GDPR: The EU Data Protection Law
Learn about obligations under the GDPR, and how WebinarJam/EverWebinar is designed to help you achieve GDPR compliance.
Overview
WebinarJam/EverWebinar has always made security and privacy among its highest priorities. That's why we've committed not only to provide tools to facilitate your compliance with the GDPR but to educate you on your responsibilities as a business owner. As the GDPR's scope is broad, and the potential penalties for noncompliance are large, we've ensured that our tools are available to all of our customers, at no additional cost.
This page will outline some of the key GDPR principles and terms and present how they apply to your use of WebinarJam/EverWebinar. Please review this carefully and share it with your privacy team, along with the legal documents listed below.
Disclaimer: This guide is not and should not be considered legal advice. Please consult a legal professional for details on how the GDPR may impact your business, and what you need for compliance.
General Data Protection Regulation (“GDPR”)
The GDPR is a unified regulation that supersedes and universalizes previous privacy laws in Europe, offering citizens and residents of the European Union (EU) greater transparency and control over how their personal data is used by others. The GDPR requires the compliance of businesses which transact in Europe, or which facilitate transactions in Europe.
Controllers and Processors
There are two key roles defined in the GDPR with respect to personal data: Controller and Processor. The Controller is the business -- you. As a customer of WebinarJam/EverWebinar, you operate as the Controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed in a lawful manner pursuant to the GDPR and that you are using processors, such as WebinarJam/EverWebinar, that are committed to handling the data in a compliant manner.
WebinarJam/EverWebinar is considered a Processor. We act on the instructions of the Controller (you), which come in the form of requests made through WebinarJam/EverWebinar or external (API) requests. Like Controllers, Processors have an obligation to explain what they do with personal data. However, as a Processor, we rely on you, the Controller of the data and our customer, to ensure that there is a lawful basis for processing.
Processors may, in the performance of their service, use other third parties in the processing of personal data. These entities are known as sub-processors. For example, WebinarJam/EverWebinar leverages cloud infrastructure providers such as Amazon Web Services and Rackspace, as well as other online services such as SendGrid or Pusher.
With the implementation of the GDPR, we’re updating our privacy policy and End User License Agreements to include data processing sections that ensure that any business that requires a GDPR-compliant processor can use WebinarJam/EverWebinar.
Processing of Personal Data
In order to process personal data, you need a lawful basis for processing. There are several methods to establish a lawful basis for GDPR compliance, but the mechanisms you are most likely to rely on when communicating with your customers and leads are the following:
1. Consent – Much of the GDPR revolves around the concept that your leads and customers have consented to you collecting their personal data, to you using (i.e., processing) their data, or to receiving communications. According to the ICO, the following criteria must be met to show valid consent:
A. Consent must be freely given. This means giving people genuine, ongoing choice and control over how you use their data.
B. Consent should be obvious and require positive action to opt-in. Consent requests must be prominent, unbundled from other terms and conditions, concise, user-friendly, and easy to understand.
C. Consent must specifically cover the data Controller’s name, the purposes of the processing, and the types of the processing activity.
D. Explicit consent must be expressly confirmed in words, rather than by any other positive action.
E. There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
In short, under the GDPR (and it's a good idea in general), consent must be obtained by a “clear affirmative act”. In contrast to ‘clear affirmative acts’, pre-checked boxes or implicit consent are inadequate to establish consent.
If you are relying on consent as the lawful basis for processing data, the GDPR requires recorded evidence that consent has been given. You thus need, in your business, the ability to record proper consent for each customer and lead. When you enable the GDPR functionality in WebinarJam/EverWebinar, you have the ability to obtain your lead's consent at the point of opt-in, and that consent will be registered as a tag associated with that lead.
Note: WebinarJam/EverWebinar cannot control what you do with leads in an automated, API environment. You will need to ensure that when WebinarJam/EverWebinar is acting as a sub-processor, you use your main processor's tools to ensure you are compliant with the GDPR. (If your main processor is not GDPR compliant, that could be difficult.)
