Restream has made commercially reasonable efforts to provide a detailed overview of our GDPR compliance and of how Restream supports your business in operating within the confines of this regulation, especially when it comes to customer data and its verification through the Restream Live Video Streaming Service. It is still advised to engage the services of legal counsel to gain a better understanding of GDPR compliance and the liabilities that come along with it for your organization. The following compliance guide describes the practices, procedures and upgrades introduced in the internal workings of Restream to make its services GDPR compliant.
Here is a summary of GDPR sections that are applicable to users of Restream services.
GDPR requires Restream to forget and delete user data when requested by the user. Restream has taken steps to give end-users full control over the data they have submitted for identity verification at login. This data can be deleted via their account settings or by contacting a Customer Service Representative via chat or email.
Restream Plan for GDPR Compliance
Restream Users and Enterprise partners should feel confident that we are both knowledgeable about and compliant with the General Data Protection Regulation (GDPR) for the data under our control. This legislation, set by the European Union, sets forth guidelines regarding how information is collected, processed and used.
The GDPR legislation was formed to harmonize data privacy laws across Europe, empowering all EU citizens' data privacy in the process, and to reshape how organizations approach data privacy in a secure and transparent manner.
At Restream, we deploy commercially reasonable efforts to assist our users, businesses and clients: to help them understand what the GDPR means for their businesses and to assist them in establishing a compliant process of their own. With that in mind, we have made significant improvements to the Restream platform to ensure that we meet the critical components of the GDPR measures.
The Restream Process:
Let us say that Daniel Streamer is a potential customer who lives in France. He is called the Data Subject, and the service provider is called the Controller of his data. Since Restream is verifying Daniel's credentials, that makes Restream the Processor.
How Daniel might interact with Restream:
- An Enterprise Ecommerce partner integrates Restream with their online business/portal/app
- Daniel approaches the Online Business and is redirected to a landing page where Restream Verification is carried out.
- Or Daniel goes directly to Restream.io and enters the relevant credentials (email address and password).
- Restream uses STRIPE for payment collections, so Restream does NOT retain any Credit or Debit card info.
- Restream does NOT collect Date of Birth, Physical Address, Social Security Numbers or other overly sensitive PII (Personal Identifiable Information).
- Based on the results of a verification of Daniel's username and password only, he is Verified or Not Verified to use the Restream service.
All the above stated steps gather user data from the Data Subject on behalf of
User Data means any data, content, code, video, images, or other materials of any type that User uploads, submits or otherwise transmits to or through the Services. User will retain all right, title, and interest in and to User Data in the form provided to restream.io. Restream stores data on industry-secured servers located in the EEA, and these servers are monitored. Subject to the terms of this Agreement, you hereby grant to Restream a non-exclusive, worldwide, royalty-free right to:
(a) collect, use, copy, store, and transmit User Data (Video, Graphics), in each case solely to the extent necessary to provide the applicable Services to Client;
(b) Client hereby grants to Restream all necessary rights to use, reproduce, modify, create derivative works from, distribute, perform, transmit and display the User Data solely to the extent necessary to provide the Services, which will include the right for Restream to grant equivalent rights to its service providers that perform services that form part of, or are otherwise used to perform, the Services.
Access to Data
User Data Collected by Restream
You may instruct us to provide you with any personal information we hold about you; Restream only collects the following information (mostly not applicable to GDPR):
- ip address
- password (stored as a hash)
- email address
- timezone
- created_at time
- stripe_id, used by Restream to verify that payment was made for accessing the service
In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt out of the use of your personal information for Restream marketing purposes. Restream DOES NOT SELL any user data.
We may use your personal data for the purposes of automated decision-making in relation to our live video stream service. This automated decision-making will involve checking the info provided by you and matching that with the identity information provided by you.
Restream employs simple username-based accounts with an email address and password only. Unless otherwise stated in the Standard Agreement, the verification parameters include:
- User Name
- Email address
- Customized Service parameters (Paid Plans)
Users' Individual Rights Requests
The GDPR enhances the rights of individuals in several ways.
