GDPR: The EU Data Protection Law
Updated 4 December, 2019
StealthEnomics™ has always made security and privacy among its highest priorities. That’s why we’ve committed not only to provide tools to facilitate your compliance with the GDPR, but to educate you on your responsibilities as a business owner. As the GDPR’s scope is broad, and the potential penalties for noncompliance are large, we’ve ensured that our tools are available to all of our customers, at no additional cost.
This page will outline some of the key GDPR principles and terms and present how they apply to your use of StealthEnomics™. Please review this carefully and share it with your privacy team with the legal documents listed below.
Disclaimer: This guide is not and should not be considered legal advice. Please consult a legal professional for details on how the GDPR may impact your business, and what you need for compliance.
SECTION 1 – GENERAL DATA PROTECTOIN REGULATION (“GDPR”)
The GDPR is a unified regulation that supersedes and universalizes previous privacy laws in Europe, offering citizens and residents of the European Union (EU) greater transparency and controls over how their personal data is used by others. The GDPR requires the compliance of businesses which transact in Europe, or which facilitate transaction in Europe.
SECTION 2 – CONTROLLERS AND PROCESSORS
There are two key roles defined in the GDPR with respect to personal data: Controller and Processor. The Controller is the business — you. As a customer of StealthEnomics™, you operate as the Controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed in a lawful manner pursuant to the GDPR and that you are using processors, such as StealthEnomics™, that are committed to handling the data in a compliant manner.
StealthEnomics™ is considered a Processor. We act on the instructions of the Controller (you), which come in the form of external (API) requests. Like Controllers, Processors have an obligation to explain what they do with personal data. However, as a Processor, we rely on you, the Controller of the data and our customer, to ensure that there is a lawful basis for processing.
Processors may, in the performance of their service, use other third-parties in the processing of personal data. These entities are known as sub-processors.
SECTION 3 – PROCESSING OF PERSONAL DATA
In order to process personal data, you need a lawful basis for processing. There are several methods to establish a lawful basis for GDPR compliance, but the most likely mechanisms you will rely on when communicating with your customers and leads is one of the following:
1. Consent – Much of the GDPR revolves around the concept that your leads and customers have consented to you collecting their personal data, to you using (e.g. processing) their data, or to receiving communications. According to the ICO, the following criteria must be met to show valid consent:11.
A. Consent must be freely given. This means giving people genuine, ongoing choice and control over how you use their data.
B. Consent should be obvious and require positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise, user-friendly, and easy to understand.
C. Consent must specifically cover the data Controller’s name, the purposes of the processing, and the types of processing activity.
D. Explicit consent must be expressly confirmed in words, rather than by any other positive action.
E. There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
In short, under the GDPR (and it’s a good idea in general), consent must be obtained by a “clear affirmative act”. In contrast to ‘clear affirmative acts’ pre-checked boxes or implicit consent are inadequate to establish consent.
If you are relying on consent as the lawful basis for processing data, the GDPR requires recorded evidence that consent has been given. You thus need in your business the ability to record proper consent for each customer and lead. When you enable the GDPR functionality in StealthEnomics™, you have the ability to obtain your lead’s consent at the point of opt-in, and that consent will be registered as a tag associated with that lead.
2. Contract – In addition to consent, another lawful basis for processing data is if the processing of personal data is necessary for the performance of a contract. Password reset, billing notifications, and onboarding communication would likely fall under this lawful basis. In other words, if its a customer who transacts with you, there are certain processing tasks that must be undertaken for your to provide the service. Likewise, to keeps its commitments under its EULA and provide service to you, StealthEnomics™ has to perform certain processing.