What is GDPR?

The General Data Protection Regulation (also known as Regulation 2016/679 or “GDPR”) is a Regulation in EU law on data protection and privacy in the EU and the European Economic Area (EEA). Though it was drafted and passed by the European Union (EU), it imposes data protection obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.

What is personal data?

Personal data is any information that relates to an individual who can be directly or indirectly identified. Different pieces of information, which are collected together, can lead to the identification of a particular person, and also constitute personal data.

Personal data that has been de-identified, encrypted, or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.

There are some examples of the personal data:

  • a name and surname;
  • an address;
  • an email address;
  • an ID card number;
  • location data;
  • an IP address;
  • cookie identifiers;
  • the advertising identifier of the phone.

What does it mean to process data?

Definition of Data Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. If you do something with data in the way mentioned above — you are processing data.

What is the difference between a Data Processor and a Data Controller?

A data controller refers to an organization, institution, or individual that sets the standards and rules for personal data processing. In practice, that means that a data controller is responsible for determining how and why data is going to be used by an organization. Most often, a data controller is a person or organization that actually gathers data and then dictates how it will be used.

This is in contrast to a data processor. According to GDPR, a data processor is an organization, institution, or individual that implements the standards for data processing established by the data controller. Typically, a data processor is a party that processes data at the direction and discretion of a data controller. A data processor does not own any of the data they process and is not in control of it. This means that a data processor cannot change the meaning of the data, direct how the data is used, and is bound by the instructions.

There are some check questions to understand the difference between data controller and data processor functions:

The Data Controller decides the following things:

  • the organization that collects the data in the first instance and has the legal basis for doing so;
  • what the personal data is to be used for;
  • whether to disclose the data and, if so, to whom;
  • whether subject access and other individuals’ rights apply or whether there are exemptions;
  • how long to retain the data or whether to amend the data in a way that is not routine.

The Data Processor decides the following things:

  • the methods used for personal data collection and storage;
  • how the data is secured;
  • the means used to transfer personal data from one organization to another;
  • how personal data is retrieved;
  • the method for ensuring a retention schedule is adhered to;
  • how personal data is deleted.

What are the GDPR Conditions for Processing Personal Data?

Article 6 of the GDPR lists the several conditions (also known as basis) under which it’s legal to process personal data:

  1. Consent. Consent means that the data subject has given explicit consent for a personal data processing activity for one or more specific purposes. The notion of purpose is key here. If the data subject, also known as a natural person, gives consent to processing without knowing the specific purpose(s) in full and in an easy-to-understand way, then consent is not a legal ground for processing as it must be freely given, specific, informed, and unambiguous. Moreover, consent cannot be bundled. So, for each data processing activity within one broader operation, the general rule is that separate consent is required for each activity.
  2. Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. An organization can rely on this lawful basis if it needs to process someone’s personal data to deliver a contractual service to them or because they have asked the organization to do something before entering into a contract (e.g., provide a quote).
  3. It is necessary to process data to comply with a legal obligation. If the controller has a legal duty for which particular personal data needs to be processed, then processing is permitted. This compliance with a legal obligation for which processing is needed and to which the controller is subject isn’t new either.
  4. It is necessary to process the data to save somebody’s life. This basis is also known as “vital interest”. In this case, the natural person doesn’t need to be a data subject; it can also be another natural person. It’s, of course, not up to the controller to define what a vital interest is. This basis is more about life-threatening circumstances where there is no other legal ground for processing, but where not processing personal data would essentially mean that someone would die if the processor doesn’t take action and thereby need to know a few things about the natural person who is in danger.
  5. Processing is necessary to perform a task in the public interest or to carry out some official function. An organization can rely on this lawful basis if it needs to process personal data ‘in the exercise of official authority’. This covers public functions and powers that are set out in law, or to perform a specific task in the public interest that is set out in law.
  6. The controller has a legitimate interest in processing someone’s personal data. The processing of personal data in this context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with an individual. In such cases, the processing of personal data can be justified on the grounds of legitimate interest. For example, a processor has a legitimate interest when the processing takes place within a client relationship, for direct marketing purposes, to prevent fraud, or to ensure the network and information security of IT systems.

