- Overview of GDPR Compliance
- Does GDPR Apply to Laywork?
- Our Commitment to GDPR Principles
- 1. Data Mapping and Inventory
- 2. Lawful Basis for Processing
- 3. Transparent Privacy Notice
- 4. Data Subject Rights
- 5. Data Security Measures
- 6. Data Breach Notification
- 7. Data Protection Officer (DPO)
- 8. Third-Party Processors
- 9. Data Transfers Outside the EU
- 10. Accountability and Documentation
- Privacy Notice Snippet
- Data Processing Agreement (DPA)
- Cookie Policy Snippet
Overview of GDPR Compliance
At Laywork, we’re committed to protecting the personal data of our users and their clients in line with the General Data Protection Regulation (GDPR), effective since May 25, 2018. The GDPR is a comprehensive EU regulation that governs how organizations collect, process, and store personal data of individuals within the European Union (EU) or European Economic Area (EEA), regardless of where the organization is based. As a CRM software provider at laywork.com, operated by Laywork Limited, we process personal data on behalf of our users (data controllers) as a data processor. This page outlines our approach to GDPR compliance, ensuring transparency, security, and respect for data subject rights.
Does GDPR Apply to Laywork?
Yes, GDPR applies to Laywork because:
- We offer CRM services to businesses, some of which may operate in the EU/EEA or manage data of EU/EEA residents.
- Our users upload personal data (e.g., client names, emails) into our Service, which we process on their behalf.
- Even if we are based outside the EU, GDPR’s extraterritorial scope (Article 3) applies when we handle EU residents’ data.
Non-compliance can result in fines up to €20 million or 4% of our annual global turnover (whichever is greater), alongside reputational damage. Thus, GDPR compliance is a priority for us and our users.
Our Commitment to GDPR Principles
We adhere to the seven key GDPR principles (Article 5):
- Lawfulness, Fairness, and Transparency: We process data only with a lawful basis (e.g., contract or consent) and inform users clearly about data use.
- Purpose Limitation: Data is processed solely for CRM purposes as defined by our users.
- Data Minimization: We collect only what’s necessary for the Service to function.
- Accuracy: We encourage users to keep data accurate and provide tools to update it.
- Storage Limitation: Data is retained only as long as needed, with options for users to delete it.
- Integrity and Confidentiality: We secure data with encryption and robust measures.
- Accountability: We document our processes and demonstrate compliance.
Steps to Ensure GDPR Compliance
Here’s how Laywork ensures GDPR compliance, with actionable steps for our team and users:
1. Data Mapping and Inventory
- What We Do: We maintain a record of all personal data processed (e.g., user account details, client data uploaded to the CRM), including data types, sources, and purposes (Article 30).
- User Action: Map your data flows within Laywork to identify what client data you process and why (e.g., contact details for sales tracking).
2. Lawful Basis for Processing
- What We Do: Our lawful basis is the performance of a contract (Article 6(1)(b))—providing CRM services to you. We also rely on legitimate interests (Article 6(1)(f)) for analytics to improve the Service, ensuring it doesn’t override data subjects’ rights.
- User Action: Ensure you have a lawful basis (e.g., consent or contract) for the client data you upload. Document this in your privacy notices.
3. Transparent Privacy Notice
- What We Do: Our Privacy Policy (available at laywork.com/privacy) explains what data we collect (e.g., email, IP address), how we use it (e.g., account management, support), who we share it with (e.g., subprocessors), and user rights (Articles 12-14).
- User Action: Create a GDPR-compliant privacy notice for your clients, detailing how you use Laywork to process their data.
4. Data Subject Rights
- What We Do: We support your ability to honor data subject requests (Articles 15-22), such as access, rectification, erasure (“right to be forgotten”), restriction, portability, and objection. Contact us at [email] to process these requests on your behalf.
- User Action: Respond to client requests within one month (Article 12(3)). Use Laywork’s export or delete features to comply.
5. Data Security Measures
- What We Do: We implement technical and organizational measures (Article 32), including encryption, secure servers, and access controls, to protect data at rest and in transit.
- User Action: Secure your account with strong passwords and enable two-factor authentication (if available).
6. Data Breach Notification
- What We Do: If a breach occurs affecting personal data, we notify affected users (controllers) within 72 hours (Article 33) and assist in reporting to supervisory authorities if required (Article 34).
- User Action: Report breaches to your local data protection authority (e.g., ICO in the UK) and inform affected clients if there’s a high risk to their rights.
7. Data Protection Officer (DPO)
- What We Do: If our processing requires it (Article 37), we appoint a DPO to oversee GDPR compliance. Contact them at [email].
- User Action: Appoint a DPO if your business processes large-scale sensitive data (e.g., health info) via Laywork.
8. Third-Party Processors
- What We Do: We use subprocessors (e.g., hosting providers) only with GDPR-compliant agreements (Article 28). A list is in our Data Processing Agreement (DPA).
- User Action: Ensure your subprocessors (including Laywork) have GDPR-compliant contracts.
9. Data Transfers Outside the EU
- What We Do: For transfers outside the EU/EEA (e.g., to servers in the US), we use Standard Contractual Clauses (SCCs) or rely on adequacy decisions (Articles 45-46).
- User Action: Verify your data transfers comply with GDPR, using SCCs if needed.
10. Accountability and Documentation
- What We Do: We maintain records of processing activities, conduct regular audits, and train staff on GDPR compliance (Article 24).
- User Action: Keep records of your CRM data processing and review them periodically.
Laywork GDPR Policies
Privacy Notice Snippet
What Data We Collect: When you use Laywork, we collect your name, email, and company details for account setup, plus client data you upload (e.g., names, emails) for CRM functions.
How We Use It: To provide and improve the Service, send support updates, and analyze usage (anonymized).
Who We Share It With: Subprocessors (listed in our DPA) and, if required, legal authorities.
Your Rights: Access, correct, delete, or restrict your data by contacting [email].
See full Privacy Policy at laywork.com/privacy.
Data Processing Agreement (DPA)
Our DPA, available upon request at [email], outlines:
- Our role as a processor and your role as a controller.
- Obligations for data security, breach notification, and subject rights support.
- Subprocessor details and international transfer mechanisms (e.g., SCCs).
Cookie Policy Snippet
We use cookies for essential functions (e.g., login), performance (e.g., analytics), and functionality (e.g., preferences). Manage them via your browser or our consent tool at laywork.com. See our full Cookie Policy above.
Contact Us
For GDPR inquiries, reach us at:
- Email: [email protected]
- Post: Laywork LLC, 17224 S. Figueroa Street, Gardena, California 90248, USA
- DPO: [email protected] (if applicable)
Last Updated: March 1, 2025