GDPR Data Protection guidelines
Processing of personal data
When you use the DataChannel Platform to process data relating to identifiable natural persons (Personally Identifying Information, “PII” or “personal data”) you are responsible for compliance with the provisions of data protection laws (esp. the EU General Data Protection Regulation, “GDPR” and national data protection legislation). The requirements of the GDPR may also apply to processing of PII outside of the EU (see Art 3 GDPR) and may mandate to designate a representative in the EU in case you are not established within the EU.
The DataChannel Platform features special PII warnings (see point 8 below) to notify you when you are selecting connectors that may process PII (e.g. CRM databases). PII may be processed when you use the DataChannel Platform to load data from connectors or when using this data in your reports.
Anonymised data is not subject to the GDPR. Please note, that the process of anonymizing PII (e.g. for anonymizing IP addresses) must also comply with the applicable data protection provisions and falls within the scope of this ADPG.
Special categories of personal data or criminal data
Please be aware that the DataChannel Platform is not intended to process special categories of personal data (“sensitive data”) or personal data relating to criminal convictions and offences (“criminal data”). Sensitive data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. When processing such personal data stricter requirements and limitations apply (see Art 9 and 10 GDPR). Thus, you may consult with your legal counsel before processing such personal data.
Roles and responsibilities
When using the DataChannel Platform for your own marketing purposes you will in general be the controller in the terms of the GDPR. As such, you have inter alia the responsibility to assess the lawfulness of all processing activities and adhere to certain documentation requirements (e.g. keeping a record of all processing activities).
Furthermore, you must ensure that all data subjects are informed about your processing activities in a transparent manner (Art 13, 14 GDPR). This may include informing them about processing of personal data for marketing purposes where data was originally collected for other purposes (e.g. online shop customers).
When you are processing personal data as agency on behalf of your clients (i.e. their customer’s data) as part of your services, you will be the processor in terms of the GDPR. As processor you are obliged to enter into a data processing agreement with the controller (Art 28 GDPR) and ensure an adequate level of data security by implementing appropriate technical and organizational measures.
Legal grounds for processing
The processing of personal data is only permitted when it can be based on one of the legal grounds listed in Art 6 GDPR. For marketing purposes typically the data subject’s consent or the controller’s legitimate interest can serve as legal ground for the processing. For sensitive or criminal data other legal grounds apply (Art 9, 10 GDPR).
When acting as controller you are responsible to show a correct legitimate legal ground for each processing activity.
Requirements for a valid consent
For a valid consent data subjects must be transparently informed about inter alia (i) what data will be processed (ii) by whom, (iii) the purposes of the processing, and (iv) the right to withdraw their consent at any time with effect to the future. Consent may be required e.g. for marketing activities, cookies or newsletter registrations. If consent is not obtained in a valid form (e.g. initial consent does not cover marketing or analysis purposes) the processing activity may be unlawful and subject to sanctions.
The DataChannel Platform enables you to collect and report data from various services. As such, the DataChannel Platform only processes personal data already provided by other services used by you. It should be ensured that existing documents (e.g. privacy notices, records of processing activities, consent forms) are updated to include the purposes pursued within the DataChannel Platform (i.e. marketing analysis).
Data Subject Rights
Data subjects have specific rights regarding their personal data like access, correction, deletion, objection etc (see Art 15 – 22 GDPR). As controller you are responsible to ensure that data subject request exercising these rights can be fulfilled in due time and in compliance with the applicable data protection provisions.
With respect to Art 22 GDPR, the DataChannel Platform does not currently allow for automated individual decision-making processes within the Platform. Should the DataChannel Platform enable such features in the future we will notify you accordingly.
PII warning & connected services
When you intend to configure data connectors that may process PII, you will receive a notification outlining additional information regarding a data protection friendly use of these connectors and if consent of the data subject is likely to be necessary. In such cases additional features to anonymize or pseudonymize PII are available and it is within the controller’s responsibility to apply them.
As customer you are responsible to only use such services that are compliant with data protection laws. When connecting custom databases or third party services with generic APIs, special caution is necessary to only process such personal data that has been obtained lawfully and for the intended purpose.
The DataChannel Platform gives you the tools to select privacy friendly settings and process personal data only on a need-to-know basis (see point 9 below). The connectivity page of the connected service contains links to the websites of the connected service. It is recommended to follow the privacy guidelines published there as well.
Technical and organizational measures for data security
The DataChannel Platform assists you with the implementation of appropriate technical and organizational measures for data security (see Art 32 GDPR). You may use the following features to add to a data protection friendly use of the platform:
- access restrictions,
- usage logs,
- configuration of data retention schedules, and
- pseudonymisation or anonymization of data.
Access restrictions & user roles
In accordance with the principles of integrity and confidentiality access to personal data shall be restricted and secured to prevent unauthorized disclosure or use of personal data. Within the DataChannel Platform appropriate user roles and access authorization should be set up to limit access to personal data to persons on a need-to-know basis (when sharing PII with your employees as well as third parties). Further, personal data shall not be processed for purposes other than they were collected for unless a legal ground exists in this respect.
In order to maintain the security, confidentiality and functionality of the DataChannel Platform, activities and interactions with the product and the contained data are recorded in a usage log. This usage log may contain personal data of users such as usernames, IP addresses, timestamps and actions taken. Additionally, cookies are placed when using the DataChannel Platform (i.e. when used by your employees) for these purposes and the functionality of the browser session. The use of usage logs also requires a legal ground and legitimate purpose for processing (e.g. investigate unauthorized data accesses or data protection incidents). Also, you may have to inform your employees and customers of such processing activities.
DataChannel does not have access to this usage logs unless you require our further assistance within the service contract and provide us with this information (such access may require further data protection measures).
The DataChannel Platform enables you to adjust data retention periods and set up regular deletion schedules. In accordance with data protection principles, storage of the data should be limited to the legitimate purposes. In this respect it may be helpful to use deletion schedules, defining the relevant timing for deletion, and to only retain anonymized summaries where possible.
Pseudonymisation and anonymization of data
Besides the deletion of data, pseudonymisation and anonymization may add further to the minimization of personal data. We recommend reviewing the pseudonymisation and anonymization options when configuring connectors featuring PII.
Confidentiality and data secrecy
Independent of their role as controller or processor, employers must impose data secrecy obligations on their employees (in Austria: § 6 Data Protection Act). Device management policies restricting data access or transfers as well as prohibitions on mobile data storages and mobile access can further reduce the risk of a breach of confidentiality. Employee trainings on data protection increasing the employees’ data protection awareness may form an integral part of a company’s internal compliance efforts.
Transfer of personal data
When you transfer personal data to another (group) entity acting as controller this also requires a legal ground as described above. Additionally such transfers to non-EEA countries which do not have an adequate level of data protection may require additional measures to ensure data protection compliance (e.g. conclusion of EU Standard Contractual Clauses).***