At monday.com, our Customers\u2019 success and the protection of their data is very important to us. With customers all over the world, we are committed to supporting our Customers\u2019 compliance with local privacy and data protection laws.<\/p>\r\n
As an organization offering services to, and processing the personal data of, individuals in the European Economic Area (EEA), Switzerland and the United Kingdom (UK), monday.com has developed a robust privacy program designed to support compliance with the requirements of European data protection laws, including the General Data Protection Regulation (GDPR).<\/p>\r\n
Following Brexit, the GDPR was incorporated into local UK law, creating what is known as the \u201cUK GDPR\u201d. Currently, the UK GDPR contains similar requirements to the EU GDPR. When we refer to \u201cthe GDPR\u201d we are referring both to the EU GDPR and to the UK GDPR.<\/p>\r\n
Roles and Responsibilities<\/strong><\/p>\r\n The GDPR defines two central roles for the processing of personal data: the \u201cData Controller\u201d and \u201cData Processor\u201d.<\/p>\r\n For a more detailed breakdown of these roles and our obligations, please refer to our\u00a0Terms of Service<\/a>,\u00a0Privacy Policy<\/a>\u00a0and\u00a0Data Processing Addendum.<\/a><\/p>\r\n What steps has<\/strong> monday.com <\/strong>taken to support compliance <\/strong>with GDPR<\/strong> requirements?<\/strong><\/p>\r\n At monday.com, we regularly monitor and review our practices to support compliance with GDPR requirements, including:<\/p>\r\n Data transfers subject to the GDPR<\/strong><\/p>\r\n Various monday.com subsidiaries are located in jurisdictions considered as affording an \u201cadequate\u201d level of protection for personal data by the relevant decision-makers in the EEA, UK and Switzerland, respectively. Accordingly, transfers of personal data between these regions and to subsidiaries in Israel, Japan and Brazil (from EEA only), are done in reliance on this \u201cadequacy\u201d status as a lawful transfer mechanism, without the need for additional safeguards.<\/p>\r\n monday.com\u2019s US subsidiary, monday.com, Inc., has been certified under the US Department of Commerce\u2019s Data Privacy Framework (DPF) to receive data transfers from the EEA, UK or Switzerland to the US. Transfers from the EEA, UK and Switzerland to our US subsidiary, monday.com, Inc., are made primarily in reliance on such certification under this Framework.<\/p>\r\n To the extent we transfer personal data originating from the EEA, the UK, Switzerland to countries that have not been recognized as offering an adequate level of data protection by the relevant competent authority, we rely on, and build into our relevant agreements, appropriate trans-border data transfer mechanisms as established under applicable law, such as the standard contractual clauses (which can be found\u00a0here<\/a>\u00a0and\u00a0here<\/a>). In addition to the protections provided by the SCCs, we supplement our contractual obligations with additional safeguards aimed at strengthening the rights and freedoms of data subjects beyond those granted by the SCCs, and have additional clauses in our contracts with Customers and vendors that aim to protect Customer personal data from being transferred in the event of governmental requests to surveil or otherwise gain access to such data.<\/p>\r\n We also conduct Transfer Impact Assessments (TIAs) to supplement our reliance on SCCs and the Data Privacy Framework, ensuring that the legal protections of the EEA\/UK follow the data regardless of its physical location.<\/p>\r\n\r\n
monday.com\u2019s Customers are generally the Controllers of personal data submitted to the platform (e.g., via boards, workdocs, or CRM items).
monday.com acts as a Controller in some contexts, for example, over Customer account and billing information, technical usage data, and website visitor and lead information, as further described in our Privacy Policy<\/a>.
<\/li>\r\n\r\n
\r\n
\r\n