GatherUp takes data privacy very seriously, and we view the GDPR as an opportunity to enhance our commitment to data protection for the benefit of our customers.
In effect from 25 May 2018, GatherUp will Process Personal Data in accordance with GDPR requirements (https://www.eugdpr.org/).
1) Does GDPR affect me and my business?
If you have customers in the EU, or plan to have customers in the EU, then yes.
2) My business is not based in the EU – do I need to be GDPR compliant?
Any business that collects, processes or handles data from the EU will need to comply with the GDPR regardless of whether they are physically located within the EU.
That said, we are not able to provide legal advice and highly recommend that you refer to your legal counsel or an applicable data supervisory authority for full details on whether you will need to comply with the GDPR.
You may find the following two resources helpful.
3) If GatherUp is GDPR compliant, does this also mean that my business is GDPR compliant because we are a GatherUp client?
All data you collect using GatherUp via Kiosk Mode and Unique Feedback URL is GDPR compliant as of May 25, 2018.
However, we cannot confirm that any customer data collected and processed outside of our platform and prior to importing into GatherUp is GDPR compliant.
In other words: If “you” upload a customer list or add a customer manually we cannot confirm that “you” obtained GDPR compliant customer permission first.
4) What should I do about my legacy contacts?
New and explicit permission will have to be obtained before sending emails or text messages to your legacy contacts using GatherUp “unless” you have a record of their consent to receive such communication from you.
#1) Check your workflow, signup and other processes to ensure that all customer information and data is in compliance with the GDPR.
#2) Check your privacy policies, terms of service and other publicly visible pages detailing your service to ensure that you are transparent about collecting, sharing and usage of your customer data.
#3) Your customers have the right to know how their personal data is being processed. Clearly define all processing activities by you and disclose any third parties processing on your behalf.
#4) Check your forms to ensure the above-mentioned information is available and provided when collecting new customer information.
5) Where does GatherUp store and process data?
GatherUp stores data in its secure AWS data centers in the United States (US). For resellers of GatherUp and digital agencies we recommend adding a clause stating that the data is uploaded with their full knowledge and consent and that they agree it will be processed outside of the EU.
As per GDPR rules you will need to update your “own” terms of service and disclose all Sub-Processors that “you” use for “your” customer data. In order to protect your white-label you can use “EarlyEcho LLC with AWS DataCenter in the United States”. Early Echo LLC is the holding company that owns GatherUp.
6) Does GDPR apply to UK Businesses?
Until March of 2019, the UK remains an EU member state, so GDPR compliance applies to businesses based in the UK, or those collecting and processing data from the UK.
7) Does GatherUp offer a Data Processing Agreement?
GDPR law specifies that the Controller (you) is responsible for Data Processing Agreements (DPA) with third party processors you may use.
You as the controller would need to specify the subject matter, nature and purpose of the processing for “your” customers. We as processor act only upon a controller’s instruction according to GDPR laws.
Please submit your DPA to us via support@GatherUp.com or dpo@GatherUp.com.
8) I have further questions about GatherUp and GDPR
We are happy to answer any questions you may have. Please email us at support@GatherUp.com.
9) Additional GDPR Compliance Information
1) In effect from 25 May 2018, GatherUp will Process Personal Data in accordance with GDPR (General Data Protection Regulation) requirements. https://www.eugdpr.org/
2) GatherUp is a “processor” by definition of the GDPR.
Definition: A processor is a natural or legal person or agency that processes data on behalf of a controller. “Processing” is defined very broadly in the Directive to include collection, use, storage, manipulation, disclosure, disposal, and virtually any other action with personal data.
GatherUp processes data as delegated by the “controller”.
Definition: A controller is the natural or legal person or public agency that “alone or jointly with others” determines “the purposes and means of processing” personal data.
The GDPR defines the data controller as the principal party for responsibilities such as collecting consent, managing consent-revoking and enabling right to access. A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request.
3) Data Protection Impact Assessment. In effect from 25 May 2018, upon Customer’s request, GatherUp (processor) shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to GatherUp.
4) GatherUp shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified by the GDPR.
5) Notification of Sub-processors and Objection Right for New Sub-processors. Customer acknowledges and expressly agrees that GatherUp does engage Sub-processors and that GatherUp may engage new Sub-processors at any time. All current Sub-processors have expressed their intention to be GDPR compliant by May 25th. List of current Sub-processors: SendGrid for Email delivery, Twilio for SMS delivery, Amazon AWS for data storage, Paypal Pro for payment processing, Campaign Monitor for Welcome and Marketing emails.
6) GatherUp maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by GatherUp or its Sub-processors of which GatherUp becomes aware (a “Customer Data Incident”).
GatherUp shall make reasonable endeavors to identify the cause of such Customer Data Incident and take those steps as GatherUp deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within GatherUp’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
7) Information collected by Account Owners and Users. Account owners and Users can store data that may contain Personal information in “Customer Notes”, “JobID”, “ExtraField” and “CustomField”. GatherUp has no direct relationship with the individuals whose Personal Data it hosts as part of those entry fields. Each Account owner is responsible for providing notice to its customers and third persons concerning the purpose for which the Personal Data is stored and how this Personal Data is processed.
8) Information collected by GatherUp. GatherUp collects the name, email address, mailing address, mobile phone number, and credit card information upon signup. GatherUp uses this information for administrative purposes and billing. GatherUp may also use the information to understand and analyze usage and preferences in order to improve the product and functionality. Data is only used in anonymized or aggregated form.
9) In compliance with GDPR Article 37, GatherUp has a designated DPO available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights. Please contact dpo@GatherUp.com.