Access and Privileges
Users can request access to the personal data they have shared with Restream about their account. Personal data is anything identifiable, like their name and email address. If they request access, Restream (as the processor) will provide a copy of the data, in most cases in machine-readable format (e.g. CSV or XLS).
A client can seek access to their data by asking Restream for what they require at firstname.lastname@example.org. We at Restream believe we are under a legal and moral obligation to facilitate any manner of individual rights request.
In the same manner as accessing information, users can request that Restream modify their personal data if it is inaccurate, incomplete or requires any sort of modification or amendment.
The GDPR requires that a company be able to accommodate modification requests, as and when required.
Under the GDPR, users have the right to request that Restream delete all personal data it has collected from them. GDPR requires Restream to permanently remove a user's contact record from its database, including verification results, all personal information, saved images/video, form submission data and credit card data.
In a GDPR-compliant manner, a client can seek to have their data deleted by querying Restream at email@example.com. The Data Protection Officer at Restream will respond within a 30-day period.
DATA PROCESSING AGREEMENT
Restream Inc. provides Restream Live Video Streaming Services for EU-based enterprises that can provide accounts for employees and other individuals. According to the GDPR, such processing requires the implementation of a data processing agreement ("DPA") and, in the case of international transfers, standard contractual clauses ("SCC" or "UK SCC") between the Processor and the Controller. Annex A of this DPA forms the SCC or UK SCC between Controller and Processor.
This DPA and the SCC apply to the extent that data is regarded as personal data by the EU General Data Protection Regulation (EU) 2016/679 (GDPR). Restream Inc.'s representative for the purposes of the GDPR is Restream Estonia OÜ, a legal entity established in Estonia, address Telliskivi tn 60a/8, 10412, registry code 16183126.
The client hereby instructs Restream Inc. to process the data as described in this DPA.
Client ("Data Controller" or "Controller") and Restream ("Data Processor" or "Processor")
3. PERSONAL DATA
3.1. The personal data of individuals transferred by the Controller to the Processor during the implementation of Restream Live Video Streaming Services.
3.2. No biometrics or other type of special categories of data is processed to provide Restream Live Video Streaming Services.
3.3. Categories and Purposes of Data Processing:
3.3.1. Enterprises (Controllers) can create multiple accounts for employees and other individuals. During the sign-up of the accounts, the Controller transfers usernames and email addresses to the Processor. Any other personal data (ip address, password hash, timezone, created_at time, google_token, blog_posts_read, stripe_id used by Restream to verify that payment was made for accessing the service, selected_language, two_factor_auth) is created automatically during the sign-up process and is not, therefore, part of this DPA.
3.3.2. Video streams and screenshot images are never stored or captured by the Processor unless the Client requests otherwise. In the latter situation, the content is stored for a period of 30 days. Therefore, the Processor does not by default process any personal data attached to the video content.
This DPA covers Restream’s Live Video Streaming Services provided by the Processor.
5. CONTROLLER OBLIGATIONS
5.1. Controller is responsible for having valid legal grounds for the use of employees' or individuals' data when importing data subjects' personal data to Processor.
5.2. Controller is responsible for sufficient notifications and transparency in place for data subjects to be informed of the use of Restream Live Video Streaming Services.
6. PROCESSOR OBLIGATIONS
6.1. Processor processes Controller's data only for the purpose of providing, supporting and improving Processor's services, using appropriate technical and organizational security measures. Processor will not use or process the Controller's data for any other purpose.
6.2. Processor ensures that its employees and any sub-processors are required to comply with and acknowledge and respect the confidentiality of the Controller’s data.
6.3. If Processor intends to engage sub-processors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Sub-processors, Processor will enter into contractual arrangements with such sub-processors binding them to provide the same level of data protection, and information security to that provided for herein.
6.4. Processor obtains the prior written consent of Controller to such subcontracting, such consent not to be unreasonably withheld once the parties have agreed. Consent shall not be required for those Sub-processors (service providers) listed in the Annex to this DPA (this Annex may be provided on the Processor's website).
6.5. Processor will inform Controller if Processor becomes aware of any legally binding request for disclosure of Controller’s data by a law enforcement authority unless Processor is otherwise forbidden by law to inform Controller.
