Spinbackup GDPR Compliance


In the last 20 years the global economy has become increasingly digitized, and many companies hold highly sensitive and personal customer information obtained from various sources. This data carries significant risk if it is stolen or abused.

What is GDPR?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union.

The General Data Protection Regulation was officially adopted by the European Parliament in April 2016 to specify how customer data should be used and protected. Following a two-year post-adoption period it will become enforceable in May 2018. GDPR will replace the 1995 EU Data Protection Directive, which was introduced two decades ago when the Internet had not yet revolutionized business communications.

The Impact of GDPR

GDPR is applicable extraterritorially to all parties involved in selling goods and services to EU citizens and processing their personal data, regardless of whether the organization is registered or operating within the EU, including companies on other continents. As an IT or cybersecurity professional you must learn how to address major data protection requirements and make sure that software vendors you collaborate with are 100% GDPR compliant.

If data privacy infringement is committed, GDPR allows fines to be issued for violators, up to a maximum of either €20 million or 4% of the worldwide turnover, whichever is greater.

At Spinbackup we welcome the General Data Protection Regulation (GDPR) enforcement for B2B markets as it is individuals who handle business relationships. We are confident that GDPR compliance will help Spinbackup demonstrate that it has a high level of cyber security expertise and management when storing, encrypting, backing up, and securing our customers’ confidential data.

GDPR Overview. Why Important for Personal Data Protection?

It should be noted that seven essential requirements have been determined by GDPR to address personal data processing control issues.

7 core citizen rights afforded under GDPR requirements for personal data protection

  1. Consent. In obtaining consent for data use, companies cannot use indecipherable terms and conditions filled with legalese. It must be as easy to withdraw consent as it is to give it.
  2. Breach Notification. In the event of data breach, data processors have to notify their controllers and customers of any risk within 72 hours.
  3. Right to Access. Individuals have the right to obtain confirmation from the data controller of whether their personal data is being processed. The data controller is obliged to provide an electronic copy for free to data subjects.
  4. Right to be Forgotten. When data is no longer relevant to its original purpose, data subjects can have the data controller erase their personal data and cease its dissemination.
  5. Data Portability. Allows individuals to obtain and reuse their personal data for their own purposes by transferring it across different services.
  6. Privacy by Design. Calls for inclusion of data protection from the onset of designing systems, implementing appropriate technical and infrastructural measures.
  7. Data Protection Officers. Professionally qualified officers must be appointed in public authorities or organisations that engage in large scale (companies with more than 250 employees) systematic monitoring or processing of sensitive data.

Below is a brief introduction to six key GDPR principles and how Spinbackup follows the GDPR requirements.

Fairness and Transparency.

Organizations must always process personal data lawfully, fairly, and in a transparent manner.

Spinbackup, based on its professional expertise, experience, best practices, and customer feedback, has developed these Terms of Service and Privacy Policy, which transparently and accurately describe the conditions for obtaining, storing, and processing personal data relating to the users of Spinbackup’s service. As of May 25, 2018 this Privacy Policy will be updated according to the GDPR requirements. Spinbackup will offer its customers the right to choose a geographic location for their data storage upon installation of the Spinbackup application. This feature allows European customers the choice of storing their data at the European data center of Amazon, located in Dublin.

Purpose Limitation

Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that’s incompatible with those purposes.

Upon customer registration, Spinbackup introduces the customers to the Terms of Service and Privacy Policy. By clicking the “I AGREE” button, the customer confirms that they understand the Terms of Service, along with what information is obtained, stored, and processed, and for what purpose. Additionally, by clicking the “I AGREE” button, the customer accepts these terms.

Data Minimization

Organizations can collect only personal data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.

The information stored in the G Suite profile is the primary data source for Spinbackup. This data will be retained by Spinbackup only for the purpose of correctly displaying information about the users.


Personal data must be accurate, and kept up to date when necessary.

Spinbackup automatically updates data every time a user updates their data in the Google profile. There is no other way to change or update information in Spinbackup’s system.

Data Deletion

Personal data must be kept only for as long as it’s needed to fulfill the original purpose of collection.

Spinbackup stores customer data only as long as it is needed to provide quality service to its customers. Any customer data that a customer leaves behind will be automatically deleted by Spinbackup after 30 days, which is when the licenses expire.

Additionally, Spinbackup can delete data upon customer’s request, if such a request meets the GDPR requirements and other legal acts.


Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segregation, encryption, pseudonymisation, and anonymization is recommended, and in some cases required to help protect personal data.

Spinbackup employs a professional team of technical and cybersecurity specialists. The experience of Spinbackup’s team allows it to provide a cutting-edge service built on the “privacy by design” and “privacy by default” principles.


A data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer, imposing contractual obligations on processors, and using the principles of “privacy by design” and “privacy by default.” Additionally, a data controller must be able to demonstrate compliance, including keeping a record of processing activities and conducting privacy impact assessments.

Spinbackup’s GDPR Compliance

Recognising the importance of GDPR compliance, Spinbackup applies G Suite Security best practices and international standards, and follows legal requirements when building an Information Security Management System (ISMS) within the company. We incorporate the highest security standards into every phase of Spinbackup’s software development process, from the outset to completion. Spinbackup employs the highest security and privacy controls, audited regularly in our SOC 2 reports. Spinbackup’s cutting-edge services are driven by collaborative effort with leading cloud service providers such as Amazon, Google, and Microsoft, whose reliability is globally recognised. Spinbackup follows the recommendations provided by ISO/IEC 27002 to ensure that the information security controls are implemented in Spinbackup.
