Artbrain is GDPR ready
At Artbrain, nothing is more important to us than the success of our customers and the protection of their personal data.
Last updated on December 14, 2020
Artbrain and the GDPR
With customers in Europe, the UK & the US, Artbrain adheres to the General Data Protection Regulation (GDPR). The GDPR expands the privacy rights granted to European individuals and requires certain companies that process the personal data of European individuals to comply with a new set of regulations. In particular, the GDPR may apply to companies that process the personal data of European individuals and have a presence in the EU (e.g. offices or establishments) and to companies that do not have any presence in the EU but target the European market (e.g. by offering goods or services to the European market) or monitor the behavior of European individuals. We’re here to help our customers in their efforts to comply with the GDPR.
What is GDPR?
In 2016, the European Union (EU) approved a new privacy regulation called the General Data Protection Regulation is commonly known as the GDPR. The aim of GDPR is to provide consistent guidance on privacy and data protection and respect for the personal data of EU individuals and meet certain territorial requirements. GDPR replaces the previous EU privacy directive of 1995 and introduces some interesting concepts and changes to the preceding privacy and data protection regime.
When are these regulations starting to be enforced?
All companies collecting or processing the personal data of EU individuals must be GDPR compliant by May 25, 2018.
Controllers and Processors
The GDPR defines and distinguishes between two types of parties and responsibilities when it comes to collecting and processing personal data: data controllers and data processors. A data controller determines the purposes and ways that personal data is processed, while a data processor is a party that processes data on behalf of the controller. That means that the controller could be any company or organization. A processor could be a SaaS, IT, or other company that is actually processing the data on behalf of the controller. Artbrain is a Data Processor. Artbrain customers (the auction houses and galleries who use Artbrain) are Data Controllers. The controller is responsible to make sure that all processors with whom it deals will be GDPR compliant and the processors themselves must keep records of their processing activities.
What steps were taken by Artbrain following the GDPR requirements?
We welcome the arrival of GDPR and view the regulations as raising the bar for data protection, security, and compliance. We will continue to be committed to our customers and users to help them comply with the GDPR while using Artbrain as their data processor.
We worked with our engineering, product, security, and legal teams to make both our product and our legal terms in line with the GDPR and will continue to ensure they keep in line continuously.
As part of Artbrain's GDPR readiness project we’ve taken the following steps:
Reviewed and strengthened our security infrastructure and practices, data encryption in transit and at rest, backup, logs, and security alerts.
A risk assessment and data mapping process were made to make sure any data that may be stored or processed is processed and managed according to the GDPR instructions.
We delete or anonymize the analytics data of users after the user’s deletion
We’ve made sure we have the appropriate contractual terms in place, to perform our role as a data processor for our customers while complying with the GDPR.
We’ve put in place all the internal procedures, processes and controls and recurring training sessions for the team, to ensure our on-going compliance with the GDPR
Performed security and privacy assessments to our sub-processors to ensure they are all complying with the GDPR requirements.
We’ve developed and we’re making available these days product features that allow the organization to deal with data deletion:
Delete users profile: Admin can now delete users’ personal data from the system (in their own initiative or as per user’s request), this will allow the organization to meet the GDPR requirements. This will delete the user name, phone, email, address, title, social network references, and other customer fields if provided. Deleting a user will not delete the insights derived from the user interaction with the system (such as dashboard calculations, etc.).
We’ll continue to monitor the guidance around GDPR compliance and will ensure that our product and processes are complying with those guidance when they become effective.
Does Artbrain offer a Data Processing Agreement (DPA)?
Yes. You can view our Data Processing Agreement/addendum (DPA) online. If you need a signed copy of the DPA, you can download it, send a signed copy to and we’ll provide you a countersigned copy.
Does the GDPR prevent a company from storing data outside of the EU?
There’s a common misconception in the market about GDPR and cross-border transfers, particularly to the US. For those of you who’ve been following, in October of 2015, the European Court of Justice nullified the Safe Harbor framework. This was essentially an aggregation of guidelines that rendered the measures undertaken by an American recipient of data as “adequate” under EU law. After this nullification, joint EU and US governmental authorities introduced the Privacy Shield framework which strengthened the requirements on US data recipients if they wanted their measures to be deemed as “adequate” by the EU authorities. GDPR doesn’t actually change this, and the Privacy Shield framework continues to serve as the agreed-upon framework for the transfer of personal data from the EU to the US.
At Artbrain, we store our data with Amazon Web Service (AWS), which is “Privacy Shield” certified and has data centers in the US and the EU. Our customers in the US and in the EU don’t have to concern themselves over whether their data is stored in the EU or in the US, as we and they would remain compliant under GDPR irrespective of the location in which the data is stored. However, we will provide the option to store the data in the EEA should a European controller require this explicitly. Like Artbrain, AWS has announced that it is GDPR ready.