There are two parts to this article:
What we're doing as a 'data processor' to comply with GDPR (part 1)
General information:
1. Is Dotdigital GDPR compliant?
Dotdigital complies with its obligations under the GDPR. Specifically, as a processor, we have taken steps to ensure that we comply with the requirements of Article 28 of the GDPR. These are primarily set out in our data processing addendum.
Specifically:
We have implemented appropriate technical and organisational security measures to meet the requirements of the GDPR, guaranteed in our contract
In accordance with our DPA (Data Processing Agreement, we only engage sub-processors with client authorisation and ensure the same obligations are imposed with any sub-processor
The processing we undertake is governed by a written contract, documenting client instructions and ensuring the confidentiality of data, as well as ensuring compliance with Articles 32-36 GDPR (relating to notifications, security and assistance with compliance)
GDPR compliance is an ongoing exercise and we are constantly reviewing and updating our practices.
2. Is Dotdigital a controller or a processor?
For the data provided by our direct clients within the Dotdigital platform, Dotdigital is a data processor (as defined by the GDPR). For the data we hold on clients and prospects, we are a data controller.
3. Is Dotdigital a joint controller?
No, as the name suggests joint controllers determine the purposes and means of processing data together or jointly. As the data processor, Dotdigital does not determine the purposes and means of processing the data that clients supply to the platform.
4. Can we search for personal data on your systems?
Dotdigital holds the data that our users have uploaded with the platform in a database. Our users have full control and access to their data, including the ability to search, import, export, delete and modify the data as needed.
5. Are you maintaining data processing records?
All data uploaded with the platform is kept within the Dotdigital platform, and clients have full control of the data within the platform, as outlined above.
In our capacity as the Data Processor, we maintain records of business activities that involve the collection, storage, processing, and potential disclosure or sharing of personal data. Clients are expected to maintain their own records as a Data Controller. It is likely to have several different purposes for processing personal data.
6. Who has access to our data?
Clients must maintain their own procedures as to who can access the Dotdigital platform and the data held there.
If you have users that you manage, then you'll probably want to restrict their access within your account. You can do this by editing their permissions.
Dotdigital staff have access to your account to provide support and assist in the provision of the services.
Deletion of data:
7. For how long does Dotdigital keep data?
All data is kept until either:
You delete it, via the app or the API (see below); or
You close your account, where any remaining data is held for 90 days before deletion
You can optionally choose to expire pending contacts 30 days after our last contact attempt.
8. Can we delete personal data from your systems?
Yes, you can delete data in your account at any time (including when responding to a request for a data subject to be “forgotten”).
In December 2017, Dotdigital made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten.
9. Can you confirm our right to have personal data deleted upon termination of contract at no extra cost?
At the end of a contract, all client accounts are terminated, and associated data is deleted after 90 days. The platform enables clients to delete data during the term of the contract through the platform and in response to a request to be forgotten at no extra cost.
10. How is data deleted?
When deleting a contact, the contact will be placed in the account's recycle bin for 30 days (unless manually removed from the recycle bin or in relation to a suppressed contact, which is immediate), after which time they're deleted permanently.
Subject Access Requests (SAR):
11. What will Dotdigital do if it receives a Subject Access Request from one of our clients?
If we receive a Subject Access Request from one of your clients (a data subject), we will pass on any request for data for which you are the data controller so that you can manage the request. We may identify you as the controller of their data.
In December 2017, Dotdigital made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten.
Data Processing Agreement:
12. Do your standard contract terms include the new GDPR mandatory provisions?
We have updated our terms and conditions to incorporate our data processing agreement (available for review here: https://dotdigital.com/terms/data-processing-agreement/). This ensures that the processing that we undertake on your behalf is clearly documented by way of a written contract. Our document has been drafted to reflect the bespoke nature of the processing activities that Dotdigital undertakes on your behalf and at your instruction.
13. Does Dotdigital have a Data Processing Agreement?
Yes, we have updated our terms and conditions to incorporate our data processing agreement (available for review here: https://dotdigital.com/terms/data-processing-agreement/).
If you require a separate hard copy version of this document, please reach out to your account manager or contact privacy@dotdigital.com.
14. I have a Data Processing Agreement – can Dotdigital agree to that?
We understand that our clients have undergone due diligence and may have prepared their own Data Processing Agreements for their suppliers to sign.
However, given the nature of the services Dotdigital provides our clients and the need for processing activities to be documented, we require clients to use Dotdigital’s Data Processing Agreement, as this has been prepared to cover the specific services Dotdigital provides.