How does consent work under the GDPR?

There are strict rules about consent from a data subject to process their information:

  • Consent must be “freely given, specific, informed, and unambiguous.”
  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. It is not possible to simply change the legal basis of the processing to one of the other justifications.
  • Need to keep documentary evidence of consent.

What are individual rights under the GDPR?

GDPR provides the following rights to the individuals:

  1. The right to be informed (individuals have the right to be informed about how companies collect and use their personal data, how long they plan to keep that data, and who they’ll share it with);
  2. The right of access (individuals have the right to know exactly what information companies have collected, how they’re storing and processing that data, and what they’re going to do with it);
  3. The right to rectification (individuals have the right to have incomplete data completed and incorrect data corrected);
  4. The right to erasure (individuals have the right to have personal data permanently deleted. This is also known as the “right to be forgotten”);
  5. The right to restrict processing (if individuals can’t require that data controllers erase their personal information, they can restrict the ability of data controllers to process that data);
  6. The right to data portability (individuals have the right to obtain and reuse their personal data for their own purposes across different services);
  7. The right to object (individuals have the right to object to the processing of their personal data in certain circumstances);
  8. Rights in relation to automated decision-making and profiling (individuals have the right to demand human intervention, rather than having important decisions made by algorithms).

What are the Seven GDPR Principles?

There are Seven key data protection and accountability principles according to the GDPR:

  1. Lawfulness, fairness, and transparency — processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — must keep personal data accurate and up to date.
  5. Storage limitation — may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — the data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Does the GDPR require the personal data of EU residents to stay in the EU?

The GDPR doesn’t have a direct restriction for the personal data of EU residents to stay in the EU only. However, EU Data Protection works on principle “GDPR stays with the data”, meaning that the rules protecting personal data continue to apply regardless of where the data lands. This principle also applies when personal data is transferred to a country that is not a member of the EU.

Processing by Ajax

Does Ajax process my personal data?

Yes, Ajax could process your personal data. There are 4 main scenarios when we may deal with your data:

  1. through our security devices (such as Hub or others);
  2. through our mobile apps (such as Ajax Security System and Ajax PRO: Tool for Engineers) and desktop apps (we call those our Products or Services);
  3. if you visit the website
  4. within the framework of business cooperation between you and Ajax (whether you are a direct or indirect Partner or Subcontractor of Ajax)

What types of my data could be processed by Ajax?

Ajax may process different types of data, depending on the scenario of the interaction with you.

Through our security devices, we may process:

  • Information about your Hub (such as its model and serial number, network information, including IP address, device activity logs, historic and current device configuration, and its location).
  • Environmental data from Ajax’s devices, such as temperature, noise level, or motion data.

While using our Products or Services, we may process:

  • Information about you (such as name, surname, email, phone number, and your account picture).
  • Information that you share with us from the phonebook of your device when you invite users to the Product (such as email or phone number of a person whom you invite to the Product).
  • Unique identifiers for our Services (such as your username and password).
  • Unique identifiers of the users you have connected to the Product, such as the username, the role of the user in the Product, and his/her email address; information about your mobile and desktop devices, such as the device type, operating system, and system language.
  • Location-based data to provide you with reminders to arm/disarm the system if you activate the Geofence function in our app.
  • For Android and iOS users, SMS with the authorization code required during account registration or changes.
  • Information about your use of our Products and Services (such as requests from the app to our server).

If you visit our website, we may process:

  • The information you provide while filling in the forms, which may contain your personal data and contact details.
  • Cookie identifiers (through GDPR-compliant tool).
  • Your IP address to define the country of your location.

In case of business cooperation, we may process:

  • Personal and contact details of business representatives (Name, position, email, and phone number).

What is the purpose and legal basis of the processing?

