Follow

General Data Privacy Regulation ("GDPR") FAQ

General Data Privacy Regulation (“GDPR”) FAQ

Please note that the below FAQ is only meant as a helpful guide and while some sections have been copied from the regulation this is not meant to be an exhaustive listing of obligations or requirements under GDPR, nor is the below legal advice. Please consult with your legal team to understand the implications of GDPR to your business.  

List of Questions Covered (click the below link to skip to the appropriate section)

What is GDPR?

Does GDPR apply to my business?

What are my responsibilities as a Controller?

Who is Responsible for Obtaining Consent?

How Does the Provision of WhatCounts Services Fit Into GDPR?

What is Automated Decision Making and How Does That Relate to WhatCounts?

What is a Data Processing Agreement (“DPA”)?

Why Do I need to sign the DPA?

Does WhatCounts Provide any Opt-In Templates?

How Can we Determine if a Customer or Subscriber Resides in the EU?

 

What is GDPR?

GDPR is the European Union’s new data privacy regulations that go into effect May 25, 2018.  Under GDPR, Companies who collect data (“Controller”) and companies who process data (“Processor”) are required to implement processes and safeguards to protect and transfer the personal data of European Citizens (“data subjects”).   Personal data per GDPR is defined as follows:

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); and identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Does GDPR apply to my business?

Article 3 of the regulation defines territorial scope.  Article 3 states the following:

  1. This regulation applies to the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the Union, regardless of whether the processing takes place in the Union or not.

  2. This regulation applies to the processing of personal data of data subjects who are in the Union by a Controller or Processor not established in the Union, where processing activities are related to:

    1. Offering of goods and services, irrespective of whether a payment of the data subject is required, to such data subject in the Union; or

    2. The monitoring of their behavior as far as their behavior takes place within the Union.  

  3. This Regulation applies to the processing of personal data by a Controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Plain English: The regulations apply to data subjects and their activities in the Union or Member States.

 

What are my responsibilities as a Controller?

Article 5 and Article 24 under GDPR defines a Controller’s obligations in response to personal data:

  1. Processed lawfully and in a transparent manner (refer to Article 6 for more information).

  2. Collected for a specific, explicit, and legitimate purpose and not processed in a manner that is incompatible with those purposes.

  3. Adequate, relevant and limited to what is necessary in relation to the purpose for which it was processed (‘data minimisation’).

  4. Accurate, and where necessary, kept up to date; every reasonable step must be taken to ensure personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).

  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidence’)

GDPR provides a Data Subject certain rights in regards to their data:

  1. Right of Access (Article 15) - The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and the following information:

    1. Purpose of processing

    2. Categories of personal data

    3. The recipients or categories of recipients to whom the personal data have been or will be disclosed

    4. The envisaged period for which the personal data will be stored and the criteria used to determine that period

    5. The existence of the right to request from the Controller rectification or erasure of personal data

    6. The right to lodge a compliance with a supervisory authority

    7. Where personal data are no collected from the data subject, any available information as to their source.

    8. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.  

    9. Where personal data has been transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards.

  2. Right to Rectification (Article 16) - The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her.  The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement

  3. Right to Erasure (‘Right to be Forgotten’) (Article 17) - The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

    1. The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    2. The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no legal grounds for processing;

    3. The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for processing, or the data subject objects ot the processing pursuant to ARticle 21(2)

    4. The personal data have been unlawfully processed;

    5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject

    6. The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

  4. Right to restriction of Processing (Article 18) - The data subject shall have the right to obtain from the Controller restrictions of processing where (1) accuracy is contested by the data subject, (2) the processing is unlawful, (3) the Controller no longer needs the personal data for purposes of processing, (4) The data subject has objected to the processing.

  5. Right to data portability (Article 20) - The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided where: (1) processing is based on consent, (2) the processing is carried out by automated means.  

  6. Right to Object (Article 21) - The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling and direct marketing.  

Communication obligation (Article 19)The Controller shall be required to communicate any rectification or erasure of personal data or restriction of processing to each recipient whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

Note on processing of special categories of personal data:  Processing of personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited, unless explicit consent for processing the specific category of data is given or the data has been manifestly made public by the data subject.

 

Who is Responsible for Obtaining Consent?

You, as the Controller, are responsible for obtaining consent. GDPR covers several items related to procuring consent in Article 7-10:

  1. Consent shall be clearly distinguishable from other matters, in an intelligent and easy to read form, using clear and plain language, and freely given (consent requiring an action on the part of the data subject).