Data breach:
15. Do you have a documented breach notification process?
Our process for reporting breaches concerning the data of individuals is addressed in our Data Processing Agreement and more specifically addressed in our Incident Reporting Policy.
16. What will Dotdigital do in the event of a data breach?
In relation to the data our clients store with us (where we are a data processor), we will notify any affected client (data controller) of a personal data breach as soon as practically possible, and in any event, within 24 hours of discovering the breach.
In the event of data breach of data relating to our direct clients (where we are a data controller), we will report any data breach within 72 hours to the Information Commissioner’s Office if a breach is likely to result in a high risk to the rights and freedoms of individuals.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, Dotdigital will also inform those individuals without undue delay.
Data Protection Officer (DPO):
17. Does Dotdigital have a DPO?
Yes, Dotdigital’s nominated Data Protection Officer is Stephenson Law Limited. Any request may be addressed to them via post or via email:
Mr Yousif Rajah
Dotdigital
1 London Bridge
London
SE1 9BG
privacy@dotdigital.com
Sub-processors:
18. Do any other organisations (including sub-contractors, contractors or consultants) process any of the data provided by our clients on our behalf?
Yes, Dotdigital works with third party providers/sub-processors for providing the services we offer or storing your data (personal data). Dotdigital uses sub-processors to perform various functions as explained in our Trust Centre.
A sub-processor is a third party data processor engaged by Dotdigital, including entities from within the Dotdigital Group, who has or may have access to, or process, client data. Third parties that do not have access to, or process, client data but who are used to provide the services as “subcontractors” are not sub-processors.
19. What steps do you take to safeguard the processing of our data by third-party organisations?
Further to the above, Dotdigital carries out a selection process where we evaluate the data processing practices of any proposed sub-processor that might have access to client data – this includes reviewing their security and privacy practices
Data protection laws permit sub-processors to be engaged, provided that the equivalent safeguards from client agreements are reflected with these sub-processors.
Dotdigital has entered into contracts with the organisations listed on our Trust Centre to ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations under the GDPR, passing down the measures of the EU Model Contract Clauses to ensure that all client data is protected.
20. How does Dotdigital replace or designate a new sub-processor?
The procedure to replace or appoint a new sub-processor is covered within our Data Processing Agreement with our clients.
We will provide you with advance notice of any changes or additions and give you the right to object (provided these are reasonable). Dotdigital will always ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations under the GDPR, passing down the measures of the EU Model Contract Clauses when working with parties outside of the EU.
Storage of data/international data transfer:
21. Where is our data stored?
To safeguard data confidentiality, integrity, and availability, the core Dotdigital platform is hosted on high-security Microsoft Azure data centres. Data for our European clients is held in the West Europe region, with data backed up to the North Europe region. All Azure facilities meet a broad set of compliance standards.
The Google Cloud platform is also used for some of Dotdigital’s more processing-intensive features, such as Insight data. Client data remains in the same region as the Dotdigital account; for Dotdigital accounts hosted in our Europe region, the data stored on Google's infrastructure is spread across their European region.
Regarding transfers, we commit to clients based in the EEA (in our terms) that data will be hosted and stored at rest within hosting facilities in the EEA. Our Trust Centre and DPA outlines our use of sub-processors and any access required from organisations outside of the EEA, and our DPA specifies that any processing carried out by sub-processors shall be done so in accordance with appropriate safeguards (including the EU Model Contract Clauses). The Model Contract Clauses alone are not enough to ensure protection under the GDPR, so we also stipulate that the provisions of the DPA will also flow onto sub-processors to ensure the obligations of the GDPR are suitably passed on.
22. Dotdigital development and testing platforms
Dotdigital is frequently updating our platform with feature enhancements and additions. We do this in development, testing and staging environments separate to the main platform. No client data is stored in our testing or development environments.
23. EU-U.S Data Privacy Framework for the general processing of personal data
This Dotdigital Data Privacy Framework Policy (“DPF Policy”) and the Dotdigital Privacy Policy (“Privacy Policy”) describes the privacy practices that we implement for Personal Data received from the EEA, UK and Switzerland in reliance on the DPF.
Dotdigital Inc & Fresh Relevance Inc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Dotdigital Inc & Fresh Relevance Inc has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Dotdigital Inc & Fresh Relevance Inc has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit: https://www.dataprivacyframework.gov/
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Dotdigital Inc & Fresh Relevance Inc commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Dotdigital Inc & Fresh Relevance at: Privacy@dotdigital.com
The Federal Trade Commission has jurisdiction over Dotdigital’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
In accordance with the Data Protection Framework (DPF) Principles, Dotdigital is committed to informing you about your rights, including the possibility of invoking binding arbitration under certain circumstances. Binding Arbitration is a dispute resolution process where an impartial arbitrator reviews the case and makes a decision that is legally binding for both parties. This mechanism can be used in situations where you and our organization are unable to resolve a dispute through other means, such as our internal complaint resolution process.
