GDPR
MHSB is committed to protecting the privacy and rights of individuals in the European Economic Area. This page explains how we comply with the General Data Protection Regulation (GDPR) and how we protect the rights of EU data subjects.
Last updated: March 26, 2026
Our Commitment to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations that process the personal data of individuals in the European Economic Area (EEA). Although MHSB is based in the United States, we recognize the importance of GDPR and are committed to upholding its principles when we process the personal data of EEA residents.
We have implemented policies, procedures, and technical measures to ensure that personal data is processed lawfully, fairly, and transparently. Our commitment extends to every phase of our engagement with clients, from initial contact through project completion and ongoing support.
Data Controller Information
For the purposes of GDPR, the data controller responsible for the personal data collected through this website and in connection with our services is:
- Company: MHSB
- Address: 815 Edwards Road, Suite 69, Greenville, SC 29615, United States
- Email: info@mhsbsolutions.com
- Phone: (864) 448-6974
When MHSB processes personal data on behalf of a client (for example, during a Lawmatics CRM implementation or data migration), the client acts as the data controller and MHSB acts as a data processor. In such cases, processing is governed by a data processing agreement between MHSB and the client.
Lawful Bases for Processing
Under GDPR, we must have a lawful basis for processing personal data. Depending on the context, we rely on the following lawful bases:
- Contractual Necessity: We process personal data when it is necessary to perform a contract with you or to take steps at your request before entering into a contract. This includes processing data to deliver our Lawmatics implementation services, respond to service inquiries, and manage client engagements.
- Legitimate Interests: We process personal data when it is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. Examples include improving our services, analyzing website usage, ensuring network security, and communicating with prospective clients.
- Consent: Where required, we obtain your explicit consent before processing personal data. This applies to activities such as subscribing to our newsletter or opting into marketing communications. You may withdraw consent at any time by contacting us or using the unsubscribe link in our emails.
- Legal Obligation: We process personal data when it is necessary to comply with a legal obligation, such as tax reporting, record-keeping requirements, or responding to lawful government requests.
Data Subject Rights
If you are an individual in the EEA, GDPR provides you with the following rights regarding your personal data. We are committed to honoring these rights promptly and transparently:
- Right of Access: You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed. We will provide this information in a commonly used electronic format within thirty (30) days of your request.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data. If we have shared the data with third parties, we will notify them of the correction where feasible.
- Right to Erasure: You have the right to request deletion of your personal data when it is no longer necessary for the purpose for which it was collected, you withdraw consent, or the data has been unlawfully processed. Certain exceptions apply, such as when retention is required by law or for the establishment, exercise, or defense of legal claims.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller without hindrance, where processing is based on consent or contractual necessity and is carried out by automated means.
- Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests. While processing is restricted, we will store the data but not process it further without your consent, except for legal claims or the protection of another person's rights.
- Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose immediately. For objections based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.
To exercise any of these rights, please contact us using the information provided in the Contact section below. We may ask you to verify your identity before processing your request.
International Transfers
As MHSB is based in the United States, personal data collected from individuals in the EEA may be transferred to and processed in the United States, where data protection laws may differ from those in the EEA. We take appropriate measures to ensure that such transfers comply with GDPR requirements, including:
- Relying on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data to countries that have not received an adequacy decision.
- Implementing supplementary technical and organizational measures where necessary to ensure an adequate level of protection.
- Ensuring that any third-party service providers who receive personal data from the EEA are bound by appropriate data protection obligations.
Data Processing Agreements
When MHSB acts as a data processor on behalf of a client, we enter into a Data Processing Agreement (DPA) that meets the requirements of GDPR Article 28. Our DPAs include provisions addressing:
- The subject matter, duration, nature, and purpose of the processing.
- The categories of personal data and data subjects involved.
- The obligations and rights of the data controller.
- Confidentiality obligations for personnel authorized to process personal data.
- Technical and organizational measures to ensure appropriate security.
- Conditions for engaging sub-processors, including prior written authorization.
- Assistance with data subject rights requests and security incident notifications.
- Data deletion or return upon termination of the processing relationship.
If you are a client and require a DPA for your engagement with MHSB, please contact us at info@mhsbsolutions.com.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including compliance with legal, accounting, or reporting requirements. Our retention periods are determined based on:
- The nature and sensitivity of the personal data.
- The potential risk of harm from unauthorized use or disclosure.
- The purposes for which we process the data and whether those purposes can be achieved through other means.
- Applicable legal, regulatory, or contractual retention requirements.
When personal data is no longer required, it is securely deleted or anonymized in accordance with our data handling practices. For data processed on behalf of clients in a data processor capacity, retention is governed by the terms of the applicable Data Processing Agreement.
Supervisory Authority
If you are located in the EEA and believe that our processing of your personal data does not comply with GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can address your concerns directly.
Contact Us for GDPR Requests
To exercise your data subject rights, request a Data Processing Agreement, or ask questions about our GDPR compliance practices, contact us at:
- Email: info@mhsbsolutions.com
- Phone: (864) 448-6974
- Mail: MHSB, 815 Edwards Road, Suite 69, Greenville, SC 29615, United States
We aim to respond to all GDPR-related requests within thirty (30) days of receipt. If a request is particularly complex or we receive a large number of requests, we may extend this period by an additional sixty (60) days, in which case we will notify you of the extension and the reasons for it. You can also reach us through our contact page.