6.6. Processor will not respond to any complaint or request (in particular, requests for access to, rectification or blocking of Controller's data) received directly from data subjects of Controller without Controller's prior written authorization.
6.7. Processor will provide reasonable assistance to Controller regarding the investigation of personal data breaches and the notification to the supervisory authority and Controller's data subjects regarding such personal data breaches.
6.8. Processor will provide reasonable assistance to Controller where appropriate, for the preparation of data protection impact assessments and, where necessary, carrying out consultations with any supervisory authority.
6.9. Processor will maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption of Controller's data) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction.
6.10. Processor will notify Controller of any personal data breach by Processor, its sub-processors, or any other third parties acting on Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a breach.
6.11. If Processor is required by Data Protection Requirements to process any Controller Personal Data for a reason other than providing the services described in the Service Terms and Conditions, Processor will inform Controller of this requirement in advance of any Processing, unless Processor is legally prohibited from informing Controller of such Processing (e.g., as a result of secrecy requirements that may exist under applicable laws).
7.1. Processor shall have no liability to the extent that a claim has arisen due to any act or omission not attributable to the Processor.
7.2. Processor shall be liable for damage caused in the course of processing if it has not complied with the requirements of the applicable legislation specifically addressed to the Processor, or if it has not complied with, or has acted against, the lawful instructions of the Controller under this DPA.
7.3. If the processing is determined by the Processor, then the Processor shall be considered as a data controller in respect of that processing and be liable for infringements under the applicable laws.
7.4. Any person who has suffered material or non-material damage as a result of an infringement of this DPA shall have the right to receive compensation from the Controller or Processor for the damage suffered.
7.5. Controller involved in processing shall be liable for the damage caused by processing which infringes this DPA. Processor shall be liable for the damage caused by processing only where it has not complied with obligations of this DPA specifically directed to Processor or where it has acted outside or contrary to lawful instructions of the Controller.
7.6. Controller or Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
7.7. Where both Controller and Processor are responsible for any damage caused by processing, they shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
7.8. Where a Controller or Processor has paid full compensation for the damage suffered, it shall be entitled to claim back from the other liable party involved in the same processing that part of the compensation corresponding to their part of the responsibility for the damage.
8. DATA RETURN AND DELETION
The parties agree that on the termination of the data processing services or upon Controller’s reasonable request, Processor shall, and shall cause any sub-processors to, at the choice of Controller, return all the Controller personal data and copies of such data to Controller or securely destroy them and demonstrate to the satisfaction of Controller that it has taken such measures unless data protection requirements prevent Processor from returning or destroying all or part of the Controller personal data disclosed. In such a case, Processor agrees to preserve the confidentiality of the Controller personal data retained by it and that it will only actively process such Controller Personal Data after such date in order to comply with applicable laws.
This DPA shall remain in effect as long as Processor carries out personal data processing on behalf of the Controller or until the termination of the service agreement.
10. DISPUTE RESOLUTION
Disputes arising from or related to this DPA shall be resolved through negotiations. In case of failure of negotiations, disputes will be settled in Harju County Court on the basis of legislation in force in the Republic of Estonia.
STANDARD CONTRACTUAL CLAUSES
Client and Restream acknowledge that, for personal data transfers from the EU/EEA to the USA or from the UK to the USA, the full text of the EU Standard Contractual Clauses ("SCC") or the UK Standard Contractual Clauses ("UK SCC") applies to such processing. The full text of the SCC is available here.
This Annex serves as a reference between the Restream Data Processing Agreement ("DPA") (provided to Clients by default while using Restream Inc. services) and the SCC on clauses where additional information needs to be provided.
Restream Inc.'s representative for the purposes of the GDPR and the SCC is Restream Estonia OÜ, a legal entity established in Estonia, address Telliskivi tn 60a/8, 10412, registry code 16183126.
"DPA" means the Data Processing Agreement between Client as data Controller and Restream Inc. as data Processor.
