First, a little background information: The General Data Protection Regulation is the EU’s new data privacy law. It takes effect on May 25, 2018, and while it’s being implemented by the European Union, it applies not only to companies based in the EU but also to those that have customers and contacts in the EU.
The following is not legal advice (because we are not lawyers), nor is it a complete guide to GDPR. It’s not even legally binding (our terms and conditions are). However, it may give some insight into GDPR-related issues when it comes to third-party tools, and Unless in particular.
Controllers versus processors
As an Unless customer, you eventually implement the Unless script on your website. In GDPR-speak, this means that your website is the “controller”. Third-party plugins are called “processors”. Common processors include Google Analytics, Mixpanel, Intercom, and any other third-party plugin or service that collects data on your behalf, including Unless.
Your obligation as a controller
For your website visitors in the European Union, you will have to make sure that the following is arranged on your website.
- As the “controller”, you have the legal responsibility to make sure that your visitors can explicitly give you their okay for your data collection and, if applicable, your profiling efforts. Think of it as an “extra large cookie-warning”.
- Your customers should be able to get access to their data in all "processors", as well as their data in your own database.
- To ensure data portability, this data must be offered in a machine-readable format.
- For each of your "processors", a customer should be able to decide to delete his or her personal data.
There are quite a few organizational things that your company needs to address as well. For more information, we recommend The Guide to the GDPR.
Our promise to you
We will make sure that as a processor, we are compliant with GDPR.
- If any of your customers requests their data, we will respond with the data we have on this specific person in a machine-readable format.
- If any of your customers wishes to exercise their right to be forgotten, we will delete all of his or her data that we have in our data storage.
For the time being, these requests can be forwarded to email@example.com. We will then take appropriate action.