  • All the data we receive through our security devices or while you are using our Products or Services is processed only to provide you with requested security services. This means that we process all such data to perform a contractwe have with you. Also, this means that we do not collect any data that is not specifically needed for us to provide you with such services.
  • If you decide to subscribe to our newsletter, we will send you emails with some information about us and our latest updates. We are relying on your consent which you provide by confirming your subscription. Also, we’ll personalize these emails based on the information we have about you, so they are more relevant and more useful for you.
  • If you have shared operations logs from your app, in case you had some issues, we will process those to solve your technical problem and to make our Products and Services better. We process those based on our legitimate interest to make our market offerings more competitive.
  • We use the data that you share with us from the phonebook of your device when you invite users to the Product (such as the email or phone number of a person that you invite to the Product) to send the invitation to those persons only.

Where is information stored?

All types of data that Ajax may collect from you are stored on the cloud storage located in Ireland, Germany and France (inside the EEA); the choice of where to store the data (in Ireland, Germany and France) is subject to the AWS infrastructure availability.

For how long is information stored?

All data is stored for the entire duration of the customer relationship, except for the memory of push notifications, which is limited to 500 transactions. For PRO Desktop Account event log, the duration of event notifications storage is 2 years. However, some types of data (such as representatives name, position, and contact information mentioned in contracts) may be stored longer than the period of cooperation to fulfill our legal obligations.

Type of data

Purpose of processing

Legal basis

Storage period

Information about Hub (model and serial number network information, including device activity logs, historic and current device configuration, location)

To perform proper functioning of Hub, devices, and apps

Contract, in case of service support — legitimate interest

Entire duration of the customer relationship or until erased as requested/performed by the user.

Backups up to 12 months

Unique identifiers (username and password)

User authorization


Entire duration of the customer relationship or until erased as requested/performed by the user.

Backups up to 12 months

Location-based data

To perform proper functioning of Hub, devices, and apps

Contract and/or legitimate interest

Entire duration of the customer relationship or until erased as requested/performed by the user.

Backups up to 12 months

Information about use of our Products and Services (such as requests from app to server)

To perform proper functioning of Hub, devices, and apps


Entire duration of the customer relationship or until erased as requested/performed by the user.

Backups up to 12 months

The information provided by filling the forms, which may contain personal data and contact details

Communication, service of product delivery, marketing promotions


Entire duration of the customer relationship or until erased as requested/performed by the user.

Backups up to 12 months

IP address

To perform proper functioning of Hub, devices, and apps

Contract or Consent

Entire duration of the customer relationship or until erased as requested/performed by the user.

Backups up to 12 months

Name, surname, and contact information

To perform proper functioning of Hub, devices, and apps


Entire duration of the customer relationship or until erased as requested/performed by the user.

Backups up to 12 months

Images taken through Ajax devices

To perform proper functioning of Hub, devices, and apps


-Mobile app — Media files retention period for the User and PRO accounts is 2 years. Photos might be deleted earlier along with the associated events if the event limitation in the mobile app (500 events) is reached.

-Ajax PRO Desktop (company account) — depends on settings (from 7 days up to 2 years).

-Ajax Translator doesn’t store the images; however, the links are active for 7 days from the moment of their generation

Who has access to the system and information on Ajax’s end?

Ajax follows availability minimization and least-privileges principles in data access. Thus, access to the data may be granted to Ajax employees responsible for supporting the process of the services and project provision only. When Ajax personnel gain access to data, their equipment is protected by encryption and other tools as required by the highest technical market standards. All employees have signed an NDA in place and conduct a data protection assessment annually. All the actions of the personnel are logged, and the logs are automatically checked in real time. In case of suspicion of excessive access, we restrict access and immediately start investigating the case. Nevertheless, we kindly point out that Ajax never accesses the data without a valid legal basis for such access. In some cases, Ajax may be directed by a user (at his/her own risk) to grant access to the user's data to third-party providers assigned by the user (security companies, installers) via mobile or desktop apps. In such cases, the user’s chosen companies will also have access to the data the user wants to be transferred.

What is Ajax doing to comply with global data protection laws? How does Ajax demonstrate compliance with the GDPR?

To comply with international data protection laws, Ajax employs a significant number of measures, mechanisms, and procedures. For example, Ajax applies the principles of data processing limitation (privacy by design & by default), data minimization, access control, data processing policies (storage, processing, deletion policies, etc.). As part of the data transfers, Ajax uses various measures, including organizational and technical measures and Standard Contractual Clauses. You can find more information about this in the Data Transfer section.

