SaneBox’s Preparation for GDPR Compliance

What is the GDPR?


The General Data Protection Regulation (GDPR) is a comprehensive European data privacy law that imposes a new set of obligations on companies that process EU residents’ personal information. The law provides individuals greater transparency and control of how their personal information is processed, used, and stored. The GDPR becomes effective on May 25, 2018 and applies to all businesses that process and hold the personal data of individuals who are located inside the European Union. The GDPR also applies to organizations that offer goods or services to EU individuals, or that monitor these individuals’ behavior.


DISCLAIMER: While this article aims to give useful guidance to SaneBox customers regarding SaneBox and the GDPR, it cannot be used as legal advice.

Helping Our Customers to Comply with the GDPR


SaneBox recognizes that data protection is integral to our customers’ core values and business operations. As a data processor entrusted with handling personal data on behalf of our customers, we are committed to enabling our clients to fulfill their obligations under the GDPR by ensuring our own compliance with the law. SaneBox has been preparing for months to become fully compliant with the GDPR. Below you will find an overview of the steps SaneBox has taken to achieve compliance with the GDPR.

Data Minimization


Data minimization is one of the important privacy principles provided in the GDPR. It requires that businesses limit personal data collection, storage, and use to the minimum of what is necessary for the purpose or objective. Therefore, the SaneBox application only collects and processes data that is essential for the purposes of providing the SaneBox service. By applying Privacy by Design, our systems are designed to read and process only the header information and not the actual text contained within the bodies of your emails. This allows SaneBox to continue to deliver the same smart, simple and flexible email management solution without invading SaneBox users’ privacy.

Upgrading Contractual Relationships with SaneBox Customers


Article 28 of the GDPR dictates that a data processor can only process personal data on documented instructions of a data controller. To ensure that SaneBox is obligated to process personal data within the limits of the GDPR, SaneBox has developed a Data Processing Addendum (DPA) that all SaneBox business customers regulated by the GDPR will be able to sign before May 25, 2018. By signing the DPA, our customers will be confident that the data processed by SaneBox on their behalf will be handled in compliance with the GDPR.

Implementation of GDPR-Compliant Terms with Sub-Processors


In order to deliver the services to our customers, we use certain third parties service providers (known as “subprocessors”) such as hosting providers who in turn must comply with the GDPR. We have made sure that we have appropriate contractual measures in place so that data will be handled by these subprocessors based on our customers’ instructions and the law. Additionally, we require our subprocessors to implement strong technical and organizational measures to maintain a high level of data security.

Technical and Organizational Measures


One of the other important steps in our GDPR compliance journey has been a comprehensive review of the existing data security practices around our services and the implementation of even stronger security measures to ensure that the data processed on behalf of our customers is well-protected and in line with the requirements of the GDPR.

Data Subject Rights


SaneBox appreciates that our business clients must respect the rights of the data subjects listed in Chapter III of the GDPR. The functionalities embedded in our application enable SaneBox customers to handle requests relating to the restriction of personal data, rectification, access, and erasure in an easy and efficient manner. In fact, SaneBox users can comply most of these rights in the account settings of the SaneBox application.

SaneBox’s Article 27 Representative


Article 27 of the GDPR requires SaneBox to appoint an EU Representative who will act as a point of contact with EU data protection authorities and data subjects. SaneBox has appointed VeraSafe as its Article 27 EU Representative.


To make an inquiry on a matter related to the processing of personal data, please contact VeraSafe using this contact form:
Alternatively, VeraSafe can be contacted at:


Matthew Joseph
Zahradníčkova 1220/20A
Prague 15000
Czech Republic


VeraSafe Ireland Ltd
Unit 3D
North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P

SaneBox Customers’ Compliance with the GDPR


It is worth mentioning that SaneBox’s compliance with the GDPR will not automatically make our business customers’ processing activities GDPR compliant. Therefore, each of our GDPR-regulated business customers must review their existing data protection controls and processes and take necessary measures to ensure that they meet their obligations laid down in the GDPR.


If you have any questions about how GDPR affects your SaneBox account – please reach out to us directly at