The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. It will take effect from May 25th, 2018.
At Frizbit, we’ve been working hard to prepare for GDPR, to ensure that we fulfill its obligations and maintain our transparency about communications with your users and how we use data. Under EU law, Frizbit is the Data Processor and our customers (you) are the Data Controllers. Frizbit will provide its customers with functionalities and guidance to help you become compliant as a Data Controller.
Here’s an overview of GDPR, and how we are prepared for it at Frizbit:
What’s GDPR?
The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law. GDPR was adopted in April 2016 by the EU Parliament and will be effective on May 25, 2018. It will replace existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It will be a single set of rules which govern the processing and monitoring of the data of EU citizens.
For more details and the legal source by the EU and the translations in different European languages, you can read the source European Parliament on General Data Protection Regulation 4.5.2016 L 119/1
Does it affect me?
Yes, most likely.
The scope of GDPR is any processing of Personal Data from EU data subjects.
This means increased Territorial Scope (extra-territorial applicability). Indeed, GDPR applies to all organizations processing the personal data of data subjects residing in the European Union, regardless of the company’s location. In other words, a company based outside of the EU but processing personal data of EU residents will be required to abide by GDPR.
Failure to comply with the GDPR could result in heavy fines: up to €20 million or 4% of worldwide revenue.
How is Frizbit prepared for GDPR?
- Handling Data Subject Access Requests
The GDPR grants broad rights to individuals with regard to their personal information and who has access to it. The GDPR, therefore, provides individuals (known as “data subjects”) with the “right to be forgotten.” In practice, this means organizations must now comply with a data subject’s request for access to his/her personal information in order to correct, delete, or retrieve such information. As a data processor for our customers, we have defined processes that will allow us to assist our customers in complying with these data subject requests.
First, as the main channel of Frizbit is web push notifications, technical opting-out process is managed on the browser end. All data subjects who are subscribed for web push notifications can opt-out easily on the settings of their own browsers on their own devices.
Second, Frizbit can help you meet your data portability requirements for GDPR. We have developed permanent deletion and export-all procedures for your end user data. You are able to retrieve or delete a specific property for a unique user or all of the data for a distinct user id. User data export and deletion requests will be handled by our compliance team via sending an e-mail to the compliance@frizbit.com
Third, among other obligations, GDPR limits the time period in which an organization may retain data to “no longer than is necessary for the purposes for which the personal data are processed.” We’ve updated our customer data retention period to a default period of two years for event data.
- Updating Terms of Use, Privacy Policy:
Article 28 of the GDPR requires data controllers to have a written document detailing the obligations with respect to the processing of personal data.
We have also modified our Terms of Use and Privacy Policy to incorporate a GDPR compliant Data Processing Agreement. Our updated data processing agreement shares our privacy commitments and sets out the terms for Frizbit and our customers to meet GDPR requirements. This is available for customers who purchased a subscription to sign upon request.
- Appointing a Data Protection Officer
We have a dedicated Data Protection Officer to help you with any requests or questions you have about your data. You can reach out to us by emailing compliance@frizbit.com.
- Vendor Obligations and Subcontractors
We’ve reviewed all our vendors, finding out about their GDPR plans and verifying the GDPR readiness and making sure they are compliant.
- Reviewing New Security Measures
Security is a priority for us. We have regular external audits, pentests and bug bounties. We’ve reviewed our internal access design to ensure the right people have access to the right level of customer data.
Reminders
As Frizbit, we are ready for the GDPR as a data processor. But, you are the data controller of your users. We kindly remind you that if you have any users who are EU residents and if you’d like to remain GDPR compliant, you need to update your own Privacy Policy to respect what kind of personal information you collect from your users and what you do with this information.
Regarding Frizbit, we use cookies to be able to track, control and manage the push notification preference of your visitors and we also collect and process some other visitor data for you to be able to send segmented and personalized push notifications. We recommend you update your Privacy Policy to include this collection and usage, unless you already have them in place.
Questions?
Feel free to reach out to us at compliance@frizbit.com, if you have any questions about GDPR.