EU's GDPR and Asana


#1

Hi,
I’m using Asana to manage my tasks in educational administration. Until now, I have forwarded emails from students into Asana. The new EU GDPR directive does not allow us to save data about persons for more than a certain time.
This means that I have to delete information about persons that I have already sent to Asana (completed tasks), and I need to know what happens with deleted data. It would also be very useful with a better search tool to find the tasks that contain personal information.
What have you planned to do about this? GDPR is soon here, and you don’t seem to have taken the necessary steps to deliver an updated, legal service. I hope I am wrong, as I heavily rely on my Asana account. Can you please inform us? I think there should be much more information about this on your security info page.


#2

Hi @Sigrun_Eng,

I recommend that you visit this blog post about Asana and GDPR.

https://blog.asana.com/2018/04/asana-gdpr/

Please let us know if you have follow up questions.

Best,
Alexis


#3

hi! I’ve read this and your other articles on the GDPR. You mention you offer data processing agreements and Model Contractual Clauses – however you don’t specify how to get these. what would be the best way to go about this?

Best,
Martin


#4

I am with Martin… how do I get a Data Processing Agreement with you?
Also, I can’t find where to mark myself as data processor with deletion power.


#5

Ditto. We would also like to request this, but it appears to be difficult to contact you directly to ask. Please let us know how to enter into the DPA.


#6

Here is another one interested in the DPA. At least in the german version (https://asana.com/de/security-statement) of the text it only says that we can make an agreement, not how.
Cheers, Bastian


#7

Hello all, same here.
All I got was:

“Our Data Processing Addendum is a document that we provide to our premium and enterprise customers for whom we serve as a “Data Processor” under the GDPR and with whom we have entered into a Master Services Agreement (“MSA”).”

It would be nice to know if non-premium customers get the same protection afforded to premium customers, or if ensuring GDPR compliance forces users to get a premium account.

Cheers!


#8

Actually the support just answered that they do not provide GDPR contracts for free customers. However, isn’t it required if they offer the service in the EU?


#9

Well, if you are using ASANA within EU borders or in conjunction with data from EU citizens, you’ll in my opinion need such an agreement. If they don’t offer it, you cannot use this tool.
In the German version of the Statement, they even say it is required by law https://asana.com/de/security-statement#gdpr


#10

So if you are a paying customer, you can send them your request via mail and they’ll send you a signed DPA within a few hours. If you’re a free customer it looks like you’re out of luck (see answers below)… :-1:


#11

Hello all. This is very confusing.
I got this email from Asana:

"Thanks for your patience while I confirmed your great question with our Legal Team.
In this instance, the terms governing your use of our platform and Asana’s obligations regarding the use and protection of any data uploaded to the platform (regardless of who the data belongs to) are set out in the Terms of Use, Privacy Policy and Acceptable Use policy.

In November 2017, we went through the exercise of updating our privacy policy to align to any applicable GDPR requirements – the choice to remain a free user or upgrade to a paid account has no bearing on whether a user is GDPR compliant.
Please don’t hesitate to let us know if you have any additional questions."

Martin_Prechelmacher, where did you get your info that paying customers get the DPA by asking via mail? Thank you!