  2. The data subject will have the right to withdraw their consent at any time…”it should be as easy to withdraw consent as it is to give it.”

  3. For consent for those under 16 years old, parental consent is required.  Refer to Article 8 for more information.

 

How Does the Provision of WhatCounts Services Fit Into GDPR?

In the context of your relationship with WhatCounts, you are the Controller, as you collect the data on your customers, and WhatCounts is the Processor, as you provide that data to us to make predictions, create segments, and automate campaigns.  Article 28 under GDPR covers the obligations of a Processor, which are:

  1. We have to continue to make sure your customers’ personally identifiable information (“PII”) is safe, secure, and reportable. We will maintain an audit trail for our customers of how we’ve processed the data entrusted to us.

  2. We can’t engage another company to process our customer’s PII, unless we get their permission first.

  3. We take your personal data seriously and can only process it within the terms of our Agreement and under obligations of confidentiality.

 

What is Automated Decision Making and How Does That Relate to WhatCounts?

‘Profiling’ is defined under GDPR as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

WhatCount’s Services (as defined per the Terms of Use) apply data science to order data, behavioral and tracking data, and other custom data as provided by the Controller to predict, segment, and analyze information to best help Controllers send relevant and targeted communication.  The Data Processing Agreement between us defines how we process based on the instructions you, as the Controller, provide to us in the Data Processing Agreement.

 

What is a Data Processing Agreement (“DPA”)?

Below are some of the important sections (paraphrased) to get you acquainted with the language and scope of the DPA:  

  1. The DPA defines the relationship between you, the “Data Controller,” and us, the “Data Processor,” and provides the framework for how we utilize personal data from EU data subjects.

    • Plain English: As the Controller, you make decisions about what data you make available to us and what we do with the data.  You take responsibility for the quality and accuracy of the data, and you are responsible for getting your customer’s consent to collect their data and give it to us to use. As the Processor, we take responsibility for protecting the data you make available to us and using it only according to your instructions and for the purposes defined in the Agreement between us.

  2. The DPA documents the Controller’s instructions on how the Processor uses the data in accordance with the existing Agreement between the parties.

    • Plain English: This allows us to provide the services you partnered with us to receive and lets you know that we can’t do anything with the data without your direction.

  3. The DPA covers how the Processor will assist the Controller in handling the data subject’s request to restrict, erase, rectify, or access their data.

    • Plain English: The data subject request is between you and your customers. Once you receive a request and give us instructions, through the approved channels, to access, edit, or remove, we will confirm that we have complied with your instructions.

  4. The DPA defines how personal data of data subjects are transferred, if necessary, outside of the European economic area.  

    • Plain English: We, the Processor, have to notify you, the Controller, and get approval from you in the event we transfer personal data of an EU data subject outside of the EEA and provides frameworks, such as the EU-US Privacy Shield, for a given transfer.

  5. The DPA covers the appointment and notification process of 3rd party sub-processors.

    • Plain English: If we outsource any portion of our service that interacts with EU data subjects’ personal data, we need to notify you and obtain your approval.

  6. The DPA defines how the processor shall maintain or implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data. It also covers notification and obligations for when a data breach occurs.

    • Plain English: It’s our job to ensure proper security over the personal data we process and to notify you if a breach of security occurs surrounding the personal data.

 

Why Do I need to sign the DPA?

As the Controller of personal data you are responsible for the collection and processing of that data.  To ensure that the data related to data subjects is processed according to GDPR, the DPA is created to 1) provide us instructions to only process the data in accordance with the regulations, 2) inform how we are to transfer the data, 3) ensure we have proper technical safeguards in place, 4) give a clear understanding of how to process the rights of a data subject in our relationship.  It’s a safe bet to sign the document even if it doesn’t currently apply to your business as it is often challenging to determine whether a customer of yours opens an email, purchases, or browses your website from the European economic area.The DPA is in line with the Terms of Use all WhatCounts clients already agreed to. Our Clients are responsible for the data collection including customer opt-in before making them available to us through datafeed, API, or plugin. We securely process the data and then create the communication requests to our Client's ESP or omnichannel partner.

Does WhatCounts Provide any Opt-in Templates?

Many companies are sending opt-in emails (we're one of them). We are not able to provide a template.

 

How Can we Determine if a Customer or Subscriber Resides in the EU?

Nobody in the industry has a way to do this reliably. GDPR applies to anyone who is in the EU.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk