We have spent months talking about the General Data Protection Regulation (GDPR). The 25th of May, the day it goes into effect, is fast approaching. During this time, we have provided you with tons of information related to adapting your email marketing strategy.
In this article, we recap how Benchmark has adapted to the GDPR and the changes we have implemented that you might need to know about:
“Right to be forgotten”
This right is one of the biggest changes in this Regulation. For the very first time, this right is regulated, and it obliges the controller to completely remove the data if the data subject requests it. There are two different scenarios for exercising the right to be forgotten:
Benchmark | Customer
If a Benchmark customer wants to be “forgotten,” he or she needs to request the deletion of the data by writing to firstname.lastname@example.org and we will proceed with the removal of their data.
Benchmark | Customer | Subscriber
Any of our clients’ subscribers can request to be deleted from lists and/or records. It’s the customer’s responsibility to delete a subscriber from our (and other) systems, with one exception: if the subscriber has already unsubscribed, the client will not be able to remove the data from the “Unsubscribe” list. If this happens, the customer should forward the user’s email to email@example.com and we will proceed with the removal of the subscriber from the list.
In this FAQ, we explain all the steps to follow.
Accessibility / rectification / unsubscribe
An email marketer must include the “Manage Subscription” option on all email campaigns:
By adding this option, the client gives the data subject the option to access and rectify his/her data and to unsubscribe. When the subscriber clicks on that link, he/she will find this screen:
The subscriber can exercise his/her rights here. At Benchmark, we are currently preparing to allow the data subject to rectify the rest of the fields and not just the email, name and surname.
International transfer of personal data
Article 45 mentions that a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.
This international transfer of personal data is guaranteed under the EU-US Privacy Shield Agreement, whose certification is held by Benchmark:
It was actually NEVER an obligation to have servers in Europe, but with the new GDPR it is even less necessary. One of the goals of the GDPR is to bring the data protection applied by companies from abroad in line with that fulfilled by European companies, so that all companies are obliged to compete on equal terms.
Contract between the controller and the processor
Article 28 explains the possibility of signing a contract between the controller and the processor and provides all the details about it. We have created this contract and will make it available to you through the tool.
If you want to check the regulation, you can do so here.
If you found this article interesting, please share it with your colleagues and friends.