What is GDPR?
It is a new data protection regulation that will replace the PUL (Personal Data Act). GDPR enters into force on 25 May 2018.
The data belongs to the person, NOT the company.
What does that mean in practice?
At any time, a person must be able to obtain information about what personal data a company has registered about the person. In addition, the person must be able to correct their data. The person also has the right to be “forgotten”, i.e. to be deleted completely.
- Consent – the approval to store data about me
- Correction – the right to change the data stored
- Portability – the possibility to request all data
- Erasure – the possibility to withdraw consent and delete all data
- Access – what data is there about me, with whom and for what purpose?
What is meant by “personal data”?
All kinds of information that can be directly or indirectly attributed and linked to a natural person, e.g. name, e-mail address, mobile number, address, IP address.
Does this concern me?
Yes, it concerns all our customers who communicate with people within the EU!
What does Ungapped do?
- We’ve added a mandatory consent box to the subscription form generator. You write your own consent text, and the box must be ticked, i.e. consent must be given, before the person is added as a subscriber to your newsletter.
- The consent text and the date when the consent was given will be saved on the contact’s contact card.
- When importing, you can enter the source and opt-in date (i.e. the date when consent was given).
- We are developing a new view where your recipients can see the personal information you have about them. In that view, the person can delete and edit their data themselves. The person can also indicate what kind of information they want to receive from you (e.g. newsletters, invitations, technical information), and via which channel (email/text message).
- The person can also indicate that they want to be “forgotten”.
- All data is stored on servers in Sweden (Stockholm). Back-ups are usually stored for six months.
What do YOU have to do?
- For your new customers/members/subscribers: the consent date must be saved, i.e. the date when the person became a customer/member/subscriber, or when they ticked the consent box on a form.
You must also record WHERE the consent came from (e.g. from a subscription form on the web, a business card from a fair, personal contact). We call this “source”.
You must also SAVE INFO about what the person consented to.
- All your digital forms where personal data is collected must have a consent box (it must be mandatory, but must not be pre-filled).
- The text at the consent box must be clear, easy to understand, and specify what you are requesting consent for, as well as what you will use the personal data for.
- For existing customers/members/subscribers: If you cannot prove that you have the active consent of your recipients for your newsletter and SMS, you must contact them and specifically ask for it.
You may NOT send to people who have not given active consent!
What are you NOT allowed to do?
- You may not sell your contacts to another party.
- If you own several brands: if the person has given their consent to brand A, you may not email/text them from brand B.
- You may not send any other type of information than the information to which the contact has consented.
- You may not send text messages to someone who has only given their consent to email, even if you have the person’s mobile number.
What are you allowed to do?
You may still send emails to an impersonal email address, e.g. email@example.com or firstname.lastname@example.org, without active consent.
Examples of consent texts
Comment: Should have had two checkboxes: one to agree to receive email, and one to receive sms.
Comment: Should have had a checkbox for each brand (Diggiloo, Bamse, Dinner shows).
Contact us directly if you have questions regarding GDPR!