GDPR Compliance

The purpose of this page is to give you a clear view of the legal implications of licensing one or more solutions from our Footprints for Retail product.

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). Article 5 of the GDPR sets out the six principles of data protection. These principles are the foundation of the GDPR and require that personal data is:

— processed lawfully, fairly and in a transparent manner;
— used only for the purpose for which it was collected (and that purpose is expressly specified and legitimate);
— adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
— accurate and, where necessary, kept up to date;
— stored for no longer than is necessary for the purpose for which the personal data is processed;
— and processed in a manner that protects the security and confidentiality of the personal data.

We operate within this framework, where the controller of the personal data is responsible for complying with the above six principles. Furthermore, the controller must be able to demonstrate compliance with these principles (the accountability principle), so it is important that appropriate policies are in place and documented.

Privacy By Design & Privacy By Default

We implement technical and organizational measures at the earliest stages of the design of our processing operations, in a way that safeguards privacy and data protection principles from the start (‘data protection by design’). We ensure that personal data is processed with the highest level of privacy protection (for example, only the data necessary is processed, storage periods are short, access is limited) so that by default personal data is not made accessible to an indefinite number of persons (‘data protection by default’).

Privacy by Design means that any action a company undertakes that involves processing personal data must be carried out with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems and much more. In practice, the IT department, or any other department that processes personal data, must ensure that privacy is built into a system during the whole life cycle of that system or process.

Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user. In addition, any personal data provided by the user to enable a product’s optimal use should only be kept for the amount of time necessary to provide the product or service. If more information than necessary to provide the service is processed, then “privacy by default” has been breached.

Data Controller / Data Processor Relation

The data controller determines the purposes for which, and the means by which, personal data is processed. So, if your company decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller.

Your company is a joint controller when, together with one or more other organizations, it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.

The data processor processes personal data only on behalf of the controller.

Specific to our solutions, the activities we undertake are legally framed as follows: we act as a data processor for Omnichannel CRM, Location Based Marketing and Loyalty App, and as a joint controller for Ecosystem Analytics. The duties of the processor towards the controller, and the respective responsibilities of joint controllers, must be set out in a contract or another legal act. We therefore propose specific Data Processing Agreements that clarify the role of every company involved.

Data processing for marketing purposes

For the purposes of direct marketing, personal data is often gathered from the data subject (the customer). For instance, when shopping for some items, an individual leaves his/her contact details and asks to be notified about new merchandise.

Personal data must be processed lawfully and fairly, and only to the extent necessary to achieve the purpose of direct marketing. The GDPR requires that the data processed is adequate for, and proportionate to, that purpose. The authenticity and accuracy of the data must be ensured. Data must be kept no longer than is required to achieve the direct marketing purpose.

The direct marketing provider (the controller) is obliged to:

— Provide complete information to the customer about the sources of the data;

— Provide the customer with its contact information;

— Give the customer the opportunity to request that the use of their data be stopped, through the same channel used for direct marketing, and/or define available and adequate means for such a request (e.g. when sending a commercial notification, indicate a telephone number or a website where one can refuse to receive such notifications);

— Take organizational and technical measures that protect the data from accidental or unlawful destruction, alteration, disclosure or unauthorized access, from any other form of unlawful use, and from accidental or unlawful loss;

— Cease processing the customer’s personal data for direct marketing purposes on request (even where direct marketing is carried out via advertising agencies), which includes deleting the data from the database and stopping the notifications.

What is personal data?

Personal data is defined in the GDPR as: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

The GDPR covers the processing of personal data in two ways:

— personal data processed wholly or partly by automated means (information in electronic form); this is our case, since all data collected by our tools is processed electronically;

— personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (manual information in a filing system).

Examples of the types of personal data collected in electronic form by our tools:

— Classic data: name, surname, date/place of birth, address, telephone number, profession, etc.

— Digital data: email address, social media profiles, etc.

— Sensitive (special category) data: biometric data (photos of the user). Note that under the GDPR a photograph counts as biometric data only when it is processed through specific technical means that allow the unique identification of a natural person; where that is the case, Article 9 requires an additional legal basis, such as the explicit consent of the data subject.

Sharing the data with third-party apps

At this moment we use three types of integrations:

— Integration with client owned digital properties (websites, loyalty apps, other data collectors)

— Integration with direct marketing apps that deliver emails and SMS messages (Telcor & Campaign Monitor)

— Integration for remarketing and reporting purposes with Facebook, Google and LinkedIn services (through Footprints for Retail App or API).