GDPR – New privacy policy laws from the EU

Data privacy is an extremely important topic, and lately, we’ve seen more and more media coverage and discussion about it. High-profile data breaches, and misuse and abuse of Facebook user data by third parties, have dominated the headlines over the past few months. Governments across the world have been working for years on creating laws that adequately protect consumers’ privacy. The European Union is set to release the newest consumer privacy laws this month.

On May 25, 2018, the EU General Data Protection Regulation (GDPR) comes into effect. This new regulation replaces Data Protection Directive 95/46/EC and harmonizes data privacy laws across Europe. The GDPR affects any person, organization, or entity who processes and/or stores data of citizens of the EU. Wicket and some of our clients fall under these new regulations.

Your organization as the Data Controller

Article 4 of the GDPR defines “Data Controller” as:

“(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”

By collecting the data from your EU members or contacts, you and your organization are acting as the Data Controller. This data includes an EU citizen’s name, email, social media posts, IP addresses, or other metadata. So, how can you comply?

  1. Ensure you have obtained explicit, opt-in, and freely given consent from the user to gather and store their data. This consent can be withdrawn by the user at any time.
  2. When requested by a user, you must permanently delete all personal data you have collected about them.
  3. When requested by a user, you must provide them with all personal data you have collected about them.
  4. We recommend seeking legal advice to ensure your Privacy Policies cover you under the GDPR, as you must be clear about how you are storing and using personal data.

Wicket as the Data Processor

Article 4 of the GDPR defines “Data Processor” as:

“(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”

Your user data is processed and stored by Wicket. Wicket can help you obtain explicit consent from users, delete user data, and export collected data. For deletion and export of data please contact Wicket Support.

Wicket’s data is processed and stored on servers located in Canada. Canada is listed as a “Secure third country” by the European Union. The EU has confirmed that commercial organizations within Canada must adhere to privacy laws comparable to those in the EU. This means that data of EU citizens can be transferred to, and processed by, Wicket.

Wicket Integrations

Wicket uses integrations with the world’s best software for email campaigns, events management, and more. Each of these integrated software vendors must meet GDPR regulations as Data Processors as well. Here is a breakdown of the integrations and their details:

MailChimp

MailChimp is located in the United States. While the US is not on the pre-approved list of “Secure third countries,” MailChimp has voluntarily certified to the U.S. Department of Commerce that they comply with the EU-U.S. Privacy Shield Framework. This means that they are allowed to process data under the GDPR.

Read more about MailChimp’s GDPR preparations

MailChimp’s official Privacy Shield certification

Eventbrite

Eventbrite is located in the United States. While the US is not on the pre-approved list of “Secure third countries,” Eventbrite has voluntarily certified to the U.S. Department of Commerce that they comply with the EU-U.S. Privacy Shield Framework. This means that they are allowed to process data under the GDPR.

Read more about Eventbrite’s GDPR preparations

Eventbrite’s official Privacy Shield certification

Shopify

Shopify is located in Canada, but has voluntarily certified to the U.S. Department of Commerce that they comply with the EU-U.S. Privacy Shield Framework.

Read more about Shopify’s GDPR preparations

Shopify’s official Privacy Shield certification

Litmos

Litmos by CallidusCloud, Inc. is located in the United States. While the US is not on the pre-approved list of “Secure third countries,” CallidusCloud has voluntarily certified to the U.S. Department of Commerce that they comply with the EU-U.S. Privacy Shield Framework. This means that they are allowed to process data under the GDPR.

Read more about CallidusCloud’s GDPR preparations

CallidusCloud’s official Privacy Shield certification

Chartio

Chartio is located in the United States. While the US is not on the pre-approved list of “Secure third countries,” Chartio has voluntarily certified to the U.S. Department of Commerce that they comply with the EU-U.S. Privacy Shield Framework. This means that they are allowed to process data under the GDPR.

Read more about Chartio’s GDPR preparations

Chartio’s official Privacy Shield certification

Formstack

Formstack is located in the United States. While the US is not on the pre-approved list of “Secure third countries,” Formstack has voluntarily certified to the U.S. Department of Commerce that they comply with the EU-U.S. Privacy Shield Framework. This means that they are allowed to process data under the GDPR.

Read more about Formstack’s GDPR preparations

Formstack’s official Privacy Shield certification

Sub-processors

Wicket uses several industry-leading sub-processors for services such as hosting, email processing, credit card processing, and service monitoring. The services are as follows, and all have voluntarily certified to the U.S. Department of Commerce that they comply with the EU-U.S. Privacy Shield Framework.

Amazon Web Services

Host for Wicket

Amazon’s official certification

Postmark by Wildbit

System email processing for Wicket

Wildbit’s official certification

Sentry by Functional Software

Error logging and monitoring for Wicket

Functional Software (Sentry)’s official certification

Google Maps

Geocoding of person record addresses for displaying on Google Maps

Google’s official certification

Moneris

Credit card processing in Wicket

Moneris is a Canadian company and therefore can store, process, and transfer EU data.

Questions?

If you have any questions about Wicket’s role in helping you adhere to GDPR, please reach out to Wicket Support. For legal questions, we suggest seeking legal counsel.

Dig deeper into the GDPR