Some conditions under which you may invoke binding arbitration include:
If you have exhausted all other available dispute resolution mechanisms with our organization.
If your complaint has not been addressed or resolved within a reasonable time frame.
If you believe that our organization has not complied with the applicable data protection principles, and this non-compliance has caused you harm or damage.
To initiate the binding arbitration process, please follow the procedure outlined in our privacy policy or contact our designated data protection officer for more information. Please note that certain terms and restrictions may apply, as detailed in our privacy policy.
We encourage you to familiarize yourself with your rights and our dispute resolution procedures, as our organization is dedicated to ensuring the security of your personal data and maintaining a transparent relationship with you.
Subject to the remainder of clause 5 in our data processing agreement, dotdigital shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data without the Client’s written authorisation (such authorisation not to be unreasonably withheld, conditioned or delayed).
Client specifically authorises the engagement of dotdigital’s affiliates and associated group companies as Sub-Processors and also authorises the appointment of any of the Sub-Processors listed at https://dotdigital.com/trust-center/.
dotdigital shall ensure:
via a written contract that the Sub-Processor only accesses and processes Protected Data to perform the obligations subcontracted to it and does so in accordance with the measures contained in this DPA that is enforceable by dotdigital; and
remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
When any new Sub-Processor is engaged by dotdigital during the Term, dotdigital shall give Client 30 days’ prior notice of the appointment of any new Sub-processor, including details of the Processing to be undertaken by the Sub-Processor, via email.
Client may object (on reasonable grounds and only relating to data protection) to any new Sub-Processor appointed per clause 5.4. above within 14 days of dotdigital’s notice; If Client notifies dotdigital in writing of any objections to the proposed appointment:
dotdigital shall work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-Processor; and
where such a change cannot be made within 14 days of dotdigital’s receipt of Client’s notice, Client may by written notice to dotdigital with immediate effect terminate the Service Agreement to the extent that it relates to the Services which require the use of the proposed Sub-Processor. This termination right is Client’s sole and exclusive remedy to Client’s objection of any Sub-Processor appointed by dotdigital during the Term
In the event we are unable to resolve your concerns, you can contact our third party dispute resolution provider JAMS (free of charge). For UK individuals, the supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone at 0303 123 1113 or other channels as updated at https://ico.org.uk/global/contact-us.
Right to audit Dotdigital:
24. To what extent can clients audit Dotdigital's systems?
Dotdigital will facilitate client requests for audits and inspections. The terms of such audits can be found in the Data Processing Agreement in addition to our terms and conditions.
Technical and organisational security measures:
25. What security certification do you hold?
Dotdigital is ISO 27001 (Information Security), 27701 (Privacy), and 14001(Environment and Sustainability) certified. Our management system is independently audited by UKAS accredited certification bodies. Dotdigital also maintains Cyber Essential Plus certification.
26. What technical and organisational security measures does Dotdigital have in place?
Please see our Trust Centre for high-level information on how we protect the confidentiality, integrity and availability of the Dotdigital services and the data held on our platform.
Details of our technical and organisational security measures are provided below:
Security management:
Dotdigital employs a dedicated privacy and compliance team (with a nominated Data Protection Officer) to oversee the security, privacy and compliance programs of the organisation.
Personnel security (Human Resources security):
Dotdigital maintains starter/leaver policies and procedures which will include the conducting of background checks (where available) on employees joining the organisation, and revocation of access rights on termination of employment.
Physical and environmental security:
Dotdigital restricts access to workspaces, and to secure data centre facilities where information systems that process personal data are located, to identified authorised individuals.
Workstation security and server security:
Within Dotdigital, we:
Employ a maintenance schedule that facilitates the timely installation of security patches
Install and regularly update anti-virus software
Commission annual independent build reviews of workstations and servers
Use role-based permissions to restrict access to resources
Network security:
Within Dotdigital, we:
Deploy firewalls at network perimeters, running management-authorised rule sets
Maintain a vulnerability management program to regularly asses the security of network perimeters
Subject both internal and external networks to annual independent security assessments
Undergo annual independent technical security reviews, and shall maintain at a minimum the Cyber Essentials Plus Certification
Business continuity and disaster recovery:
27. What business continuity and disaster recovery policies and systems does Dotdigital maintain?
The Dotdigital platform is built using redundancy and load balancing at every level, meaning a single component failure should not result in a service disruption.
