General Data Protection Regulation (GDPR)

The General Data Protection Regulation seeks to create a consistent framework across the EU for data protection.

Why was the GDPR adopted?

Recital 1 of the General Data Protection Regulation: 

In summary, the protection of natural persons in relation to the processing of personal data is a fundamental right. Thus, Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

eTrigue GDPR compliance

eTrigue is committed to the GDPR so that our clients can use DemandCenter marketing automation with GDPR compliance in mind.

At eTrigue, we take data privacy seriously. We meet or exceed data privacy regulations and support organizations that use DemandCenter in meeting their data privacy obligations across the globe.

Remove me from all communications

If you would like to revoke your consent for communications from eTrigue under GDPR, please submit the following information. Once you complete this form, we will confirm your details and remove you from further outreach.

eTrigue is certified under Privacy Shield

eTrigue has self-certified under the EU-US Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework regarding collection, use and disclosure of personal information in a manner consistent with the laws of the countries in which it does business, and also has a tradition of upholding the highest ethical standards in its business practices.

Our certification may be verified at https://www.privacyshield.gov/list by searching for eTrigue.

Introduction to the GDPR

GDPR, which is an acronym for General Data Protection Regulation, was enacted by the European Parliament (‘EP’) to further strengthen data protection for people inside of the European Union (‘EU’).

The European Union’s Regulation 2016/679, the new General Data Protection Regulation, is in effect as of 25 May 2018 to regulate the processing, by an individual, a company or an organization, of personal data relating to EU resident individuals in the EU.

GDPR replaces the previous individual EU member state regulations and guidance on privacy. The General Data Protection Regulation is in the form of regulation instead of a directive and is therefore enforceable in EU member states as law.

Organizations need to ensure they are compliant, or risk financial penalties.

Background

First of all, eTrigue understands the importance of putting privacy and data protection in the hands of the data subject. Secondly, eTrigue is in compliance with the General Data Protection Regulation.

Finally, GDPR compliance requires commitment from users of eTrigue DemandCenter and from eTrigue, as it does with other data protection laws. In addition, we are tracking the recommendations and guidance issued by regulatory authorities to help us develop tools appropriate for use of eTrigue’s services.

GDPR Compliance and Data Protection

The principle of accountability is a cornerstone of the GDPR. According to the GDPR, a business/organization is responsible for complying with all data protection principles and is also responsible for demonstrating compliance. GDPR provides businesses/organizations with a set of tools to help demonstrate accountability, some of which are mandatory.

The legislation makes EU resident individuals’ privacy rights stronger by limiting processing of their personal data, significantly expanding their rights over their data, and giving them greater visibility into the nature, purpose, and use of their data.

GDPR Scope

In summary, GDPR is in force for every organization that tracks EU resident behavior inside of the EU and that processes or uses the personal data of EU residents.

Furthermore, it grants broad individual rights pertaining to personal data, some of which include the right to: be fully informed, consent, withdraw consent, erasure of personal data, be forgotten, deletion of personal data, access to personal data, have incorrect personal data rectified, object, and request data.

This also includes the following right: “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.” (Regulation (EU) 2016/679, Recital 70)

Which Organizations are affected by the GDPR?

In general, any organization that collects, processes or stores personal information about EU citizens within the EU states must conform to the GDPR, no matter if they have an EU business presence or not.

Organizations that fall under the General Data Protection Regulation legislation:

  • An EU country presence.
  • No EU presence, but processes the personal data of EU residents.

Article 3 GDPR

Important GDPR Definitions

(Full list at https://gdpr-info.eu/art-4-gdpr/ )

Personal Data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Important GDPR Requirements

When collecting, processing or holding personal information organizations must make certain that the information is:

  • processed in a way that preserves security
  • up to date and accurate
  • relevant to the purpose
  • only used for legitimate and specific purposes
  • processed legally and transparently

Significance for Inbound and Outbound Marketing

Consent by EU persons to collect and utilize personal data

Most marketing-related activities will rely on using “consent” as the appropriate reason for processing data. eTrigue customers should assess how consent is gained, how it is documented and how authorization is maintained for processing personal data.

Article 4 “Definitions”

Article 4.11

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 7 “Conditions for consent”

Article 7.1

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Article 7.2

…The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Article 7.3

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Children’s Personal Information

We do not knowingly collect or solicit any personal information from anyone under the age of 16. In the event that we learn we have collected personal information from someone under the age of 16 without parental consent, we will delete that information as quickly as possible. If a child under the age of 16 has provided us with personal information online, a parent or guardian may contact us by emailing us at privacy @ etrigue.com. We will remove the information and unsubscribe the child from any of our electronic communications.

Accountability: processing is performed in accordance with the GDPR

Organizations must consider and be able to demonstrate how they comply with the principles of the GDPR.

Article 24 “Responsibility of the controller”

Article 24.1

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

eTrigue DemandCenter and GDPR

eTrigue DemandCenter users have the advantage of a powerful platform with capabilities to help prepare for and become GDPR compliant.

Customers of eTrigue are controllers under the GDPR and have the primary responsibility, as they choose which subscriber and contact information is loaded into their DemandCenter instance and with whom they communicate.

The eTrigue GDPR Data Processing Addendum is located here.

Multi-lingual compliance mechanisms such as opt-out capability have always been in place in DemandCenter.

eTrigue customers will continue to rely on eTrigue DemandCenter’s Privacy Shield certification for placing lawfully obtained personal data under the GDPR.

We are evaluating and enhancing our features and processes to further assist users subject to the GDPR and will continue to support GDPR compliance requirements.

Checklist to prepare for GDPR Compliance

Here are some of the steps that can be accomplished within your organization. The list is not comprehensive in nature and your organization must determine individual steps that must be accomplished:

  • Create a compliance group or team for General Data Protection Regulation
  • Audit and document your organization’s personal data processing procedures and activities
  • Determine if your organization requires a Data Protection Officer (‘DPO’) and appoint one
    • Article 37 “Designation of the data protection officer”
  • Document (and collect) the legal basis for processing data – i.e. “consent”
    • Article 7 “Conditions for consent” / Article 8 (Child)
  • Determine policies and mechanisms to accomplish EU subjects’ rights requests
    • CHAPTER III inclusive – “Rights of the data subject”
  • Assess, review and update processor and sub-processor agreements
    • Article 28 “Processor”
  • Update your organization’s privacy policies and procedures
  • Update policy for notification of personal data breach
    • Article 33 “Notification of a personal data breach to the supervisory authority”
    • Article 34 “Communication of a personal data breach to the data subject”

GDPR Guidelines and Resources

European Commission (EC) – Data protection in the EU: https://ec.europa.eu/info/law/law-topic/data-protection_en

European Commission – What does the General Data Protection Regulation (GDPR) govern? https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en

GDPR Data Processing Addendum (PDF)

EUR-Lex (Official Journal of the European Union): http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

UK Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Third-party, searchable, indexed: https://gdpr-info.eu/

Disclaimer

eTrigue has made this information available to assist organizations in understanding the GDPR. The information contained here is not legal advice and shall not be construed as legal advice.

Anyone who intends to rely upon or use the information contained here is responsible for independently verifying the information and obtaining independent expert advice if required. Furthermore, organizations should consult their legal counsel to interpret and understand their obligations under the GDPR, and how their organization utilizes and processes personal data.
