What is GDPR
The GDPR is a European Union (EU) privacy law that will affect businesses around the world when it becomes enforceable on May 25, 2018. It regulates how any organization that is subject to the Regulation treats or uses the personal data of people located in the EU. Personal data is any piece of data that, used alone or with other data, could identify a person. If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you'll need to comply with the GDPR.
You can read about the full text of the GDPR here or a summary here.
GDPR Compliance and Scope
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who 1) market their products to people in the EU or who 1) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
Our Commitment to Comply with the GDPR
We are fully committed to upholding the privacy and rights of our customers and their end users. The push notification technology by default does not imply direct personal user data, but it can identify a particular browser instance. We have improved anonymity within our analytics tools. We’re also working on interfaces that will allow you to address requests from your customers related to their rights for accessing any personal data that might stored in your Push Monkey account.
Opt-in and Consent for Website Push Notifications
Unlike e-mails or phone numbers, push notifications are a direct channel that serve a narrower purpose of enabling communication between website and website visitor that subscribed for push notifications. The message is clearly conveyed in our Custom Permission Dialog.
Our customers, as the data controllers, must implement their integration with the Push Monkey platform with the legally appropriate level of consent enabled. Since consent under the GDPR must be freely given by an affirmative act that is specific, informed and unambiguous, if consent is the basis for lawful processing, a separate opt-in notice and consent for each specific channel is required. Also, the individual has to be able to easily withdraw their consent at any time.
Legitimate interest is another basis for lawful processing under the GDPR. If you process personal data based on a legitimate business interest, then you need to balance those business interests against the right of the EU individual to not have you process their personal data.
Data Processing Addendum (DPA)
As Push Monkey is a Data Processor, our customers should have a Data Processing Addendum with us. We have a GDPR-compliant DPA that our customers can sign upon request. Amongst other things, our DPA includes a list of of sub-processors for personal data, detailing our breach notification procedures, SLA’s and our governance measures. If you are a Push Monkey customer, please contact us at support@getpushmonkey.com or contact your Account Manager for a copy of your DPA.
Updated Privacy Policy
Our updated policy outlines our commitment to maintaining the privacy of our customers’ personal data. It also explains what we have done to make sure our customers’ personal data is secure and how the stored data is used. Please read it here.
The Rights of Data of End Users and Our Customer (Data Subjects)
Our customers and their end-users can request access, correct, and modify their personal data stored on Push Monkey. End users can also contact us at support@getpushmonkey.com if they would like to access, correct, or remove their personal data. As a Processor, we will forward these requests to the relevant customers and help them respond.
FAQ
The General Data Protection Regulation (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on handling data.
The GDPR regulates the processing of a data subject’s personal data in the European Union including its collection, storage and transfer or use. The GDPR gives data subjects more rights and control over their data by regulating how you should handle and store any personal data they collect.
The GDPR grants 8 fundamental rights to data subjects. These are:
-
Right to be informed - Entities must be transparent in how they are using personal data and must inform data subjects of this.
-
Right of access - Data subjects will have the right to know what personal data is held about them and how it is processed.
-
Right of rectification - Where reasonably possible, data subjects will be entitled to have personal data rectified/edited if they feel that it is inaccurate or incomplete.
-
Right to erasure - This is also sometimes referred to as 'the right to be forgotten', Here, data subjects have the right to have their personal data permanently deleted upon their request and they do not have to provide a reason for the request.
-
Right to restrict processing - Data subjects have the right to block processing of their personal data.
-
Right to data portability - Where reasonably possible, data subjects have the right to retain and reuse their personal data for their own purpose.
-
Right to object - In certain circumstances, data subjects are entitled to object to their personal data being used. This includes, if personal data is used for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
The provisions of the GDPR apply to any entity that processes personal data of individuals in the European Union (EU), including tracking their online activities, regardless of whether the entity has a physical presence in the EU.
Yes! If you are an entity outside the EU, you should still be aware of the GDPR and comply with it if you process personal data of individuals in the EU.
Yes! If you are an entity outside the EU, you should still be aware of the GDPR and comply with it if you process personal data of individuals in the EU.
Yes! If you collect personal data, you need to comply.
Lack of compliance can result in fines of up to 4% of annual global turnover or €20 Million (whichever is largest) for breaching GDPR.
A Data Controller represents the entity that determines the purposes, conditions and means of the processing of personal data. The Data Processor is the entity which processes personal data on behalf of the controller.
In your entity’s relationship with Push Monkey, you are the Data Controller of your end user’s personal data (assuming you are capturing some) and Push Monkey is the Data Processor.
If you are an entity based in the EU, or collect data from data subjects in the EU you should sign a Data Processing agreement with Push Monkey. Please request this DPA at support@getpushmonkey.com. We will countersign it and provide you with a fully executed downloadable copy via email within 2 business days.
Always check with you own legal counsel before signing the agreement!
If you have any questions about its contents simply email support@getpushmonkey.com.
It is possible that a form on your website uses a GET method which on submission pushes the inputs from the form as URL parameters in a new page. For example, if you have a contact form that asks for a name, email and phone number, you could end up with a URL such as:
https://www.yourcompany.com/thanks?name=person&email=person@domain.com&phone=012345678
Because this is a new page it will be recorded in Push Monkey as a pageview containing the URL and the parameters.
This breaks Push Monkey's terms and causes GDPR compliance issues. You should remove the URL parameters by changing the form to use a POST method or finding an alternative solution.
Custom Events and Attributes are available to our customers and offer the potential for powerful Push Monkey data segmentation options. Developers can insert contextual relevant data into the Push Monkey Javascript code.
The key here is to stick to Push Monkey terms of not storing personally identifiable data. Organisations may see the value in using data from authenticated (logged-in) users within Push Monkey. But if this includes data such as names, emails, phone numbers or postcodes then you are breaking Push Monkey’s terms and you have problems with GDPR compliance.
No - this isn’t required. The agreement needs to be signed by the entity which effectively entered into the Terms of Service with Push Monkey, being the Data Controller.
The agreement needs to be entered into with the entity which effectively entered into the Terms of Service with Push Monkey, being the Data Controller.
Yes - Click here to see a sample English version of wording you can include in your Privacy Policy. Please note that it is a very generic statement and might need to be tailored to fit your particular use of our service. We also recommend that you work with your own counsel to make sure that it addresses any concerns your business and customers might have.
Disclaimer: We are here to help - but Push Monkey does not provide legal advice. This material has been prepared for informational purposes only, and it is not intended to provide, and should not be relied on for legal or compliance advice. For specific advice on how you are to comply with the GDPR, you should consult your own legal advisor.