“EC” means the European Commission
“EEA” means the European Economic Area
“SCC” means 2021 Standard Contractual Clauses approved by the European Commission in decision 2021/914.
“UK SCC” means:
(a) Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”), and
(b) Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC (“UK Controller to Controller SCCs”).
2. Cross Border Data Transfer Mechanism.
2.1 UK SCC. The parties agree that the UK SCC will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK SCC, the UK SCC will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
(a) The UK Controller to Processor SCCs will apply where Restream is processing Client Content. The illustrative indemnification clause will not apply. Section 3 of this DPA serves as Appendix I of the UK Controller to Processor SCCs. Section 6.9 of this DPA serves as Appendix II of the UK Controller to Processor SCCs.
(b) The UK Controller to Controller SCCs will apply where Restream is processing Client Account Data or Client Usage Data. In Clause II(h) of the UK Controller to Controller SCCs, Restream will process personal data in accordance with the data processing principles set forth in Annex A of the UK Controller to Controller SCCs. The illustrative commercial clause will not apply. Section 3 of this DPA serves as Annex B of the UK Controller to Controller SCCs. Personal data transferred under these clauses may only be disclosed to the following categories of recipients: (i) Restream’s employees, agents, affiliates, advisors, and independent contractors with a reasonable business purpose for processing such personal data; (ii) Restream vendors that, in their performance of their obligations to Restream, must process such personal data acting on behalf of and according to instructions from Restream; and (iii) any person (natural or legal) or organization to whom Restream may be required by applicable law or regulation to disclose personal data, including law enforcement authorities and central and local government authorities.
2.2 SCC. The parties agree that the SCC will apply to personal data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is not recognized by the EC (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the EEA that are subject to the SCC, the SCC will be deemed entered into (and incorporated into this Annex by this reference) and completed as follows:
(a) Module One (Controller to Controller) of the SCC will apply where (i) Restream is processing Client Account Data and (ii) Client is a controller of Client Usage Data and Restream is processing Client Usage Data.
(b) Module Two (Controller to Processor) of the SCC will apply where Client is a controller of Client Content and Restream is processing Client Content.
(e) For each Module, where applicable:
(i) in Clause 7 of the SCC, the optional docking clause will not apply;
(ii) in Clause 9 of the SCC, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 6.4 of the DPA;
(iii) in Clause 11 of the SCC, the optional language will not apply;
(iv) in Clause 17 (Option 1), the SCC will be governed by Estonian law;
(v) in Clause 18(b) of the SCC, disputes will be resolved before the courts of Estonia;
(vi) in Annex I, Part A of the SCC:
Data Exporter: Client
Contact details: The email address(es) designated by Client in Client’s account via its notification preferences.
Data Exporter Role: The Data Exporter’s role is set forth in Section 4 of the DPA.
Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these SCC incorporated herein, including their Annexes, as of the Effective Date of the DPA.
Data Importer: Restream
Contact details: firstname.lastname@example.org
Data Importer Role: The Data Importer’s role is set forth in Section 3 of the DPA.
Signature and Date: By entering into the DPA, Data Importer is deemed to have signed these SCC, incorporated herein, including their Annexes, as of the Effective Date of the DPA.
(vii) in Annex I, Part B of the SCC:
The categories of data subjects are described in Section 3.3 of the DPA.
The sensitive data transferred is described in Section 3.2 of the DPA.
The frequency of the transfer is a continuous basis for the duration of the DPA.
The nature of the processing is described in Section 3 of the DPA.
The purpose of the processing is described in Section 3.3 of the DPA.
The period for which the personal data will be retained is described in Section 8 of the DPA.
For transfers to sub-processors, the subject matter, nature, and duration of the processing are set forth in Sections 6.2, 6.3 and 6.4 of the DPA.
(viii) in Annex I, Part C of the SCC: the Estonian Data Protection Inspectorate will be the competent supervisory authority.
(ix) Schedule 6.9 of the DPA serves as Annex II of the SCC.
3. Jurisdiction Specific Terms. United Kingdom:
3.1 References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
3.2 When Restream engages a sub-processor under Section 6 of this DPA, it will:
(a) require any appointed sub-processor to protect the Client Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.
