Prefinery & the GDPR
Last revised: February 6, 2018
In keeping with our ongoing commitment to privacy and security, Prefinery will be ready for the GDPR before May 25, 2018, when the law goes into effect.
What is GDPR?
The General Data Protection Act (GDPR) is being introduced by the European Union to regulate how personal data can be processed. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data.
The GDPR will replace a prior European Union privacy directive known as Directive 95/46/EC (the "Directive"), which has been the basis of European data protection law since 1995.
When does it come into effect?
The GDPR was adopted in April 2016, but will officially be enforceable beginning on May 25, 2018.
Who does it affect?
The scope of the GDPR is very broad. The GDPR will affect (1) all organizations established in the EU, and (2) all organizations involved in processing personal data of EU citizens. The latter is the GDPR's introduction of the principle of “extraterritoriality”; meaning, the GDPR will apply to any organization processing personal data of EU citizens—regardless of where it is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors.
What is "Privacy Shield" and how is that related to GDPR?
The Privacy Shield, as stated at https://www.privacyshield.gov/welcome is a privacy framework "designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce."
It is important for third party data processors in the US to be Privacy Shield compliant. GDPR permits data transfers to countries that have been deemed to have adequate data protection laws. The US's privacy protection laws generally do not meet the standards; being certified under Privacy Shield is a means for a company to contractually agree to meet applicable privacy regulations.
Prefinery has self-certified to both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield regime, and lawfully transfers EU/EEA personal data to the U.S. pursuant to our Privacy Shield Certification. It should be noted that Privacy Shield certified companies like Prefinery will automatically be agreeing to GDPR as of May 25, 2018 through such certification.
What is considered "personal data"?
Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Personal data will now include not only data that is commonly considered to be personal in nature (e.g., email addresses, names, physical addresses, social security numbers), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. This means that, for Prefinery customers, at least a majority of the information that you collect about your end-users will be considered personal data under the GDPR. It's also important to note that even personal data that has been "pseudonymized" can be considered personal data if the pseudonym can be linked to any particular individual.
Sensitive personal data, such as health information or information that reveals a person's racial or ethnic origin, will require even greater protection. You should not store data of this nature within your Prefinery account.
What does it mean to "process" data?
Per the GDPR, processing is "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing EU personal data within the meaning prescribed by the GDPR. This means, for example, that if any of your Prefinery projects contains the email address, name, or other personal data of any EU citizen, then you are processing EU personal data under the GDPR.
Who is the "controller" and who is the "processor"?
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in.
Data controllers are companies that supply goods or services to EU residents, or that track or monitor EU residents and decide why and how data is collected and processed.
Data processors are vendors or businesses that process data on behalf of data controllers. As a customer data platform, Prefinery is considered a data processor. We will be ready for the GDPR as both a data controller and when acting as a data processor on your behalf.
In the context of the Prefinery application and our related services, in the majority of circumstances, as one of our customers, you are acting as the data controller. Our customers, for example, decide what information from their end-users is uploaded or transferred into their Prefinery account and direct Prefinery, through our application or API, to send emails to certain end-users. Prefinery is acting as a processor by performing these and other services for our customers.
As a data controller, you retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities). Additionally, you are required to only work with compliant data processors.
How is the GDPR different from the Directive? How are obligations changing?
While the GDPR preserves many principles established by the Directive, it introduces several important and ambitious changes. Here are a few that we believe are particularly relevant to Prefinery and our customers:
- Expansion of scope: As mentioned above, the GDPR applies to all organizations established in the EU or processing data of EU citizens, thus introducing the concept of extraterritoriality, and broadening the scope of EU data protection law well beyond the borders of just the EU.
- Expansion of definitions of personal and sensitive data, as described above.
Expansion of individual rights: EU citizens will have several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. You must ensure that you can accommodate these rights if you are processing the personal data of EU citizens.
- Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
- Right to object: An individual may prohibit certain data uses.
- Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
- Right of access: Individuals have the right to know what data about them is being processed and how.
- Right of portability: Individuals may request that personal data held by one organization be transported to another.
Stricter consent requirements: Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR's strict new requirements. You will need to obtain consent from your end-users for every usage of their personal data, unless you can rely on a separate legal basis, such as those found in number 5 below. The surest route to compliance is to obtain explicit consent. Keep in mind that:
- Consent must be specific to distinct purposes.
- Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use and management of their personal data.
- Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
Stricter processing requirements: Individuals have the right to receive "fair and transparent" information about the processing of their personal data, including:
- Contact details for the data controller, which we will explain in more detail below.
