If you are in the EU or UK, you have the right to see, correct, delete, and move your personal data, and to object to certain uses of it. You can also complain to your national data protection authority if you believe your rights have been violated.
This analysis describes what Smartsheet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
These rights are enforceable under GDPR and UK GDPR, and Smartsheet's acknowledgment of them means EEA and UK users have formal legal mechanisms to challenge or limit data processing, including the right to file complaints with national regulators.
The updated privacy policy states that only Smartsheet's U.S.-based affiliates participate in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework. Previously, the policy referenced participation by Smartsheet and its affiliates without geographic qualification. This narrowed scope may affect the data transfer mechanisms available for processing personal data from EU, UK, and Swiss users if non-U.S. affiliates are involved in data handling. The policy does not explicitly describe alternative transfer mechanisms for non-U.S. affiliates.
EU and UK users can formally request access to, deletion of, or a copy of their personal data, and can object to Smartsheet processing their data based on legitimate interests, including for marketing purposes; these rights are exercisable through Smartsheet's privacy request form.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Monitoring
Smartsheet has changed this document before.
"If you are located in the EEA or UK, you may have the following rights under applicable data protection law: the right to access your personal data; the right to rectify inaccurate personal data; the right to erasure of your personal data; the right to restrict processing of your personal data; the right to data portability; the right to object to processing based on legitimate interests; and the right to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your relevant supervisory authority."
Excerpt from the Smartsheet Privacy Policy
(1) REGULATORY LANDSCAPE: This provision is governed by GDPR (Regulation 2016/679) and UK GDPR. Enforcement authorities are EU national data protection authorities and the UK Information Commissioner's Office. The rights enumerated correspond to GDPR Articles 15 through 21. Smartsheet's role as data controller for website and marketing data means it bears direct GDPR obligations for those processing activities; its role as processor for service data means enterprise customers bear controller obligations for that data.
(2) GOVERNANCE EXPOSURE: Medium. The enumeration of GDPR rights is standard for a GDPR-covered controller. Compliance exposure arises from the operational adequacy of Smartsheet's rights response processes, including response timelines (one month under GDPR), identity verification procedures, and the handling of complex requests such as portability for service data where Smartsheet acts as processor.
(3) JURISDICTION FLAGS: Applies to EEA member state residents and UK residents. Organizations headquartered in the EU or UK that use Smartsheet must ensure their DPA with Smartsheet addresses the controller's obligation to facilitate data subject rights requests that relate to processor-held data.
(4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in the EU and UK should ensure their Smartsheet DPA includes provisions requiring Smartsheet to assist with data subject rights requests as required by GDPR Article 28(3)(e). Without this, customers may face difficulty fulfilling their own GDPR obligations when employees submit rights requests.
(5) COMPLIANCE CONSIDERATIONS: EU and UK users should exercise their right to object to processing based on legitimate interests if they wish to limit marketing or analytics data use. Legal teams should confirm Smartsheet's DPA obligations for assisting with data subject rights and document their own procedures for handling requests redirected from Smartsheet for service data.
ConductAtlas has identified this type of provision across 5 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Smartsheet.