The European Union implemented the General Data Protection Regulation (GDPR) on 25 May 2018.
Since then, two significant developments have impacted the GDPR: the European Court of Justice’s decision in a case known as Schrems II, and the United Kingdom’s exit from the European Union.
This article will detail how Constant Contact protects the information and data of European Union and European Economic Area (EU/EEA) customers and how Constant Contact supports its customers with compliance under the GDPR, even in light of the Schrems II decision. This article will also address the impact of the United Kingdom’s departure from the European Union on GDPR. This article does not require action.
European Union General Data Protection Regulation Compliance
Prior to the enactment of the GDPR, the European Union adopted the Data Protection Directive (officially known as Directive 95/46/EC) in 1995, which governed the protection of individuals with regard to the processing and movement of personal data. Under Directive 95/46/EC, personal data could be transferred to organizations in countries outside the European Union only if the receiving organization provided an adequate level of protection.
Directive 95/46/EC was repealed and replaced with the GDPR. The GDPR is a law which expands on original European Union data protection laws. The law was enacted 27 April 2016 and was implemented 25 May 2018.
On 16 July 2020, the European Court of Justice issued its decision in the Schrems II case, which impacted how companies transferred personal data internationally. The decision removed the United States’ Privacy Shield certification as a mechanism on which entities may rely when transferring data from the European Union to the United States. The decision, however, did leave intact reliance on the Standard Contractual Clauses as a mechanism to make such international data transfers.
On 31 January 2020, the United Kingdom left the European Union, and, as a result, is no longer governed by the GDPR. The United Kingdom adopted its own version of the GDPR (known as the UK GDPR), which substantially mirrors the requirements and penalties of the GDPR discussed herein. The United Kingdom also adopted and subsequently revised the Standard Contractual Clauses. The United Kingdom's Standard Contractual Clauses reflect that the United Kingdom is the country of origin when governing data transfers from the United Kingdom to the United States.
Why the GDPR Impacts Constant Contact and Customers
The GDPR impacts organizations and individuals in similar ways. There are several important differences to consider, however.
Constant Contact, like every marketing automation provider that has European Union customers, is impacted by the GDPR. The regulation governs the flow, procurement, and use of data between data controllers and data processors. Article 4 of the GDPR defines these roles as follows:
- Data controllers are those entities that determine the means and purpose of processing personal data.
- Data processors are entities and organizations that process personal data on behalf of the data controller.
The GDPR impacts organizations that meet at least one of the following conditions:
- The organization is based in the European Union and controls or processes personal data for EU/EEA individuals (also known in this capacity as data subjects).
- The organization processes personal data from individuals in the EU/EEA in relation to either the offering of goods or services to individuals in the EU or the monitoring of individuals in the EU.
As stated, the GDPR applies not only to organizations within the European Union. It may also apply to customers or organizations located outside of the European Union, depending on how they interact with EU/EEA individuals. This interaction includes, but is not limited to, anything from offering standard goods or services to monitoring individuals' data and behavior. Refer to the Recommended Customer Actions section of How the GDPR Impacts Constant Contact and You for more information.
How Constant Contact Abides by the GDPR
Constant Contact updated terms, privacy policies, software, and infrastructure when the GDPR went into effect 25 May 2018. Refer to How the GDPR Impacts Constant Contact and You for more information on Constant Contact's changes to software and policies.
For European Union and United Kingdom customers, Constant Contact does transfer data outside of the European Union. Data is mainly stored in data centers in the United States, and this data can be accessed by both United States-based and international personnel working for Constant Contact during the course of the customer relationship. When required by law, the Constant Contact subsidiaries supporting Constant Contact's global customer base shall enter into Standard Contractual Clause agreements with the EU/EEA subsidiary. When required by law, the Constant Contact subsidiaries supporting Constant Contact's UK customer base shall enter into Standard Contractual Clause agreements that comply with the UK GDPR.
Penalties for Violating the GDPR
Failure to comply with the GDPR will result in monetary penalties. There are two levels of fines for noncompliance, corresponding to the severity of the violation:
- For lesser violations, such as not reporting a data breach within the time specified by the GDPR, the fine is the greater of €10,000,000 or 2% of total global annual turnover.