3.3 Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.
3.4 Client acknowledges that Restream, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Client Usage Data. If a regulatory authority requires Restream to notify impacted data subjects with whom Restream does not have a direct relationship (e.g., Client’s end users), Restream will notify Client of this requirement. Client will provide reasonable assistance to Restream to notify the impacted data subjects.
4. Local laws affecting compliance with the clause
The following clauses apply to the data stored by Restream as data Processor, which means that only content retained for up to the 30-day period is considered.
4.1. The Parties warrant that they have no reason to believe that the laws in the United States applicable to the processing of the personal data by Restream, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent Restream from fulfilling its obligations under these clauses. This is based on the understanding that laws that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR are not in contradiction with the clauses.
4.2. The parties declare that they have taken due account in particular of the following elements: (i) the specific circumstances of the transfer, including the content and duration of the contract; the scale and regularity of transfers; the length of the processing chain, the number of actors involved and the transmission channels used; the type of recipient; the purpose of processing; the nature of the personal data transferred; any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred; (ii) the laws of the United States, including those requiring to disclose data to public authorities or authorizing access by such authorities, as well as the applicable limitations and safeguards; (iii) any safeguards in addition to those under these clauses, including the technical and organizational measures applied during transmission and to the processing of the personal data in the United States.
4.3. Restream warrants that it has made best efforts to provide the Client with relevant information and agrees that it will continue to cooperate with the Client in ensuring compliance with these clauses. The parties agree to document the assessment and make it available to the competent supervisory authority upon request.
4.4. Restream agrees to promptly notify the Client if, after having agreed to these clauses and for the duration of the DPA, it has reason to believe that it is or has become subject to laws not in line with the requirements, including following a change in the laws of the United States or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements under paragraph 3.1.
4.5. If the Client otherwise has reason to believe that Restream can no longer fulfil its obligations under the clauses, the Client shall promptly identify appropriate measures (such as, for instance, technical or organizational measures to ensure security and confidentiality) to be adopted by the Client and / or Restream to address the situation, if appropriate in consultation with the competent supervisory authority. If the Client decides to continue the transfer, based on its assessment that these additional measures will allow Restream to fulfill its obligations under the clauses, the Client shall forward the notification to the competent supervisory authority together with an explanation, including a description of the measures taken. The Client shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the Client shall inform the competent supervisory authority and shall be entitled to terminate the DPA.
5. Obligations of the Processor in case of government access requests
5.1. Restream agrees to promptly notify the Client and, where possible, the data subject (if necessary with the help of the Client) if it: (i) receives a legally binding request by a public authority under the laws of the country of the United States for disclosure of personal data transferred pursuant to these clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these clauses in accordance with the laws of the United States; such notification shall include all information available to Restream.
5.2. If Restream is prohibited from notifying the Client and/or the data subject, Restream agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Restream agrees to document its best efforts in order to be able to demonstrate them upon request of the Client.
5.3. To the extent permissible under the laws of the United States, Restream agrees to provide to the Client, in regular intervals for the duration of the DPA, the greatest possible amount of relevant information on the requests received (in particular, number of requests, type of data requested, requesting authority or authorities, whether requests have been challenged and the outcome of such challenges, etc.).
5.4. Restream agrees to preserve the information for the duration of the DPA and make it available to the competent supervisory authority upon request.
5.5. Clauses 4.1 to 4.3 apply without prejudice to the obligation of Restream to promptly inform the Client where it is unable to comply with these clauses.
6. Review of legality and data minimization
6.1. Restream agrees to review, under the laws of the United States, the legality of the request for disclosure, notably whether it remains within the powers granted to the requesting public authority, and to challenge the request if it concludes that there are grounds under the laws of the United States to do so. When challenging a request, Restream shall seek interim measures with a view to suspending the effects of the request until the court has decided on the merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules.
6.2. Restream agrees to document its legal assessment as well as any challenge to the request for disclosure and, to the extent permissible under the laws of the United States, make it available to the Client. It shall also make it available to the competent supervisory authority upon request.
6.3. Restream agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.