Going into effect on May 25, 2018, a new privacy law called the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on organizations that market to, track or handle EU personal data, no matter where an organization is located.
A new comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” covers any information relating to an identified or identifiable individual (also called a “data subject”).
You can find additional information about GDPR on the official EU website for GDPR.
SOOMLA has been working relentlessly internally and with our existing customers to ensure our commitment to data protection. We have closely analyzed the requirements of the GDPR in order to assist our customers' with the guidelines for compliance.
To this, we have created a data processing addendum which you can find and execute here (DPA).
We have been certified (SOOMLA's Certification) under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks in order to provide a valid transfer mechanism for the information that we collect from you when you open a user account with us. If you wish to use the Standard Contractual Clauses in connection with such transfers, please also execute our standard contractual clauses here.
We've added a pre-signed data processing addendum from SOOMLA to our customers - here
With respect to the end user data that we process for you SOOMLA is considered to be a Data Processor. A data processor is an entity that processes information only in accordance with instructions from its controller, in this case, our clients, and according to the data processing addendum. A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data.
SOOMLA uses Amazon Web Services (AWS) cloud and other service providers that process information in the US. Due to the fact that some of our customers have data subjects (users) in Europe, we made it a priority of ours to obtain a Privacy Shield Certification and are in the process of doing so. EU-U.S. and Swiss-U.S. Privacy Shield frameworks, a mechanism that has been approved to facilitate the transfer of personal data outside the EU/ Switzerland.
Certain optional features offered by SOOMLA might require you to acquire consent from your end users. Starting with version 2.6.0, we are providing customers the ability indicate users’ grant or revocation or consent. This may be relevant e.g. for pipelining data into Facebook and using Soomla Insights.
If you still have any questions at all, feel free to reach out to us and we'll settle all your inquiries.