Data is backed up to a secondary location, hundreds of miles away, yet still in the same region complying with data protection obligations. In the event of a catastrophic event at the primary facility, the service will be restored in the secondary location.
How the Dotdigital platform helps with GDPR compliance (part 2)
Options added:
28. What are the changes within the platform?
We want to make sure that our clients have the tools that they need to be compliant with the GDPR. We are working on the platform to make the necessary changes.
In December 2017, Dotdigital made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten.
In April 2018, we added a feature for clients to store the consent text each contact agreed to when subscribing (for example, from your signup form), alongside the IP address of the computer they used and the date they did it. This means you can see exactly what a contact is happy to receive and cross-reference it with the permissions you hold on them. You can read more in our support article Record consent for your contacts.
29. What features will assist in responding to Subject Access Requests?
In December 2017, Dotdigital made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten. You can view and export the data you hold on both subscribed and suppressed contacts from November 2018.
30. How are we catering for multi-consent and preference centres?
At a product level, we are reviewing how our current preference centres serve our customers – and changes may come as a result. Multi-consent preference centres are currently supported by the platform, either self-serve by utilising data fields or address books, or through custom work using address books, data fields or Insight data. We are continually developing in this area and welcome any ideas you may have, so keep an eye on the roadmap for changes in this area.
Legal basis and using Dotdigital to help:
31. Can we document the legal basis we are processing the data uploaded to the Dotdigital platform?
If you are using consent as your legal basis, Dotdigital includes enhanced functionality around consent storage to allow a client to store additional information.
In April 2018, we added a feature for clients’ storing the consent text each contact agreed to when subscribing (for example, from your signup form), alongside the IP address of the computer they used and the date they did it. This means you’re able to see exactly what a contact is happy to receive, and cross-reference it with the permissions you hold on them. You can read more in our support article Record consent for your contacts.
32. Will we need to keep a log of the opt-in text at the time of consent?
We recommend capturing and storing what disclosures were provided to the data subject when consent was initially given to demonstrate that consent was informed and freely given. This is possible through platform enhancements for consent capture and management.
33. Do we have to know every subscribe and unsubscribe date if they have opted in and out?
As a data controller, you should know where, when and how you obtained the personal data of a data subject. The dates associated with subscribe and unsubscribe is available within our platform if using the ConsentInsight feature.
34. Can we determine which campaign led to an individual unsubscribing?
Dotdigital provides unsubscribe reports, details of which can be found here.
35. What should we do with a contact's data other than their status and email address when someone unsubscribes?
When a contact unsubscribes, they are moved to the suppression list. This means that you can no longer contact them through the suppressed channel, or channels, until the suppression is removed, either by the contact themselves, or by you.
36. Should we also remove their behavioural data if they unsubscribe?
The action of an individual unsubscribing or removing a contact from a mailing list will not remove their contact data from the platform. However, this data can be removed and deleted by clients within the platform using the delete functionality.
37. Are we going to be able to add the date of opt-in in Dotdigital?
In April 2018, we added a feature for clients’ storing the consent text each contact agreed to when subscribing (for example, from your signup form), alongside the IP address of the computer they used and the date they did it. This means you’re able to see exactly what a contact is happy to receive, and cross-reference it with the permissions you hold on them.
38. Is the 'Last subscribed' date actually when the recipient opted in or when they were last added into the account?
The ‘last subscribed’ date is just that: the last date they subscribed. If a contact resubscribes, this date gets updated. If an already subscribed contact is uploaded again, it won’t update. This date can also be manually added by a user.
Decision making/profiling:
39. Is the data provided by clients used to make automated decisions about data subjects?
Not within the platform; any ability to make automated decisions is entirely controlled by clients.
40. Is the right to opt-out of web behavioural tracking incorporated into Dotdigital's platform?
Dotdigital allows you to use the data you hold on your contacts to profile them (such as what email they should receive and when). If you have a contact who is exercising a right under the GDPR to not have their information processed for profiling purposes, the easiest and safest action is to unsubscribe them. This means you guarantee that Dotdigital won’t use their data for any profiling. However, it also means they won’t be able to receive any standard, non-automated campaigns.
If you have large numbers of contacts exercising their individual rights, you can create a new account and request us to turn off the segmentation, program and Web Behaviour Tracking tools. Note, however, that the send time optimisation tool may be considered as automated processing, and this can't be turned off.