The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
The full text of the GDPR can be found here.
Data and privacy-related policies
We have a number of policies in place to ensure that all data stored and processed by Ambassify is handled with the greatest care. Below is a list of the policies we have in place.
- Record retention and destruction policy
- Data Retention
- Incident Response
- Data Protection
- Breach Policy
- System Access
Our primary supervisory authority is the GBA.
For privacy-related questions you can contact our DPO at [email protected].
What actions has Ambassify taken to be GDPR compliant?
Obtain and process the personal data fairly
All imported member data must be explicitly confirmed by the importer as having been collected in a fair manner. We also keep a log of these confirmations, so that if there is an issue with certain personal data, we as Data Processor (Ambassify) can tell you as Data Controller who was responsible for the initial import of that specific data.
Besides the import, managers can also collect personal data through our form challenge. A predefined consent checkbox is available in our form builder, which makes it easy to collect new or updated data in a GDPR-compliant way.
Keep it only for one or more specified and lawful purposes
The personal data that is imported by the Data Controller will only be used by the Data Controller themselves to run their advocacy program via Ambassify.
Process it only in ways compatible with the purposes for which it was given to you initially
You as a Data Controller determine how we process your Data Subjects' data by setting up campaigns or performing specific actions. The sole purpose of our processing of your Data Subjects' data is to provide you with an advocacy platform.
Keep personal data safe and secure
All personal data is stored in an encrypted database with restricted access.
Keep personal data accurate and up-to-date
It is up to Data Controllers to keep the personal data in their member database up to date. Ambassify, as Data Processor, provides the tools needed for this. Managers can use our import tool to batch-update member data, or they can use our form campaign to let members update their own information.
Ensure that personal data is adequate, relevant and not excessive
The amount and relevance of the data collected is determined entirely by you as Data Controller. Ambassify asks members for no personal data beyond what you as Data Controller specify you want to collect.
Retain personal data no longer than is necessary for the specified purpose or purposes
We do not retain personal data that is no longer needed for the operations and actions you as Data Controller want to perform with your members. If you as a customer decide to cancel your Ambassify license, we follow our data retention policy to ensure that all collected data is removed from our servers in a timely manner.
Give a copy of his/her personal data to any individual, on request.
Each Data Subject (member) has the option to request an overview of the personal data we keep about them in our database. To request personal data, members can use our Request Personal Data form. As Data Processor we forward the request to the responsible Data Controller.
Right to be forgotten
Each Data Subject (member) has the right to be forgotten. If a member requests this, all account data and related data must be removed from the platform. To request account deletion, members can use our Request For Deletion form. As Data Processor we forward the request to the responsible Data Controller.
Is a member import into Ambassify GDPR compliant?
If the personal data you are importing into Ambassify was rightfully collected and all users in the export have opted in to your advocacy program or marketing program, you are good to go. If you are not sure, you can use a flow that some of our large clients in the banking sector, where data privacy is key, already use. They set up an advocacy subscription form campaign on a landing page via the Ambassify platform and mail the URL of the landing page to all potential advocates. Everyone who fills in the form gives explicit consent to be part of the advocacy program, which gives you a 100% guarantee that you are compliant with the GDPR.
Does Brexit affect the ruling of GDPR?
No. The GDPR comes into effect before the UK officially leaves the European Union on 29 March 2019. An equivalent set of data protection regulations needs to be in place for the UK to continue trading with the EU.
Do we need double opt-in to use Ambassify?
The GDPR does not make double opt-in mandatory.
Does the GDPR also apply to people living outside the EU?
As long as you are working with Data Subjects (members) who are EU citizens, you need to comply with the GDPR no matter where your company is located. The term "EU citizen" is, however, a vague one, as explained in this article.