As a business owner, website admin or organization that offers goods or services to (or monitors the behavior of) EU data subjects, you will have to comply with it. Therefore, if you have customers or visitors residing in the European Union, you have to respect the GDPR no matter where you are actually located.
Here are some nice reads to consider on this topic:
1. What is GDPR?
The General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. In short (and in plainer terms): the GDPR replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens and to reshape the way organizations across the region approach data privacy.
Date of effectiveness: 25 May 2018 – from that date, organizations that are not in compliance may face heavy fines.
Here is a clear and easy-to-understand infographic published by the European Commission: http://ec.europa.eu/justice/smedataprotect/index_en.htm
2. What data can we process and under which conditions?
3. What are my rights as a user?
You have the right to:
To exercise your rights you should contact us at email@example.com and we will respond to your requests without undue delay and generally within 1 month at the latest.
You may be asked to provide information to confirm your identity (such as clicking a verification link or entering a username or password) in order to exercise your rights.
These rights apply across the EU, regardless of where the data is processed and where the company is established. These rights also apply when you buy goods and services from non-EU companies operating in the EU.
We are fully aware of the trust you place in our product and team and our responsibility to keep your data and privacy secure. Therefore, we are transparent regarding the information we collect when you use our products and services, why we collect it, and how we use it to improve the service for you!
5. Data Privacy
We protect your account data in multiple ways:
6. Privacy Controls
We provide controls to all our Customers that own a website and to their Visitors, so that they have more control over how their data is collected by us:
7. Processing operations
With regard to our App, depending on who the Data Subject is, the Personal Data entered will be subject to basic activities such as: customer registration for use of our App; giving the Customer the ability to edit their information and statistics; export of statistics; exclusion of the Customer's own visits from the Customer Website statistics; and Customer account management.
The Customers' activity and information concerning the use of our app may be tracked, but only for performance purposes (e.g. app installation time, app deletion time, subscription status). Each Customer can contact us at any moment to obtain all the information that we gather about them, or control their personal data by reviewing the settings area in their Account.
8. Categories of Data Subjects
The categories of Data Subjects affected by the Processing are Customers (website owner); third parties related to Customer such as employees or other authorized persons; Wix; and persons authorized by us such as employees or other authorized Personnel.
9. Categories of data
Depending on who the Data Subject is, the Personal Data entered concern the following categories of data: name; company name; email address; timezone and website for each website owner (Customer). This data can be edited at any time by the Customer.
10. Sensitive data
We do not anticipate that sensitive data will be Processed.
11. Use of IP addresses
All computers and devices connected to the Internet are assigned an Internet Protocol (IP) address. An IP address is commonly used to identify the country, state and city from which a device is connecting to the Internet. We use IP addresses to provide website owners with an approximate geolocation of their Visitors.
The IP Anonymization option gives website owners using our app the choice not to store IP addresses while still obtaining their Visitors' approximate location.
12. Data-sharing settings
Within our app the Customers cannot share their account data with other products and services unless they give access to someone to their Wix Website. The provision of our services involves the Processing of Personal Data within the framework of the Contract and the Customer (website owner) shall remain the responsible body for the Processing of Personal Data, for assessing the legal admissibility of Processing the Personal Data and for respecting the rights of Data Subjects.
13. Control over data
All website owners using our app own both their account data and their Visitors' data. They can export reports at any time as a CSV or XLSX download, or by contacting our support at firstname.lastname@example.org, and use the data as they wish.
Website owners can also set up their e-mail preferences, reset their Visitors' data or delete their account at any time.
14. Our team access to your data
All the data that we gather for our Customers is confidential information. Our employee access controls protect Customer data from unauthorized access; we use a dedicated script to access a website owner's data (both account data and their Visitors' data) and conduct audits to ensure the controls are enforced.
Access to a Customer's account data may be granted on a strict need-only basis to employees who require specific access to perform their jobs, or at the request of a Customer in order to help or provide support. Employees requesting access must explain why they need it, follow our internal privacy policies, and receive approval before they can access the data.
Customer Service Representatives may not access Customers' data without explicit permission from the Customer and may only use the devices and networks provided by us, unless they are attempting to fix a technical fault.
15. Information Security and disaster recovery
In order to minimize any chance of a security breach, data loss or disaster, we have implemented appropriate technical and organizational measures to protect the Personal Use Data that meet the requirements of Art. 32 GDPR. In particular, we have implemented technical and organizational measures to provide the ongoing confidentiality, integrity, availability and resilience of processing systems and services. The technical and organizational measures are described in Exhibit 2 of the Data Processing Agreement. The Customer has knowledge of these technical and organizational measures and is responsible for ensuring that they provide an appropriate level of protection for the risks of the Personal Use Data being Processed.
We may update or modify the measures listed in Exhibit 2 from time to time provided that such updates or modifications do not result in any material degradation of the security of the Personal Use Data.
We will notify Customer without undue delay after becoming aware of a Security Incident and assist Customer with its third party notification and communication obligations, taking into account the nature of Processing and the information available to us. However, Customer is solely responsible for fulfilling any third party notification and communication obligations. We will take, where appropriate, measures to mitigate the possible adverse effects of the Security Incident.
In the event of any loss of or damage to Personal Use Data, we will use commercially reasonable endeavors to restore the lost or damaged Personal Use Data from the latest back-up of such Personal Use Data maintained by us in accordance with our standard archiving procedures.
We shall not be responsible for any destruction, loss, alteration or disclosure of personal data caused by any third party (except any third parties subcontracted by us to perform services related to Personal Use Data maintenance and back-up).
16. Data Processing Agreement
We meet the requirements of the GDPR, the new data protection law coming into effect on 25 May 2018. In summary, the GDPR applies to any business (within the EU or with EU Customers) that processes personal data by automated or manual processing (provided the data is organised according to criteria).
In order to sign our Data Processing Agreement, please:
Once signed, you can also download it and keep it for your own records.