Brandify & The GDPR
Helping you stay compliant is our priority.
By now you’re probably aware that the European Union (EU) has drafted a new set of regulations for upholding the rights of EU citizens when it comes to the storage and use of private data. The new rules are known as the General Data Protection Regulation or GDPR, and they are effective as of May 25, 2018. Though the rules are designed to protect the privacy rights of people in the EU, they are being implemented by companies who do business outside the EU, because most online services are available globally.
At Brandify, we are committed to upholding our customers’ rights as contained in these new regulations. Brandify will strive to support the compliance efforts of our brand clients and resellers. This document is designed to help Brandify clients and resellers understand the extent to which Brandify captures and stores private data on behalf of brands, and to outline the changes we are making in light of the GDPR.
Though we are working carefully to comply with the regulations, we must clearly state that nothing contained in this document should be interpreted as legal advice. Please be sure to work with an attorney if you have questions about your brand’s responsibilities.
The GDPR lays out certain roles and responsibilities for the various parties involved in gathering, collecting, and processing private consumer data. The regulation also helps define what kinds of data should be protected.
Data Subject: A data subject is any person in the EU whose personal data is being collected, held, or processed by a company, and therefore needs to be protected.
Data Controller: This is the company of record on whose behalf personal data may be collected. The Data Controller controls and is responsible for the keeping and use of personal information. You, the brand, would be considered a data controller if, for instance, you gather consumer names, emails, and phones on your store locators or local landing pages.
Data Processor: Any company that helps the data controller to process data. In cases where Brandify collects personal data in the service of a brand client, Brandify is the data processor.
Sub-Contractor: A third party contracted by the data processor to perform data processing. Sub-contractors may include vendors, publishers, or contract employees. The extent to which their activities fall under GDPR depends on their access to personal consumer data.
Personal Data: According to GDPR, personal data consists of any data that can be used to identify a person, whether directly or indirectly. Names, photos, emails, phone numbers, social posts, and computer IP addresses are examples of personal data.
The new regulation outlines several specific privacy rights for persons in the EU. These rights relate to personal data such as your name, email address, phone number, profile photo, and anything else that could be used to identify you. Essentially, the GDPR grants residents of the EU broad rights with respect to the control and verification of, and access to, personal data. It guarantees the following:
The right to be informed – an obligation on Brandify to inform you of the use of your personal data;
The right of access – a right to access personal data we hold about you;
The right to rectification – a right to correct personal data about you that may be incomplete or inaccurate;
The right to be forgotten – in certain circumstances you can ask us to delete the personal data we have about you, unless there is a legal requirement on our part to keep it;
The right to restrict processing – a right for you to request a suspension of personal data processing;
The right to data portability – a right to ask us for a copy of your personal data; and
The right to object – a right for you to object to us with respect to our use of your personal data.
Brandify collects private consumer data to a limited degree on behalf of brand clients and resellers.
Visitors to store locators, local pages, and any other public pages we host on behalf of brands may be able to request that information, such as a store’s location, be sent to them via email or text message. We capture but do not store the user’s email or phone number in these cases.
Other features on public pages we host on behalf of brands may include a request for a price quote or to be contacted by phone. In these cases, we store customer names, emails, and/or phone numbers on behalf of the brand.
In order to provide accurate, customized search results to users, many of our store locators contain code that automatically detects the user’s location by means of their computer’s IP address or the GPS coordinates of their phone. When asking for GPS coordinates, we always request permission from the user. In general, however, data detected in this way is not stored and is used only to show a more relevant search result page.
Brandify stores and reports on social data related to your brand, such as consumer reviews of your stores and social posts that mention your brand by name. Social data may include names, photos, and other personal data that users have opted to share on social networks. We collect this data through publicly available sources, such as APIs made available by social sites. In GDPR terms, the social sites themselves are the data controllers, and those sites have primary responsibility for guaranteeing the rights of their users. We will follow the direction of any social site that instructs us to remove personal data on behalf of its user or users. We will discontinue use of any such website that is not compliant with the GDPR.
We are reaching out to brands to coordinate any needed updates. In the meantime, please feel free to contact us at firstname.lastname@example.org and we’ll be happy to consult with you.