
November 18, 2025

Security & GDPR

Information on security and how Prezly helps you conform to the GDPR

GDPR in Prezly

After the 25th of May 2018, all of your sites will show a banner to inform the user that the site is using cookies and storing information on their browsing behavior.

The header will require visitors to agree to the use of cookies to track their behavior, or give them the option to opt out of those cookies. Refusing cookies means that site behavior (visits, downloads, searches, ...) cannot and will not be tracked, and thus will not be available on that contact's activity stream.

At any stage, a user can revoke the cookie consent at the bottom of every Prezly site.

Subscribing to a site

Prezly sites have a subscribe button where visitors can leave their email addresses and subscribe to company news.

As of the 25th of May 2018, these submissions will require a double opt-in. This means that visitors will need to confirm their initial subscription by clicking a link in their mailbox. That email will also contain brief information on what they are subscribing to and a disclaimer that they are giving you their consent.

Creating & updating contacts

When creating or editing contacts inside Prezly we require you to have consent or approval from your contacts to be contacted or receive company news.

At any point, the contact can revoke that consent by making use of the end-user privacy tools.

Existing contacts

Many are wondering whether they can email existing contacts that haven’t explicitly opted-in, after 25th May 2018. The answer is: it depends.


On the face of it, the GDPR is quite clear – you must get the explicit consent of individuals in order to communicate with them. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) *source ico.org

For more detail on each lawful basis, read the relevant page of this guide.

GDPR does not only apply to signups that happened after 25th May 2018; it applies to all existing EU subscribers on your email list.

Legitimate interest & email marketing

Marketing under the GDPR (email campaigns, pitches, Twitter DMs) is regulated exactly like any other data processing activity. This means that you have to show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it often won’t be.

This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent-based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR. Recital 47 of the GDPR actually says that:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

This means that if you want to send an email campaign to a segment or part of your contact database, you can do so in reliance on your ‘legitimate interests’ – you generally do not need your customers’ consent to this mailing. You will, however, always need to offer them an opt-out (Art 21(2)).

Summary

  • Much direct marketing (both snail mail marketing and e-marketing) is possible today on the basis of opt-out. Opt-in consent can be used, but is seldom legally required;
  • The GDPR does not change this position and, in particular, does not make opt-in consent a mandatory requirement for direct marketing - it acknowledges that marketing can be conducted in reