Check out this article for information on what we're doing and what you can do to ensure compliance with the new European Union General Data Protection Regulation (GDPR).

What is the GDPR?

The European Union is updating its data protection regulations to protect its citizens. The General Data Protection Regulation (GDPR) regulates how companies access and process the data of people in the European Union (EU). This applies to all companies who do business with people that are EU citizens, regardless of where the company is based.

You can review details of how GDPR requires protection of personal data here.

Who needs to be GDPR compliant?

If you have EU residents who are registering on your Brandkit account, or if you are collecting any personal information (e.g. email address), then the GDPR is relevant to you, even if you’re not based in the EU.

It applies to any organisation that processes the personal data of any EU citizen or resident — for example, customers, prospects, employees, and even someone who happens to visit your brand’s website.

It’s more than likely the GDPR applies to you and your company or organisation.

How is Brandkit compliant with the GDPR?

Brandkit will comply with the GDPR when it goes into effect on May 25, 2018. This includes taking the following actions to protect our EU customers’ data:

  • We will process data in compliance with the GDPR law.
  • We will contractually require third-party providers to comply with data protection laws.
  • We will disclose a list of all third-party providers we work with who may access customer data.
  • We will use safeguards to protect customer data.
  • We will provide privacy and information training to all employees interacting with customer data.
  • We will maintain a security incident response plan.

What personal data do we collect?

In the Brandkit App

  • Full name
  • Email address
  • Company/Organisation name
  • Job Title (optional)
  • Country
  • Phone number (optional)
  • Nature of organisation (i.e. Company/Org industry category)
  • Avatar that represents the user (optional)
  • Cookies and Usage Data (see definition in Privacy Policy)

Note: We collect this data separately for every Brandkit account a user is registered on. That is, each Brandkit account maintains its own user database.

A user can download a copy of all the personal data we have collected for the user from the user's My Profile page in any Brandkit account they are logged into.

A user can also permanently Delete* their account and personal data from the same My Profile page, or ask support@brandkit.io to do it.

If the user is registered on more than one Brandkit account, the user would need to repeat this for every Brandkit account that they are registered on.

---

Note: In the event that the user chooses to Delete their user account, we will permanently delete the user's personal data and anonymise some of the user's history. We will, however, keep some transaction history and a way to legally identify the user as a recipient of Intellectual Property (IP), in the event that the IP owner needs to identify whether the user has received IP assets, the date of that receipt and the fact that the user has agreed to Terms of Use, Licence Rules and any other Usage restrictions.

---

What data do we collect via 3rd parties?

We also collect personal data via 3rd parties. You can see a list of these here.

We DO NOT collect

  • Demographic data such as Gender, Religion, Race, Culture, Personal preferences.
  • Personal Financial data.
  • Personal data that is not essential to the delivery of the Brandkit service.

Where is Brandkit Data physically stored?

Brandkit runs on Amazon AWS cloud infrastructure with our primary datacenter in North Virginia, USA. Some clients can choose to locate primary storage in other AWS regions, including the EU (in Dublin, Ireland).

We also use a host of 3rd party sub processors, who may store or transfer data in different locations.

How does GDPR impact Brandkit Customers?

If you manage or administer a Brandkit account, your company/organisation is effectively a Data Controller and Brandkit is the Data Processor under GDPR.

As a Data Controller you have an obligation to protect your users' privacy.

As a result you must ensure that your Privacy Policy is GDPR compliant.

We are updating our default Privacy Policy to meet the new GDPR standards by the 25th May 2018.

You will need to check that our default Privacy Policy meets your obligations and if you have your own custom Privacy Policy in your Brandkit Portal Terms page, then you will need to ensure it is updated to comply.

You should also sign a Data Processing Addendum (DPA) with your Data Processor (which in this case is Brandkit).

How can I view and sign your Data Processing Addendum (DPA)?

You can download our Data Processing Addendum (DPA) below.

Brandkit Data Processing Addendum (PDF)

To complete the DPA, please download the PDF and sign, then email the signed copy to dpa@brandkit.io.

Changes made to comply with consent rules and give users more control over their personal data.

We've made some changes to the Brandkit platform that will impact Customer Brandkits and the way we deal with personal information.


Updated Privacy Policy

We're updating our Privacy Policy with effect from 25th May 2018. This will be the new default Privacy Policy used in Brandkit accounts (unless you have provided your own custom privacy policy).

You can review the updated Privacy Policy here.

Updated Forms

In Brandkit we've made changes to User Registration, Download forms (see image below) and other forms that collect a user's personal data, so that in addition to agreeing to Terms of Use, the user is also expressly giving consent to the collection of personal data to be used in accordance with your Privacy Policy (this is the one published in your Terms of Use page in Brandkit).

New Terms acceptance block (unchecked by default).

As seen (after being checked by the user) in a Download form below.

New Minimum Age Requirements

To comply with GDPR we can now only accept user registrations from persons that are older than 16 years of age.

We're adding that requirement to the Agreement to Terms of Use and consent to collect Personal Information checkbox.

Updated User Profiles/ My Profile page

Users can already edit their personal data in their My Profile page, once logged in.

We're adding new capability for users to:

  • Download a copy of all the personal data we collect for an individual user.
  • Permanently Delete their user account and personal data. 

Both these options will be available from the user's My Profile page.

Note: When a user deletes their user account, we anonymise some activity history, but do keep some personal contact information and transaction data in order to identify persons that receive Intellectual Property assets.

So users can now manage their own personal data. 

A user can also request that you, as Data Controller, do that for the user, in which case you can pass the request on to support@brandkit.io and we will action it.

Note: Both Brandkit and Brandkit Customers will remain responsible for the completion of that process, as far as GDPR is concerned.

Removed unnecessary tracking services

After reviewing 3rd party services, we've removed Hubspot and Adroll pixels from the Brandkit marketing site.

Where can I get more information?

You’re always invited to ask questions of our support team at support@brandkit.io or via our Intercom chat bubble.

To learn more about this straight from the source, visit eugdpr.org.

Happy branding :)
