The purpose of this Q&A is to provide guidance on how to comply with the GDPR when using Engage. We want to assist you in understanding how such legislation might affect you as a Voyado customer.

Please note however that Voyado is not a law firm specializing in data security legislation and that we do not offer legal advice. We recommend that you always refer to a qualified legal source to advise whether you are compliant in any given situation.

The information below presumes that you are using Engage correctly and in accordance with our documentation.

General information regarding the GDPR

This section answers general questions regarding the GDPR, what you need to do to comply, what the privacy policy needs to include, which data you may transfer and how long etc.

Is Engage GDPR compliant?

Yes, if you use it correctly. As a customer, you are the data controller, and you need to make sure that all requirements for the processing of personal data you enter into the service are fulfilled.

What do I need to do to comply with the GDPR when using Engage?
Since we are not the data controller, we can unfortunately not provide a comprehensive answer on what a specific customer needs to do to fulfill all requirements under the GDPR, but in general, the following actions are necessary:
  • Ensure that you have a legal basis under the GDPR for all personal data processing activities and that you do not process personal data which is regarded as “sensitive” under the GDPR, or personal data which is otherwise unnecessary, not relevant, inaccurate, or too old.

  • Ensure that you have obtained consent when necessary, for example for direct marketing. Make sure that you have a correct “consent-process” with for example, “tick-in boxes” with explicit consents for explicit purposes and that you do not use pre-filled “tick-in boxes” as further described under the section “Consent” below.

  • Ensure that your privacy policy discloses that you share customer data with third parties (including subcontractors) to perform services on your behalf. Keep in mind that Voyado uses sub-processors as specified in our Data Processing Agreement and that you also need to disclose that personal data is shared with these. For more information on what your privacy policy should include, please see the answer below.

  • Ensure that you have set retention periods for all personal data and that personal data is not stored longer than necessary.
What should a privacy policy include?
Your privacy policy should include, among other things, the following information:
  • The legal basis for all processing activities you perform using the individual’s personal data.

  • What personal data is being collected and how the data is processed and used.

  • Retention periods, namely, for how long different categories of data is saved.

  • You need to explicitly name the third parties you share the personal data with and its purpose, for example, subcontractors such as Voyado for the purpose of providing the individuals with newsletters, etc.

  • A disclosure that the personal data will be processed outside of the EEA and the legal bases for such processing under the GDPR (usually the standard contractual clauses) and the technical and organizational measures you undertake to protect the personal data.

  • We further recommend including a specific section on direct marketing which explains the type of emails, text messages, or other ways of contact, the right to unsubscribe at any time and unsubscribe methods.
    Remember to list all processing activities, even those which are less obvious, such as the processing of personal data by logging whether an email has been opened and the links that were clicked on, how you track this, and that this personal data is collected for analysis purposes and to adapt email content to individual reader preferences.
    The processing activities conducted by Voyado are listed in the instruction to the Data Processing Agreement between us, and we also recommend discussing this with your IT-team to make sure that all activities are listed.
Can we transfer any kind of personal data to Engage?
No, technically you can, but it is not allowed. Special categories of personal data, as defined by article 9 in the GDPR, require extraordinary measures and it's therefore not allowed to process such data in Engage unless you have a very specific security arrangement agreed with us.

Special categories of personal data include, for example, data on political or religious views or data concerning health, sexual preferences, or ethnicity. Please note that you are responsible for ensuring that no such personal data is entered into Engage.
How “old” can the personal data we use be?
The GDPR does not allow for the processing of personal data which is no longer relevant or necessary. There must further be set retention periods for all personal data and you cannot keep personal data that is simply “nice to have”.
The GDPR does not state what retention periods are suitable, ultimately you need to decide this through an assessment of what is reasonable and fair for each category of personal data and perhaps by looking at guidance from the supervising authority and their precedent decisions.
It is probably not allowed to keep personal data for marketing purposes for longer than a couple of years unless you can prove that the individual is still “active”, e.g. making purchases, etc. Old contacts shall be deleted from Engage. Prior to deleting them, you may send an email informing them that unless they provide new consent, they will be removed from the newsletter/loyalty club, etc. Do not forget to inform of the retention periods in your privacy policy.

Legal bases

In order to process personal data, you need a legal base. This section deals with which legal basis could be applicable.

What legal basis should I refer to regarding the processing of personal data for receipt of newsletters?

Since newsletters usually involve direct marketing you should use consent received in accordance with Art. 6 (1) (a) GDPR for newsletter registration and for sending direct marketing via emails and text messages. You should use different “tick-in boxes” for different contact methods.

According to § 19 of the Swedish marketing act (2008:486) you are also entitled to send direct marketing to an email address obtained in connection with the sale of goods if (i) the individual has not objected against this, (ii) you have given the individual the opportunity to object when collecting the personal data and (iii) the direct marketing concerns your own similar goods.

There are similar terms in the European marketing acts but please check your local marketing legislation if you operate outside of Sweden. Note that marketing legislation is usually applicable regardless of where your office is registered if you directly market to individuals in the applicable country. For information on how to receive valid consent, please see below under “consent”.

