On May 25, 2018, a new set of laws known as the General Data Protection Regulation (GDPR) will go into effect in the European Union (EU). This will change how Vibes and many other companies are required to collect, store, and share personal consumer data collected from individuals in the EU. Vibes is working to comply with all applicable laws, rules and regulations and industry principles governing the performance of our products and services under GDPR.
Vibes GDPR Mission & Goals
Understand the requirements
Work to ensure Vibes is ready, or working toward readiness, to be in adherence by the implementation deadline
Ensure Vibes is able to address customer and partner questions, concerns, and requirements
Help provide guidance and thought leadership on best practices for GDPR-compliant program execution, while making clear that our customers should consult their attorneys for any legal advice
What Is the Division of Responsibility Between Vibes and Its Customers on GDPR Issues?
Vibes is a Data Processor & Data Sub-Processor under GDPR; Vibes is responsible for following your instructions about the personal data you provide to us. Vibes’ partners’ customers are the Data Controllers. Among other things, Vibes’ customers remain responsible for obtaining adequate customer consent before sending notifications to a consumer’s mobile phone such as text messages and push notifications. If a partner’s customer has not obtained consent that complies with GDPR principles, they should obtain new, affirmative (i.e., opt-in) consent (including verifiable parental consent for minors under the age of consent that applies in the minor’s country) before continuing to send messages to that consumer.
It is Vibes’ policy to understand and comply with all applicable laws, rules and regulations and industry principles governing the performance of our products and services, including GDPR.
However, it is expected that Vibes’ customers will have legal approval from their own legal teams on all campaigns that they are running via the Vibes Platform, including approval of language of any calls to action and messaging, opt-in functionality, opt-out procedures, terms and conditions/contracts, and data privacy handling and disclosures. Vibes’ customers are also responsible for ensuring that the content of advertising messages complies with all applicable laws and falls within the scope of a recipient’s consent.
What is Vibes’ GDPR Compliance Strategy?
Vibes has assembled a GDPR taskforce, which has identified Key Concepts under the new GDPR laws. We have been working for many months and are continuing to take the necessary actions over the next few weeks to ensure Vibes will be compliant with new GDPR requirements.
We have set up an email address for the office of our Data Protection Officer, firstname.lastname@example.org, to serve as a central point of contact for any questions about Vibes’ GDPR compliance program.
Transferring of Personal Data
To prevent the unnecessary transfer of personal data outside of the EU, all personal data collected from individuals located in the EU will be stored in the Vibes EU (Ireland) data center. Vibes’ customers have the responsibility of informing Vibes when they collect personal data from individuals located in the EU, and to provide Vibes with the information necessary to identify what personal data has been collected from individuals located in the EU.
Key Terms to Know
Q: What are the responsibilities of a Data Processor?
A: A Data Processor is a service provider who acts according to the Controller’s instructions in the Data Processing Agreement. The role of a Data Processor has less onerous liability under GDPR, but Controllers flow down their obligations contractually.
Q: What are the responsibilities of a Data Sub-Processor?
A: A Data Sub-Processor processes data on behalf of a Data Processor.
Q: What are the responsibilities of a Data Controller?
A: A Data Controller is the customer who makes decisions about how data is to be used/processed. They instruct the Data Processor using a Processing Agreement and are liable for compliance, including Processor compliance.
Q: What does Privacy Shield Certified mean?
A: It’s a voluntary self-certification under which U.S. companies agree to comply with EU privacy principles and other requirements. Companies are still liable and need to ensure as Controller or Processor that they are adhering to all the new GDPR laws.
Q: What is considered personal data?
A: Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. This includes data that Vibes may process: MDN, Device ID, Location Lat/Long, First Name, Last Name, Email Address, Birthday, App Open, and App Click Through.
Q: What effect will Brexit have on GDPR?
A: Businesses should not expect their GDPR obligations to end when Brexit occurs in March 2019, as the British government has already proposed a new Data Protection Bill that will enshrine the basics of GDPR into British law.
Q: As a brand doing business or hoping to do business in the EU, what steps do I need to take to ensure I am compliant with GDPR?
A: Consult your legal counsel if your compliance plan is not in the process of being implemented.