GDPR statement of compliance by Spex Asia
The use of personal data by big companies is a hot topic right now, not only in Europe but in the rest of the world as well, where the aim is to prevent abuse and enhance the security of that data. The European General Data Protection Regulation (GDPR), which will take effect on May 25, 2018, aims to do exactly that – regulate how personal data of individuals in EU territory gets collected and used. It defines what personal data is – literally everything: name, email, username, address, phone number, financial data, age, behavioural data and more – and obliges everyone who collects and processes such data of EU individuals, no matter where that company or person is located around the world, to act in accordance with this regulation.
Spex Asia looks forward to the regulation being enforced. We believe the GDPR is good for users and good for the overall security of the Internet and we have always been acting in line with its main principles.
Spex Asia Getting Ready For The GDPR
In compliance with the GDPR, an outsourcing company like Spex Asia has two responsibilities – to protect the data we receive from our clients and the data we collect on behalf of our clients (such as name, job title, email, company details, phone number). We have to guarantee that we collect, store and work with our clients’ data in a legitimate way and that our clients are informed how exactly we do that. On the other hand, as a processor we have to provide sufficient guarantees and undoubted transparency about the way we store the data our clients host on our servers on behalf of their clients.
Even though Spex Asia has always been acting in accordance with the principles of the GDPR, we have implemented some additional processes in line with the letter and spirit of the law. So here is a list of the things we have gone through and why they matter.
The GDPR says we have to inform clients what data we collect about them and legitimize how we use it afterwards.
- Internal Procedures And Access-Control Enhancements
Given that we have been very strict and clear about data protection and data confidentiality since we began operations in 2015, all our data handling operations are set up to uphold those standards. What we are doing in line with the GDPR is enhancing the security levels and adding new procedures where it is required by the new regulation. For example, we are strengthening our personnel training and extending our confidentiality agreements. We are enhancing our security and incident management procedures as well, and we make sure that only those people who indeed need to access data have access to it.
- Right To Be Forgotten
Under the GDPR every client can request “to be forgotten”, meaning all their data has to be deleted and never used again, except in certain circumstances, which may include having to keep processing your personal information to comply with a legal obligation. We have implemented a process that allows clients to request to be taken out of our clients’ entire database.
- Assign Data Privacy Officer
The GDPR says we need to assign a Data Privacy Officer to make sure we are compliant with the regulations and handle complaints. We have assigned a DPO and we educate all team members who will be able to assist with inquiries and data protection issues.
Daniel Malkiewicz – Director Spex Asia Pte. Ltd.