The General Data Protection Regulation (GDPR) went into effect 25May 2018 and aims to reshape the way in which organizations approach data privacy. It provides for greater harmonization throughout the EU and implements a number of changes to enhance data privacy rights. It is important to know how the GDPR affects how you handle personal data within your organization and how third-parties process personal data on your behalf.
How does Thunderhead ensure it complies with the GDPR?
Thunderhead has worked diligently with its legal counsel and industry experts to ensure it understands its primary role as a data processor (i.e. the entity processing personal data on behalf of its customers) in respect of its core business activities. We have trained our workforce on GDPR requirements and conducted a detailed data mapping exercise to understand exactly how the GDPR will affect our core business. As a result of this exercise, we have produced a GDPR compliant Data Processing Addendum to give our clients piece of mind that we process their personal data in accordance with applicable data protection legislation along with updated Data Protection and Security, and Privacy policies to show what technical and organizational measures we implement.
Does Thunderhead ensure it implements privacy by design practices?
Yes. Thunderhead adopts measures to ensure that it considers and integrates data compliance measures into our data processing activities, and product development where we introduce a new technology or a new data processing activity.
Does Thunderhead transfer data outside the EU?
Where our customer is based inside the EU, Thunderhead does not transfer personal data to any country outside of the EU without prior written consent from the customer, except for transfers to and from: (i) any country which has a valid adequacy decision from the European Commission (which guarantees appropriate safeguards are already in place); or (ii) any organization which ensures an adequate level of protection in accordance with the applicable data protection laws and regulations.
Thunderhead operates its services from Microsoft Azure and data is stored only on servers within the EEA. Azure is a fully certified and regulated data-center & cloud security platform. Azure’s ISO27001 and other industry recognized certifications can be reviewed at the following link: https://www.microsoft.com/en-us/trust-center/compliance/compliance-overview
When we use the Thunderhead services, what role does Thunderhead play in respect of processing personal data about our customers?
In respect of its core business activities, Thunderhead acts as a “data processor”, which means we only process personal data on behalf of our clients and act on their instructions. Our clients are “the data controller”, which means they determine the purpose and manner in which any personal data is processed. As a data processor, Thunderhead must assist its clients to fulfill their obligations under the GDPR.
What are my responsibilities when using Thunderhead services?
Our clients are “the data controller”, which means they are responsible for the collection, accuracy, quality, and legality of Personal Data (e.g., ONE customers are responsible for managing opt-in/out status and consent) and the means by which they acquire Personal Data. For example, when establishing the legal basis for collecting personal data, controllers may need to evaluate if the basis falls under “Consent” or “Legitimate Interest.” If using consent as a basis, the controller will need to have clear policies that inform individuals why data is being collected, how the data will be used, their rights, and how the data will be shared so they can make an informed decision.
Determining the basis as legitimate interest would require balancing the interests of the data controller against those of the individual using a three-part test:
Purpose test: are you pursuing a legitimate interest?
Necessity test: is the processing necessary for that purpose?
Balancing test: do the individual’s interests override the legitimate interest?
Legitimate interest is more flexible than the other GDPR lawful basis for processing and is commonly used for activities such as marketing where there would be a minimal privacy impact to individuals and the marketing would be of interest to the individuals.
If my company operates outside the EU, does the GDPR still apply to me?
GDPR Article 3 “Territorial Scope” establishes that the GDPR applies to organizations outside the EU if that organization is processing personal data in relation to the offering of goods or services to individuals in the EU or monitoring their behaviour in the EU. Given the global nature of online activity, this extra-territorial effect is likely to capture a number of non-EU companies. For example, a company based outside of the EU that is targeting a specific demographic outside of the EU and is not explicitly marketing its services to EU residents may not necessarily be subject to the GDPR. Conversely, if the same company were to update its website to include EU language translations or international options for payment or contact, it may meet the criterion to comply with the GDPR. If unsure, we recommend obtaining expert legal counsel to avoid potential GDPR compliance issues.
How does Thunderhead help its customers be compliant with the GDPR when using the ONE Engagement Hub?
The Thunderhead services ensure that control over personal data rests with the client to easily identify what personal data we are processing and respond to any requests from customers as and when required.
What are Thunderhead’s data retention periods and can I specify new limits?
Under normal usage all customer data has a natural 13 month expiration date in the system. Refreshing or updating that data will reset the retention period. Thunderhead services allow you to completely remove data from ONE for a specific customer identifier on-demand.
After termination of our services, Thunderhead’s standard policy without exception is to provide a 30 day period for its customers to retrieve any customer data submitted via the Thunderhead services. The data is then securely overwritten or deleted.
Can I request that previously collected EU citizen data be erased?
There is no prohibition on processing EU citizens’ personal data. The GDPR does not require organizations to delete data which they currently hold on EU citizens if clear and specific consent was given to process the data. If you want to erase EU citizen data, you can do so on a case-by-case basis using the ONE API. Please contact us to discuss options for bulk erasure.
How can I support an individual’s right to be forgotten?
If you receive a right to be forgotten from one of your customers, the Thunderhead services allow you to erase the relevant data which has been submitted via the Thunderhead services.
ONE provides a simple facility to completely remove data from ONE for a specific customer identifier. Therefore, as and when a customer issues a request to be forgotten, the brand simply needs to ensure that the removal process includes triggering the deletion of customer data from ONE for that individual. This can be as part of a manual process or triggered through an automated API call to ONE. ONE customers are responsible for managing opt-in/out status and consent after removal.
Does using Thunderhead’s services result in “profiling” and does that require special consent from our customers?
Profiling is defined broadly as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement”, which would include the Thunderhead services.
However, the GDPR does NOT prohibit profiling as long as there is a lawful basis for it. What the GDPR does prohibit is using profiling to make automated decisions without an individual’s consent that would result in legal or similarly significant effects to the individual.
Customers should be informed of the existence and consequence of profiling (which can be achieved via your privacy and cookies policy) and any automated decisions made from such profiling activity. Individuals have a right to object to profiling and not to be subject to a decision based solely on automated processing which results in legal effects concerning that individual.
An advertising campaign, for instance, would typically not be considered a form of “automated decision making” that would have legal effects on an individual in contrast to an automatic refusal of an online credit application without human intervention.
How can I support a right of data access and/or data portability request?
Customers should submit a service “ticket” to Thunderhead when a data subject makes a request. Taking into account the nature of the Processing, Thunderhead shall assist customers by appropriate technical and organizational measures, insofar as this is reasonably possible and technically feasible, for the fulfilment of customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
Does this mean I can no longer use anonymized data to provide useful analytics regarding our customers’ use of our website and apps?
No. If the data you are processing is truly anonymized, the GDPR does not apply and you can use such data freely.
Can I continue to use third-party cookies and tags to help understand our customers and tailor marketing content for them?
Is Thunderhead Privacy Shield certified?
Yes, Thunderhead complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.
View our certification here
Where can I find more information about the GDPR and who do I contact if I have further questions?
To learn more about the GDPR and how it applies to you, you can visit the official EU Commission’s website.
Members of the Thunderhead group have appointed Patrick Wade as our Data Protection Officer who can be reached at firstname.lastname@example.org in the event you have any questions relating to how we handle personal data.