What is GDPR
The European Union’s General Data Protection Regulation (GDPR), which becomes effective on 25 May 2018, is a new regulation that extends the protection of Personal Data for European Union citizens. Under the GDPR, companies have new obligations regarding Personal Data collection and processing.
Personizely complies with GDPR and will take every step required to ensure our Clients’ Personal Data security, as data collector and processor.
Personizely as Data Processor
Our Clients have the possibility to collect with Personizely the data subjects (“contacts”, “customers”) that they control. The contacts’ information may include Personal Data such as full name, email address, phone, address, IP address, bio, company name, title, location, and any other kind of data that can be attached as custom fields for further segmentation of contacts.
We have no direct relation with our Clients’ contacts, but we only store and process data, therefore, Personizely acts as Data Processor.
We have added a set of new features to make sure that we as Data Processor, as well as our Clients as Data Controllers, comply with the GDPR regulations.
The changes are mostly related to the right to withdraw consent and the right to be forgotten. Now, data subjects (in this instance “contacts”) have the following options:
- See and/or delete all data collected for an individual person (Data subject).
- IP address will be added to the data collected through Widgets, so you as controller of the data, can verify that the data collected, was given by the Data subject
Since Personizely is acting as Data Processor, it’s the Client’s responsibility as Data Collector to satisfy data subjects’ requests by doing so directly or ask our team to do it (we reserve the right to charge for volume).
Personizely as Data Controller
In our role as Data Controller to our data subjects, we have implemented the following changes:
Consent to collect and process information
Personizely does not include automated check marks to obtain a customer’s consent.
Withdraw consent and data deletion
Clients can withdraw their consent at any time during their lifecycle by canceling their subscription, which means that Personizely will stop processing their Personal Data.
Our data subjects can also view all their data Personizely has collected or is processing, and can choose to permanently delete their account and all associated data. Once an account is deleted, it will also be removed from all our third-party services Personizely is using, while our data security team will make sure no residual information is left.
Right to access data
Clients can request our team to hand over of any of their collected information, or their contacts’ information, in a common format, without any additional charge.
Data protection officer (DPO)
Personizely has appointed a DPO to make sure that our service is fully compliant with GDPR, including all future updates in relevant regulations. The DPO will constantly monitor Personal Data processing activities, will make sure that security checks are made on a strict regular basis, will deal with Data Security requests from our Clients and their Data Subjects, and will supervise Data Removal audits.
The DPO will also make sure that the third-party services Personizely is using for its operations are GDPR compliant, or can provide any other certification to ensure that data transfers are made securely.
Personal data security
Personizely has implemented and maintains reasonable, commercially acceptable security procedures and practices, appropriate to the nature of the information we store, in order to protect it from unauthorized access, destruction, use, modification, or disclosure.
However, please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the Personal Information we have collected from you.
Access to your personal data and data subjects you control
A number of key employees may have access to your Personal Data. Below we will list all the people who have access to your data, what is their role in our company, and to what degree they can access or modify your data:
- Product Management team (access: web interface): Use Personal Data to get in touch with Clients, analyze user behavior and for troubleshooting. The lead Product Manager can modify or remove Personal Data from third-party services; doesn’t have access to data stored on servers.
- Customer Success team (access: web interface): Use Personal Data to get in touch with Clients, analyze user behavior and for troubleshooting. Can not modify, export or remove Personal Data; does not have access to data stored on servers.
- Development team (access: web interface and/or source code): Use Personal Data for troubleshooting. Does not have access to stored Personal Data.
- System administration team (access: source code, server infrastructure, backups): might use Personal Data for troubleshooting and service monitoring; can modify or remove data under the supervision of the Data Protection Officer.
The access to Personal Data is authorized by the Chief Executive Officer (CEO) and the Data Protection Officer. An employee is given access to our admin panel or third-party services that store Personal Data. The access is given, but not guaranteed, for the whole period of employment at our company.
Before being granted access to Clients’ Personal Data and their Data Subject, new employees pass an on-boarding training. Clients and customers’ data handling are extensively covered during the on-boarding.
Employees are provided a corporate email address that they use to sign up and/or log in to the admin panel, and third-party services. Each email address is set up to provide access to the admin panel and third-party apps with limited roles that are decided by the CEO and DPO. Email addresses are disabled by the DPO at employee’s contract termination, therefore removing all access to Clients’ Personal Data and their Data Subjects.
We backup Clients’ Personal Data, and the data they have imported to Personizely or collected with our service on virtual servers leased with Hetzner Gmbh, in Germany.
Personal Data is retained during the subscription period of an active client. If a client cancels the subscription, we reserve our right to keep the data for up to 90 days, so returning Clients can resume their activity in the account. After the 90 days period expires and the client did not reactivate the account, all data is deleted.
