As a data company, we believe it’s important that we provide a general overview on Waylay and the GDPR that is written in plain English and is as free from legalese as a text talking about a legal document can be. Important obligatory note: this text is for information purposes only and can not be considered legal advice or legally binding in any way or form.

On May 25th, 2018, the European Union’s new data protection regulation, the General Data Protection Regulation (GDPR) enters into force. In our borderless digital world, this piece of legislation is an important update and will impact any business handling data that can be used to personally identify EU residents, which in GDPR terminology are called “data subjects”.


As an Internet of Things company, when thinking about handling personal data there is already a useful distinction to be made between industrial and consumer IoT use cases.

For industrial applications, Waylay primarily handles machine data for customers. In most cases, this data and its associated metadata cannot be linked to individuals and hence does not classify as personally identifiable data.

GDPR will have greater impact on consumer IoT use cases, where our customers’ end users are private persons and where IoT applications will almost always require handling personal data and where device data can be associated with individuals.

Irrespective of the nature of the application, industrial or consumer, and regardless of whether it’s pure machine data or explicit human user data that we handle, Waylay is committed to going the extra mile in protecting data subjects. This article provides an overview of the data-related roles and responsibilities when you’ve chosen Waylay as your IoT orchestration platform and will explain Waylay’s efforts to live up to the values and requirements of the GDPR.


GDPR makes a clear and important distinction between two types of responsibility levels of organisations handling personal data of EU data subjects: the responsibilities of the data controller and those of the data processor.

Simply put, in our case, Waylay acts as data controller when it comes to personal data of you as our customer and as a data processor when it comes to personal data of your end users that you manage using the Waylay application.


Waylay has the capability to persistently store sensor data in resources 1 and associate metadata with that. In some cases, you may decide to associate an individual person’s name and/or other personal data with the metadata, in which case the corresponding resources and their metadata is data that can personally identify natural persons. This is considered data from your data subjects, and you are considered the data controller for this personal data. In our Terms of Use and Privacy Policy, we refer to this data as Personal Data. Personal Data is part of the overall Customer Data that you supply to the Waylay platform.

Using the Waylay application to manage data about your customers means that you have engaged Waylay as a data processor to carry out certain processing activities on your behalf.

According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same Article).

This is where our Terms of Use and Privacy Policy come in.

These two documents also serve as your data processing contract, setting out the instructions that you are giving to Waylay with regard to processing the personal data you control and establishing the rights and responsibilities of both parties, unless there is a specific data processing contract in place with more detailed instructions. Waylay will only process your Customer Data based on your instructions as the data controller.

[1 — It is also possible to persistently store other time series data e.g. weather forecast data retrieved via an API service on the Internet.]


Waylay acts as the data controller for the personal data we collect about you and/or the users that manage the Waylay application, the user/admin of the Waylay application and admin console. Examples of such information include your name, email address, phone number, credit card info, etc.

Collecting and processing this data is necessary for us to perform our contract with you (GDPR Article 6(1)(b)) and to to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.

As the controller for your personal data, Waylay is committed to respect all your rights under the GDPR. If you have any questions or feedback, please reach out to our Data Protection Officer by email at [email protected].


One topic that often comes up with customers is data transfers to third-party processors – any other company other than Waylay, that we transfer your personal data to or the personal data of the users that you manage through the Waylay application. Some of these suppliers may be based outside of the EEA. We are keeping a full up-to-date list of sub-processors (regardless of where they are based) in our Terms of Use to be fully transparent about these transfers as well as the country in which these sub-processors process the data. For sub-processors located outside of the EEA, we make sure that our third-party service providers have either certified under the EU-US Privacy Shield framework or signed the EU Commission’s standard contractual clauses for data transfers with us.


As a company founded and headquartered in Europe, Waylay has been closely following the updates on EU data privacy regulations and is very familiar with the implications that the new EU General Data Protection Regulation has for businesses worldwide.

We take the privacy needs of Waylay users and of their customers very seriously and, as such, have implemented — and will continue to improve — technical and organizational measures in line with the GDPR to safeguard the personal data processed by Waylay.

We have put all processes in place to make sure you can always access and control your data

Ownership over your own personal data is a fundamental concept promoted by the GDPR, which Waylay fully supports and stands by. This is why for data where we act as data controller we have made sure to have the proper processes in place to respond to your request as a data subject to delete, modify, or transfer your data. You will always be in charge of what personal data we collect, store and process and we make sure that you always have a handy and clear way of submitting personal-data requests.

An important thing to stress here is that we have no direct relationship with your customers so we do not process any such requests from them. It is your responsibility to make sure you have all the processes in place for such requests coming from data subjects for whom you act as data controller.

We maintain updated data documentation, train our staff and impose confidentiality agreements

Our Terms of Use Terms and Privacy Policy are constantly being revised to increase transparency and to make sure the documents meet GDPR requirements. As these are the basis for our relationship for you, it is very important for us to comprehensively and openly explain our commitments and your rights in these documents.

It is important to note here that all Waylay employees and team members are bound by strict confidentiality agreements and extensive training efforts are made within the company so that the GDPR compliant processes we’ve put in place are followed. Sessions on data privacy and security are an integral part of our onboarding process and each department receives training that is tailored to their work involving personal data.


We hope that this article was useful to understand where all parties involved stand when it comes to handling personal data of EU data subjects when using the Waylay application. If you have any questions with regard to any of the above, you’re welcome to reach out to us at [email protected] and we’ll do our best to help out.

We believe that a new era of handling personal data begins with the GDPR coming into force and that data companies such as Waylay will have a prime role not only in ensuring legal, transparent and ethical use of personal data but also in contributing to making our software-driven future world a safer place for all.