Securely respecting privacy: your GDPR-compliant campaigns.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation, better known as GDPR, is the European Union regulation that replaces the directive on the protection of personal data issued in 1995.
The regulation, available online in its complete version on the CNIL website, represents the new standard for the protection and respect of personal data and has some main objectives:
- assigning citizens control over the use made of their data;
- making companies aware of their activities and procedures related to the processing of users’ and customers’ data;
- standardizing at the community level the regulations and rules on data protection defined by individual States.
Which subjects are involved in GDPR?
GDPR concerns all types of activities, without any differences related to the corporate form: the regulation applies to public and private entities, with or without a profit purpose, B2B or B2C.
What are the main new features introduced?
The main new features introduced by the GDPR concern the rules on the processing of personal data: from May 25, 2018, processing cannot be unlimited in time but must be functional and consistent with the reason for which personal data was collected.
The consent of users and customers must be explicit: consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The entities collecting data must explain the collection and use methods clearly and simply.
New rights for users
The GDPR defines some new rights of data subjects regarding access and protection of data:
- right of rectification: the data subject may request that their data be modified or corrected.
- right to be forgotten: the data subject may request that their data be permanently deleted.
- right to data portability: the data subject may request that their data be transmitted to another entity (e.g., a competing company).
- right of objection: the data subject may request that their data be specifically used only for certain purposes or processing.
- right of access: the data subject has the right to know all their data that has been collected and the use that is being made of it.
A new definition of consent
The main provision to remember is a new definition of consent which must be “freely given” and take the form of a “positive action” for each use that will be made of personal data. The GDPR has essentially prohibited two practices that were quite common in the past, namely opt-out and passive opt-in:
- opt-out is the practice of automatically subscribing a user to a list, leaving it up to them to unsubscribe;
- passive opt-in is instead the situation where, in a registration form, the boxes are already checked by default.
Opt-in is therefore the only legitimate way to obtain explicit consent, and only lists obtained in this way can be used legally.
From this point of view, the GDPR requires some actions from those who carry out digital marketing:
- first of all, it is necessary to insert additional opt-ins in the forms, depending on each different use that is made of the data that is collected: newsletters, automated or transactional emails, user profiling…
- moreover, it is necessary to request a new permission from your users every time you want to use their data in your possession in a way that is different from what was expressed at the time of collection.
What does Infomail do to comply with the GDPR?
First of all, let’s clarify the roles precisely: Infomail’s customers are and remain the Data Controllers.
To accept the use of the Infomail platform, it is necessary to appoint Hoplo, the owner of the Infomail technology, as the Data Processor.
This is why, when activating the account, before being able to upload a list of email addresses, that is, before making Personal Data available on the platform, it is necessary to appoint a Data Processor.
We treat the data of users and customers with extreme care and in full compliance with the rules.