Check out this article for information on what we're doing and what you can do to ensure compliance with the new European Union General Data Protection Regulation (GDPR).
What is the GDPR?
The European Union is updating its data protection regulations to protect its citizens. The General Data Protection Regulation (GDPR) regulates how companies access and process the data of people in the European Union (EU). This applies to all companies who do business with people that are EU citizens, regardless of where the company is based.
You can review details of how GDPR requires protection of personal data here.
Who needs to be GDPR compliant?
If you have EU residents who are registering on your Brandkit account or if you are collecting any personal information (e.g. email address), then the GDPR is relevant to you, even if you’re not based in the EU.
It applies to any organisation that processes the personal data of any EU citizen or resident — for example, customers, prospects, employees, and even someone who happens to visit your brand’s website.
It’s more than likely the GDPR applies to you and your company or organisation.
How is Brandkit compliant with the GDPR?
Brandkit will comply with the GDPR when it goes into effect on May 25, 2018. This includes taking the following actions to protect our EU customers’ data:
- We will process data in compliance with the GDPR law.
- We will contractually require third-party providers to comply with data protection laws.
- We will disclose a list of all third-party providers we work with who may access customer data.
- We will use safeguards to protect customer data.
- We will provide privacy and information training to all employees interacting with customer data.
- We will maintain a security incident response plan.
What personal data do we collect?
In the Brandkit App
- Full name
- Email address
- Company/Organisation name
- Job Title (optional)
- Phone number (optional)
- Nature of organisation (i.e. Company/Org industry category)
- Avatar that represents the user (optional)
Note: We collect this data separately for every Brandkit account a user is registered on. That is, each Brandkit account maintains its own user database.
A user can download a copy of all the personal data we have collected for the user, from the user's My Profile page in any Brandkit account they are logged into.
A user can also permanently Delete* their account and personal data, from the same My Profile page, or email email@example.com to request that we do it.
The user would need to repeat this for every Brandkit account that they are registered on, if the user is registered in more than one Brandkit account.
What data do we collect via 3rd parties?
We also collect personal data via 3rd parties. You can see a list of these here.
We DO NOT collect
- Demographic data such as Gender, Religion, Race, Culture, Personal preferences.
- Personal Financial data.
- Personal data that is not essential to the delivery of the Brandkit service.
Where is Brandkit Data physically stored?
Brandkit runs on Amazon AWS cloud infrastructure with our primary datacenter in North Virginia, USA. Some clients can choose to locate primary storage in other AWS regions, including the EU (in Dublin, Ireland).
We also use a host of 3rd party sub-processors, who may store or transfer data in different locations.
How does GDPR impact Brandkit Customers?
If you manage or administer a Brandkit account, your company/organisation is effectively a Data Controller and Brandkit is the Data Processor under GDPR.
As a Data Controller you have an obligation to protect your users' privacy.
You should also sign a Data Processing Addendum (DPA) with your Data Processor (which in this case is Brandkit).
How can I view and sign your Data Processing Addendum (DPA)?
You can download our Data Processing Addendum (DPA) below.
To complete the DPA, please download the PDF and sign, then email the signed copy to firstname.lastname@example.org.
Changes made to comply with consent rules and give users more control over their personal data.
We've made some changes to the Brandkit platform that will affect customer Brandkit accounts and the way we deal with personal information.
New Terms acceptance block (unchecked by default).
As seen (after being checked by the user) in a Download form below.
New Minimum Age Requirements
To comply with GDPR we can now only accept user registrations from persons that are older than 16 years of age.
Updated User Profiles / My Profile page
Users can already edit their personal data in their My Profile page, once logged in.
We're adding new capability for users to:
- Download a copy of all the personal data we collect for an individual user.
- Permanently Delete their user account and personal data.
Both these options will be available from the user's My Profile page.
Note: When a user deletes their user account, we anonymise some activity history, but do keep some personal contact information and transaction data in order to identify persons that have received intellectual property assets.
So users can now manage their own personal data.
A user can also request that you, as Data Controller, do that for the user, in which case you can pass the request on to email@example.com and we will action it.
Note: Both Brandkit and Brandkit Customers will remain responsible for the completion of that process, as far as GDPR is concerned.
Removed unnecessary tracking services
After reviewing 3rd party services, we've removed Hubspot and Adroll pixels from the Brandkit marketing site.
Where can I get more information?
You’re always invited to ask questions of our support team at firstname.lastname@example.org or via our Intercom chat bubble.
To learn more about this straight from the source, visit eugdpr.org.
Happy branding :)