Mettl's GDPR Readiness

Our Commitment to Ensure Complete Transparency and Build Trust

What is GDPR?

The European Union has taken a major step towards securing the fundamental right to privacy for EU residents through the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018. The GDPR empowers EU residents by placing them in control of their personal information and imposes strict obligations on organizations that collect and process this information.

Whom does it impact?

Any organization - whether a private business or a public authority, irrespective of its location - that collects, stores or shares the personal data of EU residents must comply with the GDPR in order to preserve the fundamental rights of EU residents. Non-compliance can lead to heavy fines. This affects businesses that deal directly with the personal details of EU residents (data controllers) as well as those that process the data on behalf of other businesses (data processors).

What has Mettl done for GDPR readiness?

Transparency and trust are Mettl’s core values and we are committed to our customers’ data privacy and security. The GDPR aligns with this vision, and we have improved our existing systems and processes to achieve GDPR compliance.

With a clear mandate and business priority from our management team, Mettl has formed a dedicated cross-functional Compliance Team which has defined our GDPR roadmap. As of 25th May 2018 we are GDPR compliant, and we continue to improve our systems and processes in this regard.

Here’s some brief information about our approach to GDPR compliance:

Organizational Readiness

• Management-driven cross-functional Compliance Team leading the initiative for GDPR compliance

• Updated our Privacy Policy

• EU-compliant contractual protection for data transfers outside the EU

• Policies and processes to enable Data Subject Rights

• Data Breach Management systems and processes with a clearly defined turnaround time and escalation matrix for any data breach

• Detailed data inventory of data in-flows and out-flows in our systems

• Explicit consent, consent management and consent withdrawal

• Access controls and rights

• Strengthened data encryption and anonymization practices

• Privacy by design and by default principles to ensure new projects and processes are in alignment with our commitment to data privacy and security

Tonmoy Shingal
Co-Founder & COO, Mettl


We at Mettl see GDPR as an opportunity to reinforce our values of transparency and customer focus. It is these values which are driving us to build robust systems to ensure our customers' data privacy and build trust.



What is personal data or Personally Identifiable Information (PII)?

Any data relating to an identified or identifiable living individual constitutes personal data. It can be anything from a name, a photograph, an email address, bank details or medical data to an online identifier such as an IP address.

What is the difference between a data controller and processor?

A controller is the entity that determines the purposes and means of processing personal data, while a processor is an entity that stores and processes personal data on behalf of the controller. Both controllers and processors must comply with the GDPR.

What will happen if a business is not GDPR compliant?

The GDPR significantly expands the data privacy rights of individuals, and both data controllers and processors that fail to meet its requirements face potentially heavy fines: administrative fines can reach up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Does the GDPR require EU resident’s data to stay in the EU?

No. The GDPR does not require the personal data of EU individuals to remain in the EU, and it carries forward the existing transfer regime rather than introducing new restrictions; transfers outside the EU are permitted provided a recognised transfer mechanism is in place.
Data transfers from the EU to other countries can be legitimized through various means, including:
· An adequacy decision by the European Commission for the destination country
· EU-US Privacy Shield (note: invalidated by the Court of Justice of the EU in July 2020 and no longer a valid transfer basis)
· Standard Contractual Clauses (model clauses)
· Binding Corporate Rules (BCR)