Do I need a legal basis to send an order confirmation and collect delivery details?
All processing of personal data requires a legal basis. For order confirmations and delivery details, however, you do not need explicit consent, you can instead use the legal basis “processing is necessary for the performance of a contract” according to article 6 (b) GDPR.

Personal data which you are required to store due to legislation can be processed under Article 6 (c) “legal obligation” in the GDPR for as long as you are required to keep records under your local law.


The GDPR sets up requirements for how a consent process must be designed, which information must be provided, who may consent etc. This section deals which such questions.

What are the legal requirements for sufficient consent?
Consent needs to be specific, informed, and unambiguous in all aspects. We recommend that you use a “tick-in box” (which may not be prefilled!) for the opt-in and make sure that the text next to the box includes the specific purpose the individual is agreeing to, for example:

“I agree to receive newsletters with marketing material from [XAB] and that [XAB] may process my personal data for this purpose and as further described in the *Privacy Policy [link]*. I understand that I can unsubscribe from the newsletter at any time by using the unsubscribe link in the email or by contacting [XAB] directly.”

Although still very common, general consents are not valid under the GDPR. You can for example not obtain consent for all different purposes listed in a privacy policy. Before submitting their consent, you need to inform the individual of their right to revoke consent at any time.

Information on how and the methods for unsubscribing can either be provided directly or elaborated in a reference to the privacy policy. Whenever you send out direct marketing, you need to include an unsubscribe link.
Do we need a double opt-in if the individual has registered in a physical store?
A double opt-in is not explicitly required by the GDPR. However, it must be possible to provide evidence that the person to whom the email address belongs, i.e., the person who has authority to use the email address, was the person who registered and not someone else.

A double opt-in provides a feasible means of collecting this evidence and we, therefore, recommend that where email addresses have been received via an offline source, they are promptly followed up with a confirmation email with a registration link.

This is usually also the only efficient way to provide the individual with your privacy policy and all information that is required under the GDPR.
How do we prove consent and how should you document the circumstances under which consent was given?

If an individual does challenge your right to send them marketing emails, it is important that you can defend yourself by providing details on when, how, and under what conditions the individual first registered. For this you will need to store the following data:

  • The IP address used to register.

  • The date and time of registration.

  • A copy of your T&Cs or similar as shown at the point of registration.

  • The registration page as shown at the point of registration.

You should keep copies and an archive of previous privacy policies and consent agreements when you make changes (e.g., screenshots saved as PDFs or images) to track the changes. In addition, and if you use double opt-ins, you could send a copy of each confirmation email that is sent to your internal email archive.

Do we need separate consent for open and click tracking?
No separate consent is necessary, you must however state in your privacy policy that you are logging whether an email has been opened and which links were clicked on, how you track this, and that this data is used for analysis purposes and to adapt email content to individual reader preferences.
Can children consent to the processing of personal data?
No, according to the GDPR individuals under the age of 16 cannot provide valid consent. The EU member states are however entitled to set their own age limit down to 13 years old and the age limit does therefore vary for some of the EU member states.

In Sweden, Denmark, and Finland the age limit is 13 years. If the child is below the age limit, the processing is only allowed with explicit consent from a guardian. Please note however that according to Swedish marketing law (and similar legislation in most of the EU member states), companies are not allowed to send direct marketing (hence, marketing by emails, text messages, mail, etc.) to children under 16. In the Nordics, it is therefore not possible for a child under 16 to consent to direct marketing.
How do we ensure that the individual is over 16, do we always need to ask for age?
During the registration process, you should point out that subscribers need to be over the age of 16 (or 13). By registering, the subscriber, therefore, confirms that he or she is at least 16 (or 13) years old. This does however not apply if the offer is directed at children, in this case, it may be necessary to obtain verification as well as the consent of a guardian.
Note however that direct marketing is not allowed for children under the age of 16 and that further restrictions under the marketing legislation may apply if you direct marketing at children.

The rights of the individuals under the GDPR

Individuals have different rights under the GDPR, this section deals with how Voyado helps you fulfill and comply with these.

What should we do if an individual asks that we delete all personal data about her/him?

The customer has a right under the GDPR to request that all personal data you have on her/him shall be deleted. This is however not an absolute right, meaning that you may be entitled and required to keep some personal data. This applies to personal data which you are obligated to process for legal purposes, for example, financial information and receipts.

You may also keep personal data to defend yourself against a possible claim from the individual. All other personal data shall however be deleted.

It is a common misconception that all personal data needs to be deleted with just “one click”. This is not the case. Under the GDPR, you must, after receiving a request, delete the personal data within 30 days and send confirmation of this to the individual concerned. Voyado provides tools for both the export and deletion of personal data. If you are unsure of how to use these, please reach out to your contact person for a demonstration.