2. Contract – In addition to consent, another lawful basis for processing data is if the processing of personal data is necessary for the performance of a contract. Password reset, billing notifications, and onboarding communication would likely fall under this lawful basis. In other words, if it is a customer who transacts with you, there are certain processing tasks that must be undertaken for you to provide the service. Likewise, to keep its commitments under its EULA and provide service to you, WebinarJam/EverWebinar has to perform certain processing.
How WebinarJam/EverWebinar Uses Personal Data
WebinarJam/EverWebinar is committed to full transparency in the handling and processing of your customers’ personal data that you control. WebinarJam/EverWebinar collects the following user data: Name, Email, Phone, Address, Country and IP address.
WebinarJam/EverWebinar tracks the following activities: page visits, webinar registration and attendance, purchases and attendance duration.
Data is stored or deleted at the Controller's request. When a Controller ceases to be an active WebinarJam/EverWebinar customer, their accumulated data is deleted after an arbitrary period of time.
Data Subject Rights
Under the GDPR, EU data subjects have certain rights regarding their data.
These include:
The Right to Data Portability and the Right to Access:
WebinarJam/EverWebinar offers tools to let you answer customer queries about what data you have collected through WebinarJam/EverWebinar and what's been done with it. Keep in mind, if you have collected personal data outside of WebinarJam/EverWebinar, WebinarJam/EverWebinar has no knowledge or ability to answer queries regarding such data.
The Right to be Forgotten and the Right to Restriction of Processing:
Have a lead or customer who wants their personal data out of your database? No problem! You can delete that contact from any webinar he/she might have subscribed to.
Unless otherwise required by law, in the event that WebinarJam/EverWebinar receives any type of request from a data subject, we will engage the respective customer within seven days to respond to the data subject request.
Data Processing Addendum
Our data processing addendum (DPA) to our End-User Licensing Agreement formalizes many of the details described on this site in specific legal language. As part of the EULA, the DPA will govern the terms by which WebinarJam/EverWebinar, as a data processor, processes data on behalf of its customers (who are typically data controllers) in accordance with Article 28 of the GDPR.
These include:
- sub-processors engaged in delivering our services
- countries through which the data is passed (cross-border protocol)
- security measures undertaken to ensure that your data is kept private
- breach notification protocol
FREQUENTLY ASKED QUESTIONS
Does the GDPR impact businesses outside of the EU?
In many cases, yes. Even businesses that are not based in the EU are considered to be subject to the GDPR if they are collecting personal data on EU residents. Enforcement of the GDPR outside of the EU will be by EU authorities and it remains to be seen how aggressive they will be. Consult your own legal counsel but it is widely accepted that companies that collect personal data from EU residents will be subject to the requirements of the GDPR.
Does the GDPR require data to be stored in the EU?
The GDPR does not require that data processing (including storage of data) be limited to the EU. WebinarJam/EverWebinar's Data Processing Addendum includes the EU Model Clauses, which are also a valid mechanism for the lawful transfer of data between the EU and the US.
How does the GDPR impact personal data collected before May 25th? Will I need to get consent for all of my leads again?
The GDPR applies to all personal data, even if it was collected before May 25, 2018. As your business is preparing for the implementation of the GDPR, you should make sure you can properly audit the consent records for the EU-residing members of your email list, or that you can obtain and record evidence of consent going forward.
Do you have a Privacy Policy?
Yes! It contains information on our policies and efforts to comply with all applicable regulations and to guarantee the privacy of your data. It can be found here.
Do you have a Data Processing Policy?
Yes! Our Data Processing Addendum to our EULA contains the details of our data processing and how we work with Controllers and Subprocessors to comply with the applicable regulations and to ensure the privacy of your data. You can obtain a copy of the WebinarJam/EverWebinar DPA by making a written request by email to our Data Protection Officer.
Who is WebinarJam/EverWebinar's Data Protection Officer (DPO)?
- DPO: Robert Smith
- Email address: legal@genesisdigital.co
In accordance with Article 38 of the GDPR, members of the public may contact the DPO with regard to issues related to processing of their personal data and to exercise their rights under the GDPR – for example, to object to the processing of their data in cases where the data controller (i.e., WebinarJam/EverWebinar's customer) does not provide an adequate response.
Questions?
Feel free to reach out to us by emailing us at legal@genesisdigital.co with any questions you may have.
Last updated on January 20, 2020.