What is GPDR?
The EU General Data Protection Regulation (GDPR) is European legislation designed to increase protections around the processing of personal data of data subjects in the European Union.
When did the GDPR take effect?
The GDPR took effect on May 25, 2018.
Who does the GDPR apply to?
Subject to certain exceptions, the GDPR applies to any organization with an establishment in the European Union that is processing personal data. It also applies to any organization that processes the personal data of EU data subjects, regardless of whether the organization has a presence in the European Union or whether the processing is conducted within the European Union.
If you have a presence in the EU, or collect, store, manage, analyze, or otherwise process personal data of EU residents, including email addresses, the GDPR’s requirement may apply to you.
What did the GDPR change?
Note: This section covers many of the changes of the GDPR, but it is not intended to be exhaustive. We highly recommend seeking independent legal counsel to determine how GDPR affects your business.
The GDPR lays out a range of requirements related to consent, individual rights, and data processing. The below overview is a non-exhaustive summary of some of the significant requirements of the GDPR.
Consent, initially defined in Article 4 and further clarified under Article 7, is addressed throughout the text of the GDPR. In general, the GDPR institutes a more rigid standard of consent when compared to the Data Protection Directive, the predecessor to the GDPR.
Consent under the GDPR needs to be informed, freely-given, and affirmative. Organizations have an obligation to present information about processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12). in order to make sure any consent is “informed.” Where data processing is based on consent, organizations will need affirmative consent from individuals—and they should be able to prove that individuals have given consent.
When organizations collect personal data, they are required to divulge certain information in accordance with Article 13.
Articles 12-23 discuss the individual rights covered by the GDPR. In general, the GDPR expands individual rights as they relate to personal data.
Right of access
Covered by Article 15, the right of access is the right of individuals to request information from a Controller about how their data is being used as well as a copy of the data itself.
Right to rectification
According to Article 16, individuals are allowed to contact a Controller to correct inaccurate personal data.
Right to be forgotten
According to Article 17, individuals can request that their data be erased under certain specific circumstances. These circumstances include, but are not limited to:
- When the data no longer needs to be processed for the original reason it was collected
- When the individual withdraws consent (if consent was the basis for processing)
- When the data was processed unlawfully
Right to restriction of processing
According to Article 18, individuals have the right to restrict how their data is processed in certain circumstances.
Right to data portability
According to Article 20, individuals have a right to receive their personal data for the purpose of using it somewhere else.
Right to object
Article 21 states that people have the right to object to the processing of their data in certain circumstances, "unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."
The GDPR specifies a variety of requirements surrounding the processing of personal data. This section will explore some of the data processing requirements and provide links to relevant sections of the text of the GDPR.
Controllers and Processors
A Data Controller is the organization that determines the “purposes and means” of data processing (i.e., how personal data will be used). A Data Processor is the organization that processes personal data on behalf and on the instructions of the Controller.
In most cases, ActiveCampaign acts a Data Processor with respect to customer contact data and ActiveCampaign customers are Data Controllers with respect to contact data. Note that it is possible for a single organization to be both a Processor and Controller.
Data processing agreements
Article 28 lays out some of the primary obligations on Data Processors, including the requirements Data Controllers should impose on Data Processor. Article 28 requires that Data Controllers must have clearly documented contracts with Processors that define the scope of processing. These contracts must be “in writing, including in electronic form.” Requirements for processing contracts can be found in the remainder of Article 28.
Data protection officers
According to Article 37, some organizations will be required to appoint a data protection officer. The specific responsibilities of a data protection officer are covered in Article 39. In general, the data protection officer is responsible for compliance with the GDPR.
Transfer of personal data to third countries or international organizations
Articles 44-50 of the GDPR cover the specific requirements for transferring personal data to third parties or international organizations. The GDPR does not require that personal data of EU residents remain exclusively in the EU, but it does impose additional requirements for such transfers. In particular, transfers of EU personal data to countries that the EU does not consider to adequately protect the rights of freedoms of EU data subjects must be justified by one of several data transfer mechanisms. For more information on the data transfer mechanisms you can use with ActiveCampaign, please see the ActiveCampaign and Privacy Shield page.