What should we do if an individual requests access to their stored personal data?
Voyado provides a tool you can use to export all personal data processed on a specific individual to provide a report to the individual. There is no legally prescribed form on how to provide this personal data, but the easiest way would be by email, perhaps with an attached spreadsheet.
Can I correct personal data in Engage if we get a request that personal data is not correct?

Yes, you can correct personal data stored in Engage. Please reach out to your contact person if you are unsure about how to use this function.

Voyado and Schrems II

Third-country transfer and transfer to the US have been a hot topic for discussion since the ECJs ruling in Schrems II. This section describes how Voyado complies with the ruling.

How does Voyado comply with the CJEUs ruling in Schrems II?

To transfer personal data outside of the EU/EEA, you need to rely on one of the legal bases listed in the GDPR. One of these is an adequacy decision by the European Commission. Previously there was one such decision regarding the US called Privacy Shield.

A transfer based on Privacy Shield is however no longer possible since the ruling in Schrems II declared that the European Commissions’ Privacy Shield Decision for transfer of personal data to the US was invalid on account of invasive US surveillance programs, thereby making transfers of personal data on the basis of the Privacy Shield Decision illegal.

Voyado does not rely on Privacy Shield for any transfer to the US. There are however still other bases for transfer to third countries in the GDPR. One of these is the so-called “Standard Contractual Clauses” drafted by the European Commission, please see link here.

To be able to transfer personal data to the US, Voyado has, therefore, on behalf of its customers, and subject to our Data Processing Agreement, entered into Standard Contractual Clauses with all sub-processors with a connection to the US.

In addition to this, we have also agreed on specific and extra organizational security measures with such subcontractors in order to mitigate any risks and to keep the personal data safe. We further only use very well renowned subcontractors in the US with extremely high security standards and only for the processing which is deemed necessary.

Voyado works with legal specialists with extensive experience in the area and we keep ourselves continuously updated on any news and further guidance provided by the European supervising authorities. Should anything change in the future, we will undertake immediately available actions.

Do we need to undertake any actions with regards to Schrems II?
As a data controller, you need to inform the individuals of the legal basis for your transfer of personal data to a third country, hence, that you rely on the Standard Contractual Clauses referred to above for this and extra technical and organizational security measures. It is further always recommended to work proactively with data minimization and other risk minimizing activities.

Technical and organizational security measures

What technical and organizational security measures does Voyado provide? A comprehensive description of which technical and organizational security measures apply between you and Voyado is included in the Data Processing Agreement. In general, Voyado provides the following measures.

1. General security measures

Measures that generally prevent unauthorized processing of personal data.

  • Security standard – Voyado works with technical and organizational security according to the self-assessment model published by the Cloud Security Alliance.

  • Encryption of personal data – Data transfers to and from Voyado are protected using encryption following the current established practice. At rest, data is encrypted where technically feasible, at least using disk-level encryption.

  • Separation of data – Customer data is separated by using logical separation or logical identifiers, tagging information to clearly identify ownership, and ensuring that customer data can only be accessed by that customer.

  • Regular and independent vulnerability- and penetration testing and regular security updates and patches.
2. Physical Access control
Measures that prevent unauthorized persons from gaining access to data processing systems which process personal data.
  • Access to systems and personal data is restricted only to those who need access to provide Voyado to the customers on a need-to-know-basis.

  • User authentication to protect access to data processing systems.

  • Secure password policies. Employee workstations are encrypted using full-disk encryption and protected with strong passwords.
3. Organizational measures

Measures which ensure secure routines and practices within the organization.

  • Risk management – Voyado shall have documented processes and routines for handling risks within its operations. Voyado shall periodically assess the risk related to information systems and processing, storing, and transmitting the information.

  • Change control – Voyado maintains a structured change management process to ensure that changes are reviewed and tested before being deployed to production. Roll-back measures are in place in the event of any unintended behavior.

  • Secure testing – Voyado maintains separate production and testing environments.

  • Data protection officer – Voyado maintains a data protection officer who has appropriate security competence and who has overall responsibility for implementing the security measures and who will be the contact persons for customer’s security staff.

  • Security is the responsibility of everyone who works for Voyado and all employees are trained to identify security risks and take action to prevent any such.
4. Data breach management
Measures that ensure secure and proper management in the event of any data breaches.
  • Voyado shall have established procedures for data breach management.

  • Voyado shall inform the applicable customer about any data breaches as soon as possible in accordance with the data processing agreement.

  • All reporting of personal data breaches shall be treated as confidential information.

  • Reporting shall include available information necessary to report to the supervising authority.
5. Business continuity management
Measures which ensure the on-going operation of the services.
  • Voyado shall identify business continuity risks and take necessary actions to control and mitigate such risks.

  • Voyado shall have documented processes and routines for handling business continuity.

  • Information security shall be embedded into the business continuity plans.

  • The efficiency of Voyado’s business continuity management and compliance with availability requirements shall be periodically evaluated.
The technical and organizational measures are subject to technical progress and development and Voyado will implement alternative adequate measures to always adhere to industry security best practices.

Last updated: 2021-03-15

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.