Athens Word of Mouth constantly works on building, reviewing and further developing required policies, processes, and procedures in place to comply with the applicable privacy and data protection laws. Some of those laws include the EU and the UK General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), and the e-Privacy Directive as implemented in the Member States of the EU. Further, Athens Word of Mouth is constantly evaluating our exposure to other data protection laws to make any necessary adjustments to our privacy program. Additionally, we regularly monitor data protection developments with a view to incorporate the principles from new laws, frameworks, and best practices into our operations to keep strengthening the protection of personal data.
We have engaged privacy experts to assist us with our privacy and data protection compliance efforts, and with their assistance, we are actively engaged in ensuring our own compliance with applicable data protection laws and having solutions to enable our customers to comply with their own obligations as data controllers under the applicable data protection laws. Read on to learn a few things we have done to help you make our use of our service as compliant as possible.
What Are the EU GDPR and UK GDPR?
The GDPR is the European Union’s comprehensive privacy and data protection law that took effect on May 25, 2018. The primary aim of the GDPR is to regulate how the personal data of individuals in the EU is processed – even by businesses that have no physical or legal presence in the EU. Organizations can face hefty fines for non-compliance: up to €20 million or 4 percent of annual global revenue, whichever is higher. The UK GDPR largely mirrors the GDPR and was adopted by the UK as part of Brexit.
Is Athens Word of Mouth GDPR certified?
There is not yet any kind of recognized GDPR global certification scheme in the EU, but we’ve been working hard to ensure that we’re in compliance with the GDPR. We spend a considerable amount of time and energy to ensure that our data protection practices meet or exceed the highest standards, so that individuals who disclose personal data to us can rest assured that their data is protected. Read on to learn how we work to make your use of our service compliant.
What Does Athens Word of Mouth Do to Ensure that Its Vendor Relationships Meet Applicable Data Protection Requirements?
Before transferring any personal data to service providers, we conduct due diligence on the recipient of the data (including reviewing security reports). We also ensure that robust contractual protections are in place. Our vendor management procedures require that such contracts be in line with the highest common denominators when it comes to data protection laws (the GDPR and the CCPA). We have developed a detailed DPA that all service providers must sign in addition to their standard contract. We can also sign the service providers’ DPAs if they meet the legal and contractual requirements.
When we need to transfer personal data governed by the GDPR outside the European Economic Area (“EEA”) or the UK to a country that has not been deemed to provide an adequate level of data protection by the European Commission or the UK Secretary of State, we strengthen the protection of the data through SCCs or other approved transfer mechanisms.
GDPR and You
So Athens Word of Mouth is focused on compliance with the GDPR. Does that mean that I’m automatically compliant too? If not, where can I learn more about my own obligations?
No. Controllers need to address their own practices to ensure that they meet applicable requirements.
Much of how you collect, use, and dispose of personal data is not determined by Athens Word of Mouth (your data processor). Thus, each organization should get its own professional guidance on the topic to help ensure compliance.
Am I a Data Controller? Is Athens Word of Mouth a Data Processor?
Typically, an Athens Word of Mouth customer will be considered a data controller (i.e., an organization that determines the purposes and means of the processing of personal data) and Athens Word of Mouth will be considered a data processor under the law.
Controllers and processors each have their own respective obligations under the law. Therefore, our GDPR compliance plan looks a bit different from what yours will look like. This doesn’t mean we can’t be used by data controllers – quite the opposite. When a data controller engages a service provider like us, the service provider is typically a data processor acting on behalf of the controller, and the processor acts at the behest of the controller. As stated above, our DPA will govern the relationship, and the nature of the processing activities, between Athens Word of Mouth and its customers.
Does the GDPR Require an Additional Checkbox to Be Able to Lawfully Process Personal Data? Or Will a Sentence such as “Enter your information for us to email you XYZ Pdf” Be Sufficient?
If you are processing personal data on the basis of the data subject’s consent, you will need to include a mechanism to collect that consent, which could include an unticked checkbox which the data subject can tick to consent to the processing of his or her data for a specified purpose (for example, receiving email marketing communications from you about your products). If you can consider this type of arrangement as a “contract” between you and the individual who requested the “something,” then you may be able to skip the checkbox altogether and base your processing on the need to perform your obligations under this “contract”.
Do I need to obtain consent again from all my contacts?
Not necessarily. There are other permitted bases for processing personal data under Article 6 of the GDPR, such as the need to process personal data for the performance of a contract, or the legitimate interests of the data controller or another party. However, if you will be processing personal data based solely on the consent of the individual, you likely need to re-acquire consent from these “old” contacts. For more information on this topic, take a look at the Consent section of our GDPR Readiness Guide.
Under GDPR, can I still have my opt-in forms checked by default?
No. Please note that the use of pre-ticked opt-in boxes is not valid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely using a service (without first ticking a box to indicate agreement), does not count as “consent”.
GDPR and Other Channels
How does the GDPR apply to social media?
The GDPR applies to personal data processed for the purposes of social media marketing campaigns, communication with customers via social media, and using Facebook tracking pixels and similar technologies. However, the specific impact depends on the manner in which the social media is used. Social media isn’t specifically discussed in the GDPR, so there are no aspects of the GDPR that are unique to social media or social media marketing.
Does the GDPR apply only if a customer buys something from a website?
If you are offering services to a data subject in the UK or EU, they do not necessarily need to buy something from you in order for the GDPR to apply. When you go out of your way to offer goods or services to the people in the UK or EU, the GDPR likely applies to you.
Compliance of Third-Party Integrations with Athens Word of Mouth
When you configure your Athens Word of Mouth service to connect with third-party apps, you must ensure that you also use those providers in a compliant manner. For example, you need to ensure that you enter into a contract with each service provider that meets the requirements laid out in Article 28 of the EU and UK GDPR. This means, for example, that there must be an agreement that, among other things, requires the service provider to use the personal data you entrust it with only upon your instructions, and to notify you of any data breaches. You also need to determine whether such service providers have the technical capabilities to protect the personal data you make available to them.