As a digital marketer, we expect you know all about the General Data Protection Regulation, better known as GDPR, but here is a very brief reminder of what it means to you as an Emarsys customer.
The most important things for you to know as an Emarsys customer
First and foremost, remember that GDPR affects you and your customer data.
If you are in breach of these regulations, any resulting legislation will affect you, not Emarsys.
As your partner in digital marketing, we provide all the tools, means and advice you need to stay compliant, but it's up to you to use them properly. It should also be stressed that we are not qualified to offer legal advice, and at all times it is assumed that you are using the Emarsys Marketing Platform properly, as instructed in our documentation or by our support teams.
We can protect the data you hold on your customers, through data security best practices and ISO compliance, but it is still up to you to collect and use that data in the right way.
In other words, we advise, encourage and enable you to be GDPR compliant, but it is your responsibility to take the necessary steps.
We feel this point is important enough to make it twice, and in a different color.
Emarsys is not a law firm specializing in data security legislation, and we do not offer legal advice. We want to help you to understand how this legislation can affect you as an Emarsys customer, and this article assumes that you are using the Emarsys Platform properly, according to our documentation.
You should always refer to a qualified legal source when it comes to checking whether or not you are compliant in any given situation.
What are the most important points of GDPR in a nutshell?
GDPR concentrates on the following:
- Consent - Now more than ever, you have to be 100% sure that your contacts have given you explicit permission to collect and use their data. Not only that, you have to be able to demonstrate that now and in the future.
- Access to data - Customers have always had a theoretical right to know what data you hold on them, but in the past it has been hard to make companies comply. Now this right is more robust, with more stringent rules applied to costs and a lowered, 30-day maximum timeframe.
- Data protection officer - Article 37 of GDPR lays out the conditions under which you are obliged to appoint a designated data protection officer, to monitor your data processing activities and to act as point of contact for incoming data processing requests from customers.
- The right to be forgotten - Customers can demand that you delete all the data you hold on them.
- Data portability - Customers can request that you provide their data in an easily accessible format.
- Child protection - Under 16 years, children require parental consent. That is, they cannot subscribe themselves.
It also acknowledges that the Internet has made the location of your HQ all but irrelevant. You still need to comply if you offer goods or services to EU data subjects, or monitor their online activities.
You must capture explicit consent before you start to collect data with Web Extend in that given web session.
Before you use Web Extend it is your responsibility to ensure that you always obtain the necessary consent for that data from your consumers (i.e: a natural person such as a customer, contact, or account). For more about Web Extend data collection, see the Emarsys Developer Hub.
In short, GDPR puts the law firmly on the side of the individual when it comes to collecting and using their data. And it makes it much, much more painful for the companies who fall foul of it, with the maximum fine now €20 million.
How does the retrieval and deletion of our contact data work?
- All data stored by Emarsys relating to a contact can be exported at the Contact Profile page in the Contact Data Export tab. Once the export is ready you can download the collected data in a .zip archive containing .csv files per data points.
- Likewise for data deletion, you can simply delete the individual user from the Platform interface, or via the API. No additional action is needed after that, all data related to that contact is gone once the contact is deleted. For details, see Deleting contacts.
Emarsys and Data Protection
Emarsys has prepared a Data Processing Agreement for all our customers. You can download a signed copy here (requires a login):
If you have not already done so, please download the version appropriate to the Emarsys office with which you signed your contract, countersign it, save a copy for your records and email a scanned copy to firstname.lastname@example.org.