures related to data and we do require all employees to undergo GDPR training. Furthermore, we have a dedicated Data Protection Officer (DPO) who can be reached at dpo@wonder.me. If you are a business customer of Wonder, you can find our Data Processing Agreement here. Download our pre-signed PDF version and sign it.

Privacy Policy

• Within the use of the Wonders' website and/or its videochat-platform we, as the data controller, collect and store data our user provided as long and so far this is necessary to fulfill the specified purposes and legal obligations. The Privacy Policy will inform the user what data is involved, how the data is processed and what rights he/she has in this regard.
• Wonders Privacy Policy

DPA - Data Processing Agreement (Auftragsverarbeitungsvertrag)

• A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.
• Wonders DPA

TOM’s - Technical and Organizational Measures

• Part of the DPA are TOM's - which are functions, processes, controls, systems, procedures, and measures that organizations can implement to promote secure processing and storage of personal data, avoid data breaches, and facilitate compliance with relevant data protection obligations.
• See a description of Wonders TOMs in Wonders DPA Appendix 2

Third-country / US Data transfer - Standard Contractual Clauses - US-Europe privacy shield - Schrems II

• We have concluded a contract/DPA with all US service providers listed in the Privacy Policy incorporating the EU standard contractual clauses. This ensures that a level of protection comparable to that in the EU is in place (see Privacy policy section 2f and section 3c on data transfer to the USA). Additionally, we have implemented necessary TOM’s (technical organizational measures) that you can find in Wonders DPA in Appendix 2. This information can be found on our website in the GDPR-section as well as in the Privacy Policy and DPA.

Records of processing activities (Verarbeitungsverzeichnis)

• The records of processing activities is a documentation requirement of the EU GDPR. Under Art. 30 GDPR, companies must draw up a list of all activities in which they process personal data (processing activities). Together with our DPO we have set up this list of records of processing activities and our Privacy Policy & DPA is based on it. We regularly meet with our DPO and update if necessary the subsequent sections.

DPO - Data Protection Officer

• Wonders DPO is Gregor Klar who can be reached through the email address dpo@wonder.me. His main responsibility is to cooperate with the supervisory authority and act as a point of contact for the supervisory authority in data relevant topics.
• He'll also monitor Wonders' compliance with legal requirements related to the client's personal data protection policies, including the assignment of responsibilities and training of employees as well as assigning responsibilities, raising awareness and training employees, and conducting audits in this regard.

Wonder is hosted on Amazon Web Services (AWS). The servers where Wonder's data is stored are located in Ireland (eu-west-1 region).

See Privacy policy section 2 - Collection and storage of personal data and as well as nature, purpose and their use

See Privacy policy section 3 - Transfer of data

See Privacy policy section 4 - Cookies and Pixels

See Privacy policy section 5 - Data subject rights & section 6 Right to object pursuant to Art. 21 GDPR

Just send us an email to info@wonder.me stating that you want us to delete your personal data we may have stored. We have an internal standard procedure and will get back to you confirming that your request has been taken care of.