Does the EU GDPR apply to RapidRatings?
When RapidRatings provides services to its clients, the contracting RapidRatings party is its American established and operated entity.
In accordance with Article 3 of the EU GDPR, an organization is within the territorial scope of the regulation where the organization is established in the European Economic Area (EEA) or the organization offers goods or services to natural persons in the EEA or monitors the behavior of natural persons in the EEA. By reason of the contracting entity of RapidRatings (i) not being established in the EEA; and (ii) not offering or providing services to natural persons in the EEA or monitoring the behaviour of natural persons in the EEA (RapidRatings offers and provides services to corporate entities - i.e. business-to-business service offering, not a business-to-consumer service offering), it is not directly subject to the EU GDPR.
As a result, where a RapidRatings client is also not subject to the EU GDPR, it is not necessary to include EU GDPR specific data processing terms in the applicable data processing agreement.
However, where a RapidRatings client is subject to the EU GDPR, RapidRatings will be subject to the EU GDPR to the extent that it is provided for in the relevant data processing agreement that contains EU GDPR Article 28(3) contract assurance provisions.
The RapidRatings group of companies maintains data privacy and protection standards consistent with the requirements of the EU GDPR. Therefore, RapidRatings can satisfy relevant EU GDPR data processing obligations and related contract terms when providing services to clients that are within the territorial scope of the EU GDPR (including European Commission issued standard contractual clauses for the export of personal data from the EEA to a third country - https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en).
RapidRatings does have an affiliate entity located in Europe which is subject to the EU GDPR by reason of its establishment there. However, this entity does not contract with clients.
Does the UK GDPR apply to RapidRatings?
When RapidRatings provides services to its clients, the contracting RapidRatings party is an American established and operated entity.
In accordance with Article 3 of the UK’s General Data Protection Regulation (UK GDPR), an organization is within the territorial scope of the regulation where the organization is established in the United Kingdom (UK) or the organization offers goods or services to natural persons in the UK or monitors the behavior of natural persons in the UK. By reason of the contracting entity of RapidRatings (i) not being established in the UK; and (ii) not offering or providing services to natural persons in the UK or monitoring the behaviour of natural persons in the UK (RapidRatings offers and provides services to corporate entities - i.e. business-to-business service offering, not a business-to-consumer service offering), it is not directly subject to the UK GDPR.
As a result, where a RapidRatings client is also not subject to the UK GDPR, it is not necessary to include UK GDPR specific data processing terms in the applicable data processing agreement.
However, where a RapidRatings client is subject to the UK GDPR, RapidRatings will be subject to the UK GDPR to the extent that it is provided for in the relevant data processing agreement that contains UK GDPR Article 28(3) contract assurance provisions.
The RapidRatings group of companies maintains data privacy and protection standards consistent with the requirements of the UK GDPR. Therefore, RapidRatings can satisfy relevant UK GDPR data processing obligations and related contract terms when providing services to clients that are within the territorial scope of the UK GDPR (including the UK’s Information Commissioner’s Office issued international data transfer agreement and addendum for the export of personal data from the UK to a third country - https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/).
Does RapidRatings classify itself as a data controller or data processor when processing client personal data?
“Data controller” and “data processor” are important concepts in understanding an organization’s responsibility under privacy laws that recognize these classifications (including but not limited to the EU GDPR and the UK GDPR).
Put simply, a data controller determines the purposes and means (the “why” and the “how”) of a particular processing activity and a data processor processes personal data on behalf of the data controller.
Each client of RapidRatings is invariably identified as a data controller. Depending on the data processing scenario, RapidRatings may be a data controller (separate and independent to the client), a data processor or both.
When RapidRatings processes personal data on behalf of a client for the purpose of contacting and engaging with that client’s counterparties (third parties), the particular personal data shared by the client with RapidRatings (comprising third party point of contact information) is processed by RapidRatings acting in a data processor capacity. This data processing arrangement exists when a client is merely acting in an introducer role (i.e. introducing RapidRatings to third parties for the purposes of RapidRatings conducting certain activities with them for the benefit of the client).
