The purpose of this Q&A is to provide guidance on how to comply with the GDPR when using Engage. We want to assist you in understanding how such legislation might affect you as a Voyado customer.
Please note however that Voyado is not a law firm specializing in data security legislation and that we do not offer legal advice. We recommend that you always refer to a qualified legal source to advise whether you are compliant in any given situation.
The information below presumes that you are using Engage correctly and in accordance with our documentation.
General information regarding the GDPR
This section answers general questions regarding the GDPR: what you need to do to comply, what your privacy policy needs to include, which data you may transfer, and for how long data may be kept.
Yes, you can comply with the GDPR when using Engage, provided that you use it correctly. As a customer, you are the data controller, and you need to make sure that all requirements for the processing of the personal data you enter into the service are fulfilled.
- Ensure that you have a legal basis under the GDPR for all personal data processing activities and that you do not process personal data which is regarded as “sensitive” under the GDPR, or personal data which is otherwise unnecessary, not relevant, inaccurate, or too old.
- Ensure that you have obtained consent when necessary, for example for direct marketing. Make sure that you have a correct consent process, for example tick boxes with an explicit consent for each explicit purpose, and that you do not use pre-ticked boxes, as further described under the section “Consent” below.
- Ensure that your privacy policy discloses that you share customer data with third parties (including subcontractors) to perform services on your behalf. Keep in mind that Voyado uses sub-processors as specified in our Data Processing Agreement and that you also need to disclose that personal data is shared with these. For more information on what your privacy policy should include, please see the answer below.
- Ensure that you have set retention periods for all personal data and that personal data is not stored longer than necessary.
Your privacy policy needs to include at least the following:
- The legal basis for all processing activities you perform using the individual’s personal data.
- What personal data is being collected and how the data is processed and used.
- Retention periods, namely, for how long different categories of data are saved.
- The third parties with which you share the personal data, explicitly named, and the purpose of the sharing, for example, subcontractors such as Voyado for the purpose of sending newsletters to the individuals.
- A disclosure that the personal data will be processed outside of the EEA, the legal basis for such transfers under the GDPR (usually the standard contractual clauses), and the technical and organizational measures you undertake to protect the personal data.
- We further recommend including a specific section on direct marketing which explains the type of emails, text messages, or other ways of contact, the right to unsubscribe at any time, and the unsubscribe methods.
- Remember to list all processing activities, even those which are less obvious, such as logging whether an email has been opened and which links were clicked, how you track this, and that this personal data is collected for analysis purposes and to adapt email content to individual reader preferences.
- The processing activities conducted by Voyado are listed in the instruction to the Data Processing Agreement between us; we also recommend discussing this with your IT team to make sure that all activities are listed.
Special categories of personal data include, for example, data on political opinions or religious beliefs, data concerning health, sex life or sexual orientation, and data on racial or ethnic origin. Please note that you are responsible for ensuring that no such personal data is entered into Engage.
Legal bases
In order to process personal data, you need a legal basis. This section deals with which legal basis could be applicable.
Since newsletters usually involve direct marketing, you should use consent obtained in accordance with Art. 6 (1) (a) GDPR for newsletter registration and for sending direct marketing via emails and text messages. You should use separate tick boxes for different contact methods.
According to § 19 of the Swedish Marketing Act (2008:486), you are also entitled to send direct marketing to an email address obtained in connection with the sale of goods if (i) the individual has not objected to this, (ii) you gave the individual the opportunity to object when the personal data was collected, and (iii) the direct marketing concerns your own similar goods.
There are similar rules in the marketing legislation of other European countries, but please check your local marketing legislation if you operate outside of Sweden. Note that marketing legislation is usually applicable regardless of where your office is registered if you direct marketing at individuals in the country concerned. For information on how to obtain valid consent, please see below under “Consent”.
Personal data which you are required to store due to legislation can be processed under Article 6 (1) (c) “legal obligation” of the GDPR for as long as you are required to keep records under your local law.
Consent
The GDPR sets up requirements for how a consent process must be designed, which information must be provided, who may consent, etc. This section deals with such questions.
An example of consent wording for a newsletter:
“I agree to receive newsletters with marketing material from [XAB] and that [XAB] may process my personal data for this purpose and as further described in the *Privacy Policy [link]*. I understand that I can unsubscribe from the newsletter at any time by using the unsubscribe link in the email or by contacting [XAB] directly.”
Although still very common, general consents are not valid under the GDPR. You cannot, for example, obtain a single consent for all of the different purposes listed in a privacy policy. Before the individual submits their consent, you need to inform them of their right to withdraw consent at any time.
Information on how to unsubscribe can either be provided directly or by reference to the privacy policy. Whenever you send out direct marketing, you need to include an unsubscribe link.
A double opt-in provides a practical means of collecting evidence that consent was given, and we therefore recommend that, where email addresses have been received via an offline source, they are promptly followed up with a confirmation email containing a registration link.
This is usually also the only efficient way to provide the individual with your privacy policy and all information that is required under the GDPR.
If an individual challenges your right to send them marketing emails, it is important that you can defend yourself by providing details on when, how, and under what conditions the individual first registered. For this you will need to store the following data:
- The IP address used to register.
- The date and time of registration.
- A copy of your T&Cs or similar as shown at the point of registration.
- The registration page as shown at the point of registration.
You should keep copies of previous privacy policies and consent texts in an archive whenever you make changes (e.g., screenshots saved as PDFs or images) so that the changes can be tracked. In addition, if you use double opt-in, you could send a copy of each confirmation email to your internal email archive.
In Sweden, Denmark, and Finland the age limit for a child's own consent under Article 8 GDPR is 13 years. If the child is below the age limit, the processing is only allowed with explicit consent from a guardian. Please note however that according to Swedish marketing law (and similar legislation in most EU member states), companies are not allowed to send direct marketing (that is, marketing by email, text message, post, etc.) to children under 16. In the Nordics, it is therefore not possible for a child under 16 to consent to direct marketing.
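As an added example (this is not Voyado's code and not part of Engage), the following Python sketch shows how the double opt-in flow and the consent evidence listed above can be implemented: the confirmation link carries a token bound to the email address and registration time with an HMAC, so a link cannot be edited to confirm a different address or to extend its validity, and the consent record stores the IP address, the timestamps, and hashes that tie the record to archived copies of the policy text and registration page. The HMAC key, the seven-day link expiry, the field names and the sample inputs are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import asdict, dataclass, replace
from typing import Optional

# Constructed secret for the example; in a real system load it from a secret store.
CONFIRM_KEY = b"example-key-not-for-production"
# Assumption: a confirmation link is valid for seven days.
TOKEN_TTL_SECONDS = 7 * 24 * 3600

# Constructed in-memory archive of the exact policy text / registration page
# shown at sign-up, keyed by SHA-256 of the content. The consent record stores
# the key, so the archived copy can be produced if consent is ever challenged.
ARCHIVE: dict[str, bytes] = {}


def archive(content: bytes) -> str:
    """Store a copy of the shown content and return its SHA-256 hex digest."""
    digest = hashlib.sha256(content).hexdigest()
    ARCHIVE.setdefault(digest, content)
    return digest


def _mac(email: str, issued_at: int, key: bytes) -> str:
    return hmac.new(key, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()


def make_confirm_token(email: str, issued_at: int, key: bytes = CONFIRM_KEY) -> str:
    """Token format: email|issued_at|HMAC-SHA256(email|issued_at)."""
    return f"{email}|{issued_at}|{_mac(email, issued_at, key)}"


def verify_confirm_token(token: str, now: int, key: bytes = CONFIRM_KEY,
                         ttl: int = TOKEN_TTL_SECONDS) -> Optional[str]:
    """Return the confirmed email, or None if the token is malformed, forged or expired."""
    try:
        email, issued_str, mac = token.rsplit("|", 2)
        issued_at = int(issued_str)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(email, issued_at, key)):
        return None
    if now < issued_at or now - issued_at > ttl:
        return None
    return email


@dataclass(frozen=True)
class PendingSignup:
    email: str
    purpose: str          # one specific purpose per consent, e.g. "newsletter_email"
    registered_at: int    # Unix time of the sign-up
    ip_address: str       # IP address used to register
    policy_version: str   # archive key of the T&Cs / privacy policy as shown
    page_snapshot: str    # archive key of the registration page as shown


@dataclass(frozen=True)
class ConsentRecord(PendingSignup):
    confirmed_at: int                  # Unix time the confirmation link was used
    withdrawn_at: Optional[int] = None # set when the individual unsubscribes


def start_signup(email: str, purpose: str, ip_address: str, policy_text: bytes,
                 page_html: bytes, now: int) -> tuple[PendingSignup, str]:
    """Record the sign-up and return the token to embed in the confirmation email."""
    pending = PendingSignup(email, purpose, now, ip_address,
                            archive(policy_text), archive(page_html))
    return pending, make_confirm_token(email, now)


def confirm_signup(pending: PendingSignup, token: str, now: int) -> Optional[ConsentRecord]:
    """Turn a pending sign-up into a consent record only if the token is valid for it."""
    email = verify_confirm_token(token, now)
    if email is None or email != pending.email:
        return None
    return ConsentRecord(**asdict(pending), confirmed_at=now)


def withdraw(record: ConsentRecord, now: int) -> ConsentRecord:
    """Consent is kept as evidence after withdrawal; only the withdrawal time is added."""
    return replace(record, withdrawn_at=now)


def may_send_marketing(record: ConsentRecord) -> bool:
    return record.withdrawn_at is None


if __name__ == "__main__":
    t0 = 1_700_000_000
    pending, token = start_signup("anna@example.com", "newsletter_email", "203.0.113.7",
                                  b"Privacy policy v1 (constructed)", b"<form>...</form>", t0)
    record = confirm_signup(pending, token, t0 + 3600)
    print(record)
    print("tampered token accepted:", confirm_signup(pending, token.replace("anna", "eve"), t0) is not None)
```

The record stores hashes rather than the documents themselves, so the archive of policy versions and page snapshots must be kept for as long as the consent records are; withdrawing consent does not delete the record, since it is the evidence that consent existed for the emails already sent.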
The rights of the individuals under the GDPR
Individuals have different rights under the GDPR; this section deals with how Voyado helps you fulfill and comply with these.
An individual has the right under the GDPR to request that all personal data you hold on them be deleted. This is however not an absolute right, meaning that you may be entitled, or even required, to keep some personal data. This applies to personal data which you are obliged to process for legal purposes, for example financial records and receipts.
You may also keep personal data needed to defend yourself against a possible claim from the individual. All other personal data shall however be deleted.
It is a common misconception that all personal data needs to be deleted with just “one click”. This is not the case. Under the GDPR, you must, after receiving a request, delete the personal data without undue delay and in any event within one month, and confirm to the individual concerned that this has been done. Voyado provides tools for both the export and deletion of personal data. If you are unsure of how to use these, please reach out to your contact person for a demonstration.
Yes, you can correct personal data stored in Engage. Please reach out to your contact person if you are unsure about how to use this function.
Voyado and Schrems II
Third-country transfers, and transfers to the US in particular, have been a hot topic for discussion since the ruling of the Court of Justice of the EU in Schrems II. This section describes how Voyado complies with the ruling.
To transfer personal data outside of the EU/EEA, you need to rely on one of the legal bases listed in the GDPR. One of these is an adequacy decision by the European Commission. Previously there was one such decision regarding the US, called Privacy Shield.
A transfer based on Privacy Shield is however no longer possible: the ruling in Schrems II declared the European Commission’s Privacy Shield Decision for transfers of personal data to the US invalid on account of invasive US surveillance programs, thereby making transfers of personal data on the basis of the Privacy Shield Decision unlawful.
Voyado does not rely on Privacy Shield for any transfer to the US. There are however still other bases for transfers to third countries in the GDPR. One of these is the so-called “Standard Contractual Clauses” drafted by the European Commission.
To be able to transfer personal data to the US, Voyado has therefore, on behalf of its customers and subject to our Data Processing Agreement, entered into Standard Contractual Clauses with all sub-processors with a connection to the US.
In addition to this, we have also agreed on specific supplementary organizational security measures with such subcontractors in order to mitigate any risks and to keep the personal data safe. We further only use well-renowned subcontractors in the US with very high security standards, and only for the processing which is deemed necessary.
Voyado works with legal specialists with extensive experience in the area, and we keep ourselves continuously updated on any news and further guidance provided by the European supervisory authorities. Should anything change in the future, we will act promptly.
Technical and organizational security measures
What technical and organizational security measures does Voyado provide? A comprehensive description of which technical and organizational security measures apply between you and Voyado is included in the Data Processing Agreement. In general, Voyado provides the following measures.
Measures that generally prevent unauthorized processing of personal data.
- Security standard – Voyado works with technical and organizational security according to the self-assessment model published by the Cloud Security Alliance.
- Encryption of personal data – Data in transit to and from Voyado is protected using encryption following current established practice. At rest, data is encrypted where technically feasible, at least using disk-level encryption.
- Separation of data – Customer data is separated by using logical separation or logical identifiers, tagging information to clearly identify ownership, and ensuring that customer data can only be accessed by that customer.
- Regular and independent vulnerability- and penetration testing and regular security updates and patches.
- Access to systems and personal data is restricted, on a need-to-know basis, to those who need it in order to provide Voyado to the customers.
- User authentication to protect access to data processing systems.
- Secure password policies. Employee workstations are encrypted using full-disk encryption and protected with strong passwords.
Measures which ensure secure routines and practices within the organization.
- Risk management – Voyado shall have documented processes and routines for handling risks within its operations. Voyado shall periodically assess the risk related to information systems and processing, storing, and transmitting the information.
- Change control – Voyado maintains a structured change management process to ensure that changes are reviewed and tested before being deployed to production. Roll-back measures are in place in the event of any unintended behavior.
- Secure testing – Voyado maintains separate production and testing environments.
- Data protection officer – Voyado maintains a data protection officer who has appropriate security competence, who has overall responsibility for implementing the security measures, and who is the contact person for the customer’s security staff.
- Security is the responsibility of everyone who works for Voyado and all employees are trained to identify security risks and take action to prevent any such.
- Voyado shall have established procedures for data breach management.
- Voyado shall inform the applicable customer about any data breaches as soon as possible in accordance with the data processing agreement.
- All reporting of personal data breaches shall be treated as confidential information.
- Reporting shall include available information necessary to report to the supervising authority.
- Voyado shall identify business continuity risks and take necessary actions to control and mitigate such risks.
- Voyado shall have documented processes and routines for handling business continuity.
- Information security shall be embedded into the business continuity plans.
- The efficiency of Voyado’s business continuity management and compliance with availability requirements shall be periodically evaluated.
Last updated: 2021-03-15