How can I exercise my privacy rights?

For exercising your privacy rights (to delete, object or be informed about your personal data, to restrict processing, etc.) you can contact us by the email

Data Transfer

Who may Ajax share my data with? What types of data may be shared and in what cases?

Generally, we can share your personal data only when needed to provide you with requested services. Such data may be disclosed to our vendors and service providers, who provide certain services for our Products and Services to function. This includes data hosting, technical support, communication, etc. We make sure that such providers treat it as protective as we do.

We can share your contact details (such as cell phone number, nickname, and email) with physical security service providers if you request us to do so by selecting such a provider in our app. Please note that such service providers will become data controllers on their own, responsible for your personal data. Despite the fact that we choose reputable partners to offer in our app, we recommend checking their privacy policies before requesting us to transfer your data to selected companies.

For certain needs, Ajax may use the services of third-party sub-processors outside the EEA. Such needs may include data hosting, technical communication for registration, installation, and other organizational activities via email or telephone.

Ajax puts its best efforts to ensure that such transfers are made in compliance with all applicable data protection laws. Thus, Ajax has signed DPAs with all sub-processors (including SCCs in case of cross-border data transfers), as well as additional supplementary measures taking place in data transfers and processing. All Ajax sub-processors have their own privacy policies and other privacy-related documents, which are reviewed by Ajax professionals to ensure compliance on a regular basis.

List of the Ajax approved sub-processors:

What are Standard Contractual Clauses?

Standard contractual clauses (SCCs) are standardized and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law. They can be incorporated by controllers and processors into their contractual arrangements with other parties, such as commercial partners. The clauses can be used on a voluntary basis to demonstrate compliance with data protection requirements, requiring a binding contractual commitment to abide by them. The European Commission has the power to adopt SCCs (1) regarding the relationship between controllers and processors and (2) for the transfer of personal data to countries outside of the EEA.

What are Supplementary Measures?

Supplementary measures are specially implemented technical and organizational procedures that are used to achieve an effective level of assurance on the transferred data equivalent to processing the data within the EEA.

Ajax implemented, including but not limited to, the following organizational measures:

  • regular awareness training and examination of Ajax employees;
  • automated system for real-time monitoring of breaches and vulnerabilities;
  • ongoing logging of all processes;
  • regular custom inspection and validation of Ajax system concerning vulnerabilities.

Ajax implemented, including but not limited to, the following technical measures:

  • Measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, app servers, and related hardware), where personal data are processed, including establishing security areas, restriction of access paths, establishing access authorizations for employees and third parties, door locking (electric door openers, etc.).
  • Measures to prevent data processing systems from being used by unauthorized persons, including user identification and authentication procedures, ID/password security procedures, encryption of archived data media.
  • Measures to ensure that persons entitled to use a data processing system gain access only to such personal data in accordance with their access rights, and that personal data cannot be read, copied, modified, or deleted without authorization, including internal policies and procedures, control authorization schemes, differentiated access rights (profiles, roles, transactions, and objects), monitoring and logging of accesses, disciplinary action against employees who access personal data without authorization.
  • Measures to ensure that personal data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, including encryption, logging, transport security. All personal data are encrypted with SHA256 algorithm at rest and are subject to transfer via HTTPS with SHA128 and TLS 1.2 encryption.
  • Measures to monitor whether data have been entered, changed, or removed (deleted), and by whom, from data processing systems, including logging and reporting systems, audit trails, and documentation.
  • Measures to ensure that personal data are protected against accidental destruction or loss (physical/logical), including backup procedures, uninterruptible power supply (UPS), remote storage, antivirus/firewall systems, disaster recovery plan, business sustainability plan.
  • Measures to ensure that personal data collected for different purposes can be processed separately, including separation of databases, limitation of use, segregation of functions (production/testing).

What is a Transfer Impact Assessment?

A Transfer Impact Assessment (TIA) is an analysis performed by a data controller or by a data processor of the security implications of a personal data transfer to countries outside the EU/EEA, or that benefit from an adequacy decision.