After contact is made with a third party, an independent relationship between RapidRatings and that third party is created which amounts to a new data controller (third party) - data processor (RapidRatings) relationship being established. Separate to the service arrangement between the client and RapidRatings, the third party may decide to share its personal data with RapidRatings for additional purposes that are particular to that third party and its counterparties.
Does the CCPA apply to RapidRatings?
The California Consumer Privacy Act (as amended since 1 January 2023 by the California Privacy Rights Act (CPRA)) (together, the “CCPA”) can apply to any organization that “does business” in California. Although the CCPA does not clarify what “doing business” means, the California Attorney General has stated that this phrase should be interpreted “according to the plain language of the words and other Californian law”. Based on this statement, any organization that “does business” in California does at least one of the following:
- Engages in transactions with California residents (natural persons) for a financial benefit (e.g. offering goods or services)
- Hires California residents as employees or contractors
- Pays (or is subject to paying) California state taxes
Where an organization is found to be a for-profit entity “doing business” in California that collects California consumers’ personal information, it will be subject to the CCPA if at least one of the following thresholds is met:
- Annual gross revenues in the preceding calendar year in excess of $25 million;
- Annually buy, sell, receive or share for commercial purposes the personal information of more than 100,000 Californian consumers, households or devices; or
- Derive at least 50% of annual revenue from selling or sharing consumers’ personal information.
By reason of the contracting entity of RapidRatings not “doing business” in California (RapidRatings offers and provides services to corporate entities - i.e. business-to-business service offering, not offering services to Californian consumers), it is not directly subject to the CCPA.
As a result, where a RapidRatings client is also not subject to the CCPA, it is not necessary to include CCPA specific written contractual requirements in the applicable data processing agreement.
However, where a RapidRatings client is subject to the CCPA, RapidRatings will be subject to the CCPA to the extent that it is provided for in the relevant data processing agreement that contains CCPA (California Civil Code) Sections 1798.100(d) and 1798.140(ag) written contractual requirements for the business-service provider relationship.
RapidRatings can satisfy relevant CCPA data processing obligations and related written contractual requirements when providing services to clients that are subject to the CCPA.
Similar to the EU GDPR and the UK GDPR, does the CCPA rely on the concepts of “data controller” and “data processor”?
The CCPA does not rely on the concepts of “data controller” and “data processor” but instead refers to “businesses” and “service providers”, which have similar but not identical meanings.
As previously mentioned, RapidRatings does not identify itself as being a “business” for the purposes of the CCPA and so does not come within the direct scope of the privacy law in its own right. Where a client is a “business” and relies on RapidRatings to provide services to the client which involves the use of “personal information” (as defined by the CCPA), RapidRatings may, in that context, be recognized as a “service provider”.
However, not all vendors of services are considered “service providers” under the CCPA. In addition to an organization processing personal information “on behalf of a business”, the entity must be subject to a written contract that prohibits it from retaining, using or disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”. Where the terms of the services agreement in place between a client and RapidRatings necessarily provide for the retention of personal information beyond termination, allow the use of personal information (in any form) for its own purpose, or allow the vendor to make decisions about the disclosure of personal information, the definition of “service provider” under the CCPA (as amended by the CPRA) would not be met.
Does RapidRatings “sell” personal information (as defined by the CCPA)?
We do not “sell” (as defined by the CCPA) our clients’ personal information. We do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration.
We may share aggregated and/or anonymized information obtained as part of the delivery of our services to clients (which is not considered personal information under the CCPA) with third parties to help us develop and improve our services and provide our clients with more relevant content and service offerings as detailed in our client agreements.
Does RapidRatings process or control personal data relating to children? Is RapidRatings subject to the US Children’s Online Privacy Protection Act (COPPA)?
Our services and this website are not intended for children under the age of 16, and we do not knowingly collect information from children under the age of 16.