This GDPR Statement describes how Emburse, Inc. and its affiliates (collectively “Emburse” or “we” or “us”), comply with the 2016/679 General Data Protection Regulation (GDPR)
For the purposes of this GDPR Statement, Emburse shall act as:
- Data Processor when providing services to our Clients, as applicable to the services contracted;
- Data Controller for employees and prospective employees, Human Resources Data;
- Data Controller for Marketing Data; and
- Data Controller as described in our Privacy Statement
This document is not a binding agreement and it is only intended for informational purposes.
1. What is GDPR?
The European Economic Area (EEA) adopted the EU General Data Protection Regulation (GDPR) (2016/679) in 2016. The primary objective of the GDPR is to enhance individual’s control and rights over their Personal Data and to simplify the regulatory environment for international business. As a result, the GDPR has strengthened and unified data protections for all individuals within the EEA and EU citizens currently outside the Union.
2. What Does Personal Data Mean?
The GDPR defines Personal Data as any information relating to an identified or identifiable natural person (Data Subject). A Data Subject is identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics.
3. Additional Terms
The following terms should have the same meaning as described in the GDPR:
- Personal Data
- Controller
- Processor
- Sub-Processor
- Data Privacy Impact Assessment (DPIA)
- Standard Contractual Clauses (SCCs)
- Data Processing Agreement (DPA)
- Data Protection Officer (DPO)
- Personal Data Breach
4. Emburse GDPR Compliance Actions to Date
Emburse is committed to protect the privacy and security of Personal Data, including Client Personal Data.
Emburse has implemented a very robust set of policies, procedures, and protocols in order to ensure that Personal Data remains protected. We have demonstrated compliance with rigorous third-party security frameworks and standards including ISO 27001:2013, ISO 27701, PCI DSS Level 1, and SSAE18 SOC 1 Type II.
Our legal and privacy teams have taken additional steps to ensure GDPR compliance, including:
- Whenever appropriate, entering into Data Processing Agreements and Standard Contractual Clauses with our Sub-Processors. These agreements allow Emburse to receive and transfer Personal Data without any disruption to our services. They also contractually bind our Sub-Processors to Emburse’s high privacy and security standards.
- Emburse has a robust Third-Party Vendor Management program, and we frequently use it to assess all third parties for continued compliance with their security, privacy, and confidentiality commitments.
- Appointing a Data Protection Officer (DPO) to oversee compliance
- Conducting a full Data Protection Impact Assessment (DPIA) of our products and services
- Constantly updating our Incident Response and Personal Data Breach Notification Policy to ensure maintained compliance
- Implementing business processes to ensure any requests from Data Subjects are forwarded to the Client, when applicable
In addition to these specific objectives, we will continue to monitor guidelines for GDPR compliance published by regulatory bodies to ensure we maintain compliance as regulations evolve.
Emburse as a Data Processor
Emburse complies with applicable Data Protection Laws. Over the years, we have demonstrated our commitment by consistently exceeding industry standards. We only process Personal Data as directed by our Clients and/or as required by Data Protection Laws. We have a privacy-conscious culture and we welcome any regulation that gives us the opportunity to strengthen our practices even further.
In the course of offering our application software, and at the Client’s request, Emburse processes Client Personal Data. Emburse may need to collect additional Personal Data to provide services. In those cases, the Client remains the Controller of the collected Client Personal Data.
The Client should address Data Subjects’ questions or concerns in those cases. We are not responsible for the privacy or security practices of an administrator's organization, which may be different from ours.
For example, administrators are able to:
- Require the account holder to reset account passwords
- Restrict, suspend or terminate the account holder’s access to Emburse services and account access
- Access information in and about the account holder account
- Access or retain information stored as part of the account holder’s account
In some cases, administrators may also:
- Change the email address associated with the account
- Change the account holder’s information, including profile information
- Restrict the ability to edit, restrict, modify or delete information.
Even if the services are not administered by an organization at the time, if an account holder uses a work email address to access the services, then the account holder’s employer may assert administrative control over the account and use of the services at their discretion. Account holders are encouraged to contact their employer for more information about their policies.