Personal Data can and will be removed upon a data subject’s request.
Personizely has in place two main security levels to keep processed Personal Data secure.
- 1 level (web interface): We control employees’ data access and actions within our product or third-party services where we store Personal Data.
- 2 level (server-side): Firewalls, all data transfer is encrypted with SSL, 24/7 monitoring. Accounts with admin access require two-factor authentication and only the CEO and DPO have access to credentials, therefore no unauthorized employee can access them.
Notifications and alerts have been set up to notify the CEO and DPO whenever Client or customer’s data is being exported.
Personal data destruction
Personizely is responsible for destroying the stored Personal Data at the end of the retention period.
CEO & DPO can authorize Personal Data destruction. If authorized, the data is digitally removed from our system and backups.
At the end of the destruction procedure, our Server administration teams will perform an audit to check if all relevant PII has been destructed and will provide reports upon request.
Handling data breaches
In the event that Personal Data is compromised due to a breach of security, Personizely, as Data Controller, will notify our country’s supervisory authority of data breaches, as well as our Clients, within seventy-two (72) hours after the breach has been detected (unless the data is encrypted or anonymized), in compliance with applicable law.
We will also take any needed measure to mitigate the consequences of the data breach.
Data processing agreement
This DPA reflects Personizely’s and the Client’s agreement regarding the processing of Personal Data collected with Personizely by the Client.
The terms used in this DPA shall have the meanings set forth in this Agreement. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
Article 1. Purposes of processing
1.2. The Personal Data to be processed by the Processor for the purposes set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data Processing Agreement. The Processor shall not process the Personal Data for any other purpose unless with the Controller’s consent. The Controller shall inform the Processor of any processing purposes to the extent not already mentioned in this Data Processing Agreement. The Processor, however, is permitted to use Personal Data for quality assurance and statistical research purposes regarding the quality of the Processor’s services.
1.3. All Personal Data processed on behalf of the Controller shall remain the property of the Controller and/or the data subjects in question.
Article 2. Processor's obligations
2.1. Regarding the processing operations referred to in the previous clause, the Processor shall comply with all applicable legislation, including all data processing legislation such as the General Data Protection Regulation (GDPR).
2.2. Upon the first request, the Processor shall inform the Controller about any measures taken to comply with its obligations under this Data Processing Agreement.
2.3. All obligations of the Processor under this Data Processing Agreement shall apply equally to any person processing Personal Data under the supervision of the Processor, including but not limited to employees in the broadest sense of the term.
2.4. The Processor shall inform the Controller without delay if in its opinion a Controller’s instruction would violate the legislation referred to in the first clause of this article.
2.5. The Processor shall provide reasonable assistance to the Controller in the context of any privacy impact assessments to be made by the Controller.
Article 3. Transfer of personal data
3.1. The Processor may process the Personal Data in any country within the European Union.
3.2. In addition the Processor may transfer the Personal Data to a country outside the European Union, provided that country ensures an adequate level of protection of Personal Data and complies with other obligations imposed on it under this Data Processing Agreement and the GDPR, including the availability of appropriate safeguards and enforceable data subject rights, and effective legal remedies for data subjects.
3.3. The Processor shall report to the Controller of the countries involved. The Processor warrants that, considering the circumstances that apply to the transfer of Personal Data or any category of transfers, the country or countries outside the European Union have an adequate level of protection.
3.4. In particular, the Processor shall take into account the duration of the processing, the country of origin and the country of destination, the general and sector-based rules of law in the country of destination and the professional rules and security measures which are complied with in that country.
Article 4. Allocation of responsibilities
4.2. The Controller represents and warrants that the content, usage, and instructions to process the Personal Data as meant in this Data Processing Agreement are lawful and do not violate any right of any third party.
Article 5. Third party data processors
5.2. The Controller agrees that if and to the extent such transfers occur, the Controller is responsible for entering into separate contractual arrangements with such third party data processors binding them to comply with obligations in accordance with the GDPR.
5.3. In any event, the Processor shall ensure that any third parties are bound to at least the same obligations as agreed between the Controller and Processor.
Article 6. Security
6.1. The Processor shall use reasonable efforts to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk for the processing of involved operations, against loss or unlawful processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed).
6.2. The Processor shall implement specific security measures specified in the GDPR. The Processor may adjust the security measures at any time unilaterally. The Processor shall inform the Controller of any adjustments.
6.3. The Processor does not warrant that the security is effective under all circumstances. If any security measure explicitly agreed in this Data Processing Agreement is missing, then the Processor shall use his best efforts to ensure a level of security appropriate to the risk taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.4. The Controller shall only provide Personal Data to the Processor for processing if it has ensured that the required security measures have been taken. The Controller is responsible for the parties’ compliance with these security measures.
