monday.com & the GDPR
At monday.com, nothing is more important to us than our customers’ success and the protection of their data. With customers in nearly every country in the world, we go to great lengths to ensure our compliance with local privacy and data protection laws.
As an organization offering services to, and processing the personal data of, individuals in the EU, monday.com has developed a robust privacy program in line with the requirements of European data protection laws, including the General Data Protection Regulation (GDPR).
Following Brexit, the GDPR was incorporated into local UK law, creating what is known as the “UK GDPR”. Currently, the UK GDPR contains very similar requirements to the EU GDPR. When we refer to “the GDPR” we are referring both to the EU GDPR and to the UK GDPR.
Roles and Responsibilities
The GDPR distinguishes between two roles relating to the processing of personal data: the “Data Controller” and the “Data Processor”. A Data Controller determines the purposes and means of the processing of personal data, while a Data Processor processes the personal data on behalf of, and under the instructions of, the Controller.
Customers who use monday.com’s services to process personal data for their own purposes and by their own means will typically be considered the “Data Controller”, and are primarily responsible for meeting all applicable GDPR requirements. monday.com serves as its customers’ “Data Processor” for the processing of personal data submitted to the monday.com platform (for example, via monday.com boards). The extent of our roles and responsibilities with respect to each of our Data Subjects and customers is further detailed in our Terms of Service, Privacy Policy and Data Processing Addendum.
How does monday.com comply with the GDPR?
At monday.com, we regularly monitor and review our practices to ensure ongoing compliance with the GDPR, including by:
- Embedding a robust privacy program and regularly reviewing and updating policies and procedures to ensure the program remains appropriately targeted and fit for purpose.
- Maintaining a vendor onboarding process requiring all vendors to comply with relevant data protection obligations.
- Reviewing and strengthening our security infrastructure and processes, data encryption in transit and at rest, backup, logs, and security alerts.
- Conducting periodic risk assessments and data mapping exercises to ensure proper management of personal data in accordance with the GDPR’s requirements.
- Regularly monitoring guidance around GDPR compliance and ensuring ongoing compliance with the GDPR through our internal procedures, processes and controls and recurring internal training sessions.
- Engaging external auditors to audit, on an annual basis, our various compliance certificates, including our SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA), ISO 27001 ISMS (information security management system) and ISO 27018 (for protecting personal data in the cloud).
- Ensuring transparency around collection, use and disclosure of personal data, including via our Privacy Policy and Job Candidate Privacy Notice.
- Notifying customers and Data Subjects when any substantive changes are made to public-facing policies to align with updated data handling practices and regulatory requirements.
- Having a robust Data Processing Addendum (DPA) in place to ensure the protection of personal data in line with customary industry standards, and including the appropriate lawful mechanisms and contractual terms required by the GDPR. Such DPAs allow us to perform our role as a Data Processor for our customers, and similar DPAs allow the same when we act as the Controller and engage our data processing vendors, in compliance with the GDPR.
- Regularly performing security and privacy assessments of our sub-processors to ensure their adherence to GDPR principles.
- Entering into the Standard Contractual Clauses (SCCs), and their UK and Swiss equivalents, with customers and vendors for international transfers of personal data. We have supplemented monday.com’s version of the SCCs with Additional Safeguards to further strengthen the rights and freedoms of data subjects.
- Enabling our customers to respond to data subject requests to exercise their privacy rights, and having a process in place to respond to data subject requests where we act as the Controller of such data.
- Designating a representative in the EU and UK, and appointing a Data Protection Officer (DPO) for monitoring and advising on monday.com’s ongoing privacy and data protection compliance and serving as a point of contact in relation to data protection and privacy matters for individuals and supervisory authorities.
- Having procedures for handling suspected breaches concerning personal data, limiting use, disclosure and retention of personal data, and regularly conducting privacy training for all relevant members of our staff.
Data transfers subject to the GDPR
monday.com is headquartered in Israel, a jurisdiction that is considered by the European Commission, the UK Secretary of State and the Swiss Federal Data Protection and Information Commissioner (FDPIC) as affording an “adequate” level of protection for personal data originating from the EEA, UK and Switzerland, respectively. Accordingly, transfers of personal data from Europe to monday.com Israel are done in reliance on this “adequacy” status as a lawful transfer mechanism, without the need for additional safeguards.
monday.com’s US subsidiary, monday.com, Inc., has been certified under the US Department of Commerce’s Data Privacy Framework (DPF) to receive data transfers from the EEA to the US, from the UK to the US, and from Switzerland to the US. Transfers from the EEA, UK and Switzerland to our US subsidiary, monday.com, Inc., are made primarily in reliance on such certification under this Framework.
monday.com ensures that any transfers of personal data subject to the GDPR or the Swiss Federal Act on Data Protection to a country not recognised by the European Commission, the UK Secretary of State or the FDPIC (as applicable) as affording an “adequate” level of protection for personal data are governed by appropriate contractual safeguards. In such circumstances, we rely on, and build into our relevant agreements, the SCCs, which can be found here and here. In addition to the protections provided by the SCCs, we supplement our contractual obligations with additional safeguards aimed at strengthening the rights and freedoms of data subjects beyond those granted by the SCCs, and we include additional clauses in our contracts with customers and vendors that aim to protect customer personal data from being transferred in the event of governmental requests to surveil or otherwise gain access to such data.
If you have any questions concerning monday.com’s privacy program and our compliance with the GDPR, please feel free to contact our Data Protection Officer & Privacy Team at dpo@monday.com.