Emburse as a Controller
Human Resources Personal Data
1. Candidates
If a candidate resides in the European Economic Area and is interested in employment with Emburse, they will need to provide certain information that may include Personal Data. We use this information for the purpose of processing their employment application and to reach out about future career opportunities.
All applications must be submitted through our website by visiting our “Careers” link.
As part of the application process, candidates will need to consent to us collecting their Personal Data and contacting them. As a Data Subject you have the right to deny consent. However, if a candidate denies consent we will be unable to process the application and consider them for employment.
A limited number of Emburse employees will have access to the candidate’s Personal Data. Some of the teams and/or employees with access to candidate Personal Data Emburse, include but are not limited to, Human Resources, the hiring leader, individuals with whom the candidate will need to interview with, etc.
Candidate Personal Data is shared on a need-to-know basis. Emburse employees with access to Personal Data must undergo GDPR-specific training. In addition to Emburse, a limited number of third-party providers who are under contract with Chrome River may also have access to Personal Data. We ensure that any such provider has data protection levels equivalent (or higher) to those offered by Emburse.
If a candidate is selected for a position, Emburse and the candidate will execute any agreement(s) required in the candidate’s country of residence. Such agreement(s) shall comply with applicable Data Protection Laws, including GDPR.
2. Employees
Employees will be provided with an Employee Privacy Notice outlining their rights and remedies. Employees will also be provided with information and supporting documentation related to their status as an Emburse employee and a Data Subject under the GDPR.
Marketing Personal Data
Emburse collects and processes Personal Data for its own business purposes, such as sales and marketing activities. In these cases, Emburse is considered the Controller. Data Subjects may subscribe to marketing communications, subscription is voluntary. Data Subjects also have the right to opt-out at any time from marketing communications. However, Data Subjects will still receive communications that are necessary for Emburse to provide services to them or their employer.
Emburse may receive Personal Data collected from affiliates and third party vendors, consultants, and other service providers that help us run our sales and marketing activities. Third parties may be, for example, lead generation providers, opt-in list providers, data aggregators, and industry and association event organizers.
These third parties provide services such as:
- Email delivery, postal delivery
- Collecting business information and Personal Data about you on our behalf
- Event or campaign registration and management
- Information technology and related infrastructure services
- Data analysis and insight
- Auditing
We also collect data through tracking technologies. This data may be considered Personal Data under applicable Data Protection Laws.
Data Subjects may find additional information about our collection practices (including tracking technologies) in our Privacy Statement. Our Privacy Statement also provides information about opt-out mechanisms. Additional questions may also be submitted by emailing privacy@emburse.com.
Website Personal Data
We collect and process Personal Data whenever a Data Subject accesses, uses, and/or interacts with us. For example, when they:
- Complete and submit of online forms
- Registrate at Emburse sponsored and other forms for events, webinars, and webinars recordings
- Complete lead cards at Emburse sponsored events
- Download information from the Emburse website
- Request information about our businesses and partners
- Subscribe to Emburse communications
- Share their business card, badge attendance scanning, and other information you provide when you attend an Emburse hosted event or visit an Emburse booth at a trade show or industry or association event
- Communicate with us through our online chat, contact forms, etc.
- Subscribe to Emburse marketing communications
- Complete Emburse questionnaires and surveys
- Participate in Emburse sponsored sweepstakes and contests
Data Subjects may find additional information about our collection and processing practices in our Privacy Statement. Questions may also be submitted by emailing privacy@emburse.com.
Data Subject Rights
Data Subjects enjoy the following rights under the GDPR:
- Right to be informed
- Right to access
- Right to rectification
- Right to be forgotten/Right to erasure
- Right to data portability
- Right to restrict processing
- Right to withdraw consent
- Right to object
- Right to object to automated processing
- Some of these rights are not absolute and are subject to exceptions.
If a Data Subject would like to exercise any of the above rights, they should reach out to us via email to privacy@emburse.com. Emburse will take the necessary steps to verify the Data Subject’s identity and review their request under the applicable Data Protection Law.
For further information about Data Subject rights, please see our Privacy Statement.
Contact Information
For further questions about Emburse’s GDPR compliance please contact us.
Company Name: Emburse, Inc.
Address: 320 Cumberland Avenue, Portland, ME 04101 USA
Email: privacy@emburse.com