The notice states that EU, UK, and California users are provided with specific data subject rights including access, deletion, correction, and portability, with request mechanisms described in the notice and linked sub-notices.
This analysis describes what Smartsheet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the data subject rights framework applicable to EU, UK, and California users, determining the procedural mechanisms and timelines through which users may exercise rights under GDPR, UK GDPR, and CCPA, and the obligations Smartsheet bears in responding to those requests.
Interpretive note: The specific procedural mechanisms and timelines for data subject rights requests are described in linked sub-notices rather than the main notice text, so the full operational detail cannot be confirmed from the main document alone.
The updated privacy policy states that only Smartsheet's U.S.-based affiliates participate in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework. Previously, the policy referenced participation by Smartsheet and its affiliates without geographic qualification. This narrowed scope may affect the data transfer mechanisms available for processing personal data from EU, UK, and Swiss users if non-U.S. affiliates are involved in data handling. The policy does not explicitly describe alternative transfer mechanisms for non-U.S. affiliates.
View change record →Detailed CCPA/CPRA and GDPR rights provisions were consolidated and replaced with a generic reference to the layered privacy notice structure that purportedly describes these rights separately.
View full change record →Under these terms, EU, UK, and California users may submit requests to access, delete, correct, or port their personal data through mechanisms described in the notice, with Smartsheet obligated to respond within timeframes established by applicable law. Users in other jurisdictions may have more limited statutory rights depending on local law.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
Depending on your location, you may have certain rights regarding your personal data, including the right to access, correct, delete, or port your data. EU and UK users may also have the right to object to or restrict certain processing. California residents may have the right to know, delete, corre...
Monitoring
Smartsheet has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"The Smartsheet Privacy Notice ("Privacy Notice") consists of this page and the specific notices which describe how we collect, use, and share personal data and explain your related rights and choices.— Excerpt from Smartsheet's Smartsheet Privacy Policy
1. REGULATORY LANDSCAPE: Data subject rights are established under GDPR Articles 15 through 22 for EU and EEA users, UK GDPR equivalents for UK users, and CCPA and CPRA for California residents. Enforcement authorities include EU data protection authorities, the UK ICO, and the California Privacy Protection Agency. Response timelines are specified by applicable law (30 days under GDPR, 45 days under CCPA with possible extensions) and must be operationally implemented. 2. GOVERNANCE EXPOSURE: Medium. Failure to respond to data subject rights requests within legally mandated timelines is a documented source of regulatory action under GDPR. Compliance teams should verify that intake, routing, and fulfilment workflows are operationally functional for all applicable request types across both controller and processor scenarios. 3. JURISDICTION FLAGS: EU and EEA users have the broadest rights under GDPR. California residents have statutory rights under CCPA and CPRA including opt-out of sale and sharing. Additional US state privacy laws in Virginia, Colorado, Connecticut, and other jurisdictions may create similar rights obligations for Smartsheet depending on the user population served. 4. CONTRACT AND VENDOR IMPLICATIONS: Where Smartsheet acts as a data processor for enterprise customers, data subject rights requests directed to Smartsheet may need to be routed to the relevant enterprise customer controller. Enterprise agreements should specify the workflow for handling such requests, including timelines and responsibilities. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should audit the operational intake and fulfilment process for data subject rights requests, confirm that requests submitted through all disclosed channels (web form, email) are captured and tracked, verify that response timelines meet applicable legal requirements, and document the process for requests that fall within the processor scenario where the enterprise customer is the controller.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the data subject rights framework applicable to EU, UK, and California users, determining the procedural mechanisms and timelines through which users may exercise rights under GDPR, UK GDPR, and CCPA, and the obligations Smartsheet bears in responding to those requests.
Under these terms, EU, UK, and California users may submit requests to access, delete, correct, or port their personal data through mechanisms described in the notice, with Smartsheet obligated to respond within timeframes established by applicable law. Users in other jurisdictions may have more limited statutory rights depending on local law.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Smartsheet.