GDPR - Superset


Superset and GDPR

India currently does not have an enforced data protection law. However, to maintain the highest standards of data security and privacy for its users, Superset complies with all GDPR principles for its users in India, the EU and other countries.

 

What is Superset's take on GDPR?

At the outset, GDPR may look intimidating, making it harder for marketers to access user information. However, it also provides marketers with an opportunity to reconnect with their audience and strengthen the brand-consumer relationship. Take the opportunity to inform users of the data you collect and how you use it, and make them aware of their rights, which can be reassuring and builds trust.

How does GDPR apply to Superset?

When Superset clients use our platform, universities and employers are the controllers and Superset is a processor, which means that Superset will follow the instructions of its clients when processing personal data on their behalf. However, Superset is the controller for personal data that it collects from student users, from its employees, and from EU citizens who visit the Superset website or have their data collected in other ways through our marketing programs.

Superset's commitment to data security and privacy

At Superset, we believe in “security by design,” meaning that we have built security into the core of our product and have made it a key focus area since day one. Superset’s security by design committee meets on a regular basis to review, discuss and implement privacy principles in the design and development of the features, functionalities, and operations of Superset. The committee includes manager-level employees from the product, engineering and operations organizations together with Superset's privacy and security teams.

How do we enable our customers to be GDPR compliant?

As a data processor, Superset is focused on automating (as much as is technically feasible) the ability of its clients to comply with the rights of EU citizens and other users. For instance, Superset has already updated its platform so that clients can respond to requests from individual data subjects. Superset already provides a way for customers to export user data. If required, clients can raise a support ticket to delete customer data on demand.

Rights of Users

Under GDPR, citizens of the EU have the right to consent to, reject, erase, and control the personal information companies collect for business purposes. In general, it gives users more freedom and control over what information they share with companies and how companies can make use of it.

  • Right to be informed

    What does this mean?

    The GDPR places emphasis on how data controllers handle users' personal data. Under GDPR, data subjects need to be made well aware of how brands collect, store, and process critical customer data.

    Superset recommendation

    Under GDPR, Superset customers, as Data Controllers, must provide mechanisms that enable Data Subjects to understand how their personal data is being collected and processed. Many Data Controllers fulfill this obligation by means of a privacy notice on their website. Data Controllers are also required to ensure that users of their products and services have easy access to the privacy policy. Additionally, your privacy policy should disclose that you may share personal data with third parties who may process that personal data on your behalf, and provide sufficient disclosure about that processing so that the Data Subject is informed about what you and your Data Processors will be doing with personal data.

  • Right to Access

    What does this mean?

    The data subject under GDPR has the right to: confirmation that their data is being processed; access to their personal data; and other supplementary information, which largely corresponds to the information that should be provided in a privacy notice (see GDPR Article 15).

    How is Superset compliant with this right?

    As a data processor, Superset has established mechanisms that help customers, as data controllers, access specific information about data subjects. Superset customers can download data for particular users based on any user identifier. Superset dashboard users with Admin and Manager access can download user data directly from the dashboard.

  • Right to Rectification

    What does this mean?

    Data subjects, under GDPR, are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible.

    How is Superset compliant with this right?

    Superset customers can update the user data of specific users in Superset by using one of our data import APIs. These are enabled by default for all clients and can be used whenever an end user requests that their information be updated.

  • Right to Erasure

    What does this mean?

    The Right to Erasure, also known as the ‘right to be forgotten’, allows users to have their data removed from specific systems used for processing or holding their data. As a Superset customer, your end users can request that you erase their personal data.

    How is Superset compliant with this right?

    To help Superset customers delete personal data of users from the Superset database, we recommend the following two solutions:

    1. An Erase API is available which erases the personal data of specific users entirely from within Superset. Please note that deleting the data does not automatically stop processing additional data that Superset receives for a given user.

    2. Alternatively, you can ask your end users to delete their account on Superset.

    Deleting a user from the Superset platform will permanently remove the user profile for that particular user. This includes all personal data as mentioned under GDPR guidelines.


  • Right to Restriction of Processing

    What does this mean?

    Data Subjects have the right to ‘block’ or suppress processing of specific subsets of their personal data in the event of inaccurate or improperly obtained data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.

    How is Superset compliant with this right?

    Superset provides an option to every user under their profile, where they can opt-out of specific kinds of data processing by Superset.

  • Right to Data Portability

    What does this mean?

    The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

    How is Superset compliant with this right?

    As with the Right to Access, Superset customers can easily download data of specific users based on any user identifier. Superset dashboard users with Admin and Manager access can download user data directly from the dashboard.