What is GDPR
The GDPR is a European Union (EU) privacy law that will affect businesses around the world when it becomes enforceable on May 25, 2018. It regulates how any organization that is subject to the Regulation treats or uses the personal data of people located in the EU. Personal data is any piece of data that, used alone or with other data, could identify a person. If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you’ll need to comply with the GDPR.
You can read the full text of the GDPR here.
GDPR Compliance and Scope
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses that 1) market their products to people in the EU or 2) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
Our Commitment to Comply with the GDPR
We are fully committed to upholding the privacy and rights of our customers and their end users. By default, the push notification technology does not involve direct personal user data, but it can identify a particular browser instance. We have improved anonymity within our analytics tools. We’re also working on interfaces that will allow you to address requests from your customers related to their rights to access any personal data that might be stored in your ChirpyWeb account.
Opt-in and Consent for Website Push Notifications
Unlike e-mails or phone numbers, push notifications are a direct channel that serves the narrower purpose of enabling communication between a website and a website visitor who has subscribed to push notifications. The message is clearly conveyed in our Custom Permission Dialog.
Our customers, as the data controllers, must implement their integration with the ChirpyWeb platform with the legally appropriate level of consent enabled. Since consent under the GDPR must be freely given by an affirmative act that is specific, informed and unambiguous, if consent is the basis for lawful processing, a separate opt-in notice and consent for each specific channel is required. Also, the individual has to be able to easily withdraw their consent at any time.
Legitimate interest is another basis for lawful processing under the GDPR. If you process personal data based on a legitimate business interest, then you need to balance those business interests against the right of the EU individual to not have you process their personal data.
Data Processing Addendum (DPA)
As ChirpyWeb is a Data Processor, our customers should have a Data Processing Addendum with us. We have a GDPR-compliant DPA that our customers can sign upon request. Among other things, our DPA includes a list of sub-processors for personal data and details our breach notification procedures, SLAs and governance measures. If you are a ChirpyWeb customer, please contact us at [email protected]
Our updated policy outlines our commitment to maintaining the privacy of our customers’ personal data. It also explains what we have done to make sure our customers’ personal data is secure and how the stored data is used. Please read it here.
The Data Rights of End Users and Our Customers (Data Subjects)
Our customers and their end users can request to access, correct, and modify their personal data stored on Push Monkey. End users can also contact us at [email protected] if they would like to access, correct, or remove their personal data. As a Processor, we will forward these requests to the relevant customers and help them respond.