- Purpose of the data: This should be as specific ("purpose limitation") and minimized ("data minimization") as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
- Retention period: This should be as short as possible ("storage limitation").
- Legal basis: You cannot process personal data just because you want to. You must have a "legal basis" for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements above), or the processing is in the organization's "legitimate interest."
There are many other principles and requirements introduced by the GDPR, so it is important to review the GDPR in its entirety to ensure that you have a full understanding of its requirements and how they may apply to you.
Does the GDPR say anything about cross-border data transfers?
Yes, the GDPR contains provisions that address the transfer of personal data from EU member states to third-party countries, such as the United States. The GDPR's provisions regarding cross-border data transfers, however, do not radically differ from the provisions in place under the Directive. The GDPR, like the Directive, does not contain any specific requirement that the personal data of EU citizens be stored only in EU member states. Rather, the GDPR requires that certain conditions be met before personal data is transferred outside the EU, identifying a number of different legal grounds that organizations can rely on to perform cross-border data transfers.
One legal ground for transferring personal data set out in the GDPR is an "adequacy decision." An adequacy decision is a decision by the European Commission that an adequate level of protection exists for the personal data in the country, territory, or organization where it is being transferred. The Privacy Shield framework constitutes one such example of an adequacy decision. Prefinery participates in and has certified its compliance to the Privacy Shield framework, and we are committed to treating all personal data received from EU member countries in accordance with the Privacy Shield framework's applicable principles.
What does this mean for you? Generally speaking, it means we expect that Prefinery's EU customers will be able to continue to rely on Prefinery's Privacy Shield certification in order to transfer their lawfully obtained personal data to Prefinery under the GDPR.
Do you need to comply with the GDPR?
You should consult with legal and other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however, if you are an organization that is organized in the EU or one that is processing the personal data of EU citizens, the GDPR will apply to you. Even if all that you are doing is collecting or storing email addresses, if those email addresses belong to EU citizens, the GDPR likely applies to you.
What happens if you do not comply?
Non-compliance with the GDPR can result in enormous financial penalties. Sanctions for non-compliance can be as high as 20 Million Euros or 4% of global annual turnover, whichever is higher.
Will Prefinery comply with the GDPR?
Prefinery is excited about the GDPR and the strong data privacy and security principles that it emphasizes, many of which Prefinery instituted long before the GDPR was enacted. At Prefinery, we believe that the GDPR is an important milestone in the data privacy landscape, and we are committed to achieving compliance with the GDPR on or before May 25, 2018.
As part of Prefinery's GDPR preparation we are reviewing (and updating where necessary) all of our internal processes, procedures, data systems, and documentation to ensure that we are ready when the GDPR goes into effect. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our customers. We are, among other things:
- Updating our Data Processing Agreement to meet the requirements of the GDPR in order to permit you to continue to lawfully transfer EU personal data to Prefinery and permit Prefinery to continue to lawfully receive and process that data;
- Updating our third-party vendor contracts to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data;
- Analyzing all of our current features to determine whether any improvements or additions can be made to make them more efficient for those customers and users subject to the GDPR;
- Evaluating potential new GDPR-friendly features to add to our application.
In addition, we will be prepared to address any requests made by our customers related to their expanded individual rights under the GDPR:
- Right to be forgotten: You may terminate your Prefinery account at any time, in which case we will permanently delete your account and all data associated with it.
- Right of portability: We will export your account data to a third party at any time upon your request.
How can Prefinery assist in your GDPR compliance efforts?
Prefinery can help you promptly respond to requests from your end-users pursuant to their expanded individual rights under the GDPR.
- Right to be forgotten: You may delete individual end-users upon their request at any time. In addition, as described below, individual end-users may contact Prefinery directly to request deletion of their data from individual Prefinery customers' accounts or across multiple Prefinery customers' accounts. It is important to remember that Prefinery projects work independently of each other, and deleting a end-user from one project does not ensure that same email address will also be deleted from other projects where it may be present.
- Right of portability: You may export any of your projects, or selected end-users within any project, at any time by accessing your Prefinery account.
You must lawfully obtain and process email addresses and other personal data from your end-users.
The personal data of your end-users may be collected and transferred to Prefinery via pop-up and embedded forms made available in our application and designed by you. Additionally, personal data of your end-users may be transfered by you to Prefinery via API.
- You should carefully design any forms to make sure that language is clear, specific, and covers all possible reasons for using the information being solicited. Be very specific about the intended use of the information you are collecting.
- While the information you collect via these forms is presumably being transferred to Prefinery, it is your responsibility to ensure that you obtain consent from your customers and contacts to send their information to Prefinery for processing, so you should ensure that all of your pop-up windows, forms, etc. include language that provides this consent.
- We suggest selecting double opt-in for sign-ups. Note that this may not be the default setting.
The ability of your end-users to withdraw consent or change preferences should be easily accessible.
- An "unsubscribe" option is automatically included in the footer of every email sent through Prefinery. This allows any recipient to easily unsubscribe from your Prefinery project, thereby helping you comply with your GDPR obligations when a end-user withdraws his or her consent to receive emails.
- Make sure that you are frequently updating any information stored within your Prefinery account that relates to your end-users, such as name and contact information, when requested to do so by a end-user.
- You should also ensure that you are keeping accurate records, especially of your end-users' consent permitting you to send them emails, store and use their personal data, and any other processing activities which you are undertaking. Prefinery can help you obtain proof of consent and will store a record of your end-users' consent in your Prefinery account. When you use a Prefinery signup form to add end-users to your account, Prefinery records the email address, IP address, and timestamp associated with every end-user who completes and submits the form, providing you with easy-to-access proof of consent.
- Keep in mind that any consent you obtain from your end-users must comply with the GDPR requirements, irrespective of when that consent was obtained. However, Recital 171 of the GDPR indicates that you may continue to rely on any existing consent which meets the GDPR standards for consent. This means that it is not necessary to re-request consent from your end-users when the GDPR goes into effect so long as you met all of the requirements of the GDPR when you initially obtained consent. We recommend consulting with local counsel to determine if consents obtained prior to the GDPR comply with its requirements, or whether you should instead contact your end-users to re-request consent in accordance with the GDPR requirements, or rely on a different lawful basis for your processing under the GDPR.
You should review any Prefinery integrations or add-ons that you are using (or plan to use), and any terms associated with those, to ensure that you have adequately disclosed potential data processing activities associated with your use of those services to your end-users. For example:
- FullContact, Inc. ("FullContact"): Prefinery uses third-party services provided by FullContact to enable you to retrieve publicly-available information about end-users including without limitation social media information, profile information, gender, company, job titles, photos, physical addresses, and website URLs based on end-users' email addresses. You may opt out of having end-users' email addresses sent to FullContact by disabling the "Magic Profiles" feature from the Project Settings page within your Prefinery account.
- MaxMind, Inc. ("MaxMind"): Prefinery uses third-party services provided by MaxMind to enable you to retrieve publicly-available location information about end-users including city, state/region, postal code and country based on an end-users' IP addresses. You may opt out of having end-users' IP addresses sent to MaxMind by disabling the "IP Address Geolocation" feature from the Project Settings page within your Prefinery account.
- Wildbit, LLC ("Postmark"): Prefinery does not own or operate its own e-mail servers but instead uses third-party services provided by Postmark to process and deliver all e-mail. You may opt-out of sending personal data to Postmark by configuring Prefinery to use a Custom SMTP Server from the Project Settings page within your Prefinery account.
- The Rocket Science Group, LLC ("MailChimp"): You may opt-out of sending personal data to MailChimp by not enabling the MailChimp integration from within your Prefinery account. This integration is disabled by default.
- Zapier, Inc. ("Zapier"): You may opt-out of sending personal data to Zapier by not enabling the Zapier integration from within your Prefinery account. This integration is disabled by default.
- Stripe Payments Europe, Ltd. ("Stripe"): You may opt-out of sending personal data to Stripe by not enabling the Stripe integration from within your Prefinery account. This integration is disabled by default.
- You should review the privacy statement and practices applicable to your organization and ensure that they provide proper notice that the personal data of your end-users will be transferred to Prefinery and processed by Prefinery. For example, you may want to consider updating your privacy statement to include language that specifically identifies Prefinery as one of your processors and delineates the applicable processing activities performed by Prefinery, such as the collection (e.g., via sign-up forms) and storage of personal data (e.g., within your Prefinery account in order to allow you to create and use distribution lists and send transactional email messages), and the transfer of personal data to certain Prefinery sub-processors.
If you have specific questions about the GDPR and your use of Prefinery, you can email firstname.lastname@example.org.
DISCLAIMER: The above FAQ is meant as a general set of questions and answers and is not advice and cannot be relied upon for any legal purpose. You must consult your own professional advisors for your specific facts and circumstances before taking, or refraining from taking, any particular course of conduct. The above FAQ is not an amendment or supplement to any agreement between Prefinery and you.