Article 7. Notification and communication of data breaches
7.1. The Controller is responsible at all times for notification of any security breaches and/or Personal Data breaches (which are understood as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed) to the competent supervisory authority, and for communication of the same to data subjects. In order to enable the Controller to comply with this legal requirement, the Processor shall notify the Controller within 72 hours after becoming aware of an actual or threatened security or Personal Data breach.
7.2. A notification under the previous clause shall be made at all times, but only for actual breaches.
7.3. The notification shall include at least the fact that a breach has occurred. In addition, the notification shall:
Describe the nature of the Personal Data breach including, where possible, the approximate number of data subjects concerned; Describe the likely consequences of the Personal Data breach; Describe the measures taken or proposed to be taken by the Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Article 8. Processing requests from data subjects
8.1. In the event a data subject makes a request to exercise his or her legal rights under data protection legislation, the Processor shall pass on such request to the Controller, and the Controller shall process the request. The Processor may inform the data subject that the Controller has been notified of their request.
Article 9. Confidentiality obligations
9.1. All Personal Data that the Processor receives from the Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties. The Processor shall not use this information for any goals other than for which it was obtained, not even if the information has been converted into a form that is no longer related to an identified or identifiable natural person.
9.2. The confidentiality obligation shall not apply to the extent the Controller has granted explicit permission to provide the information to third parties The provision to third parties is reasonably necessary considering the nature of the assignment to the Controller or if the provision is legally required.
Article 10. Audit
10.1. The Controller has the right to have audits performed on the Processor by an independent third party bound by confidentiality obligations to verify compliance with the security requirements, GDPR compliance, unauthorized use of Personal Data by the Processor’s personnel, compliance with the Data Processing Agreement, and all issues reasonably connected thereto.
10.2. This audit may be performed once a year as well as in the event of a substantiated allegation of misuse of Personal Data.
10.3. The Processor shall give its full cooperation to the audit and shall make available employees and all reasonably relevant information, including supporting data such as system logs.
10.4. The audit findings shall be assessed by the parties in joint consultation and may or may not be implemented by either party or jointly.
10.5. The costs of the audit shall be borne by the Controller.
Article 11. Limitation of liability
11.1. Pursuant to article 82(2) of the GDPR, the Processor shall only be liable for damage caused by processing where the Processor has not complied with obligations of the GDPR specifically directed to processors or where the Processor has acted outside or contrary to this Agreement.
11.2. The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
11.3. The Processor’s cumulative liability to the Controller or any other party for any loss or damages resulting from claims, demands or actions arising out of relating to this Agreement shall not exceed the total paid-in fee from the Controller to the Processor within the 12 months previous to the date the claim is first brought against the Processor.
Article 12. Term and termination
12.2. This Data Processing Agreement is entered into for the duration of the Agreement, the subscription period of the Client, or for up to 90 days after the subscription has been canceled but the Client has not withdrawn consent for data processing.
12.3. Upon termination of the Data Processing Agreement, regardless of the reason or manner, the Processor shall – at the choice of the Controller – return in original format or destroy all Personal Data available to it.
12.4. This Data Processing Agreement may be changed in the same manner as the Agreement.
Appendix 1. Stipulation of personal data and data subjects
The Service processes two types of Personal Data: Client Personal Data and Data Controlled by Client. The Processor shall process the below Personal Data under the supervision of the Controller, as specified in article 1 of the Data Processing Agreement:
Client Personal Data: When signing up and using the Service we may ask you to provide us with certain Personal Data that includes:
Email address First name and last name Company name Title Phone number IP address Location (country and/or city) You may decline to share certain Personal Data with us, in which case you will not be able to sign up and use the Service.
Data Controlled by Client: While using the Service, you can collect the following data about your visitors using the Service:
- Data subject’s email address
- Data subject’s first name and last name
- Data subject’s company name
- Data subject’s title
- Data subject’s phone
- Data subject’s address
- Data subject’s bio
- Data subject’s IP address
- Data subject’s location (country and/or city)
- Any other fields created using the Service to collect Data subject's information The Service has no direct relationship with a user’s customers, and each user is solely responsible for notifying his customers about the reason behind the collection of their Personal Data and how this information is processed in or through the Service.
The Processor shall process the below Personal Data under the supervision of the Controller, as specified in article 1 of the Data Processing Agreement:
The Controller represents and warrants that the description of Personal Data and the categories of data subjects in this Appendix 1 is complete and accurate, and shall indemnify and hold harmless Process for all faults and claims that may arise from a violation of this representation and warranty.
Still Having Questions?
Feel free to contact us at any time via email or on-site chat