- For more egregious violations, such as disregarding the GDPR's data processing rules, the fine is the greater of €20,000,000 or 4% of total global annual turnover.
In addition, if an organization violates multiple rules in the GDPR, the organization will be fined for only the most egregious violation, and not for each separate violation.
Rights and Protections Overview
The GDPR was crafted with privacy rights in mind, and the regulation's core tenets reflect this. These protected rights include, but are not limited to, the rights and protections expanded upon below.
Consent
With the GDPR, protections for consent were considered paramount. As a result, the conditions and qualifications for consent were substantially strengthened. The GDPR requires the following for consent:
- Organizations must speak and write plainly and may not use unclear, legalistic, or otherwise unintelligible terms and conditions.
- Requests for consent must be presented clearly and must be easily accessible.
- All requests for consent must clearly state the purpose for which consent is requested.
- Consent must be as easy to withdraw as it was to give.
The Right to Access
The GDPR provides individuals with rights and safeguards regarding access to their personal data. Specifically, the GDPR does the following:
- The GDPR provides individuals with the right to know whether or not data controllers are processing their personal information, as well as the processing location and purpose.
- The GDPR requires data controllers to provide a free electronic copy of the individual's personal data in some circumstances.
The Right to Be Forgotten
Data erasure, known also as the right to be forgotten, entitles individuals to the following rights in certain circumstances:
- Individuals can request that data controllers permanently erase their personal data.
- Individuals can force the stoppage of further dissemination of their personal data.
- Individuals can force third parties to halt processing of their personal data.
Data erasure is conditional, however. Conditions include, but are not limited to, the data no longer being relevant to the original purposes for processing, or the individual withdrawing consent.
Data Breach Notification
Under the GDPR, notification of data breaches that are likely to harm individuals is mandatory, and such breaches must be reported to regulatory authorities within 72 hours of the organization first becoming aware of the breach. In addition, data processors must notify data controllers without undue delay after first becoming aware of a data breach.
Data Portability
Data portability is the right of an individual, in certain circumstances, to receive their personal data and any associated data concerning them. This data must be provided in a common and easily readable electronic format. With data portability, individuals have the right to transmit that data to another party as needed.
Privacy by Design
Privacy by design requires that data protection be a core feature when designing systems, rather than a later addition. Additionally, data controllers may retain and process only the data for which they have a legitimate basis for processing. Privacy by design also imposes limits on who has access to personal data.
Data Protection Officers Overview
Data protection officers (DPOs), also known as data privacy officers, are security officials, and DPOs are a key requirement for GDPR compliance. While not necessary for all organizations, the GDPR states that this role is mandatory for any organization that processes or stores large amounts of personal data. This personal data can concern an organization's employees, an organization's customers or providers, or any other individuals covered by the GDPR.
Officer and Organization Interaction
DPOs primarily audit organizations to ensure compliance, and should be treated as any other auditor. As such, per the GDPR, DPOs require operational independence. This means that organizations may interact with their DPOs only in specific ways. The GDPR requires the following for DPOs:
- DPOs should not receive instruction from or otherwise be pressured in any fashion by an organization.
- DPOs must have an unhindered, immediate, and total authority to investigate organization activities, including those activities at higher levels of organizational management.
- Within an organization, DPOs must not be subject to direct supervisory oversight and must report to the most senior levels of management.
- Organizations must provide operational support to the DPO, including any necessary staff, resources, or facilities.
The primary duties of the DPO are to ensure that an organization is in compliance with, and acting in good faith with respect to, the GDPR. The individual aspects of these duties include the following:
- DPOs are generally the point of contact for data subjects and are available to inform them of how an organization is using and protecting their personal data, as well as how data subjects can request data erasure.
- DPOs must remain in contact with and work alongside applicable regulators.
- DPOs must audit an organization and present to applicable regulators information on organizational operations that present specific risks or otherwise are most likely to violate GDPR rules.
- DPOs must alert an organization to violations of GDPR rules.
- DPOs must hold an organization accountable when the organization is in violation of GDPR rules.
- DPOs must educate and train an organization and its employees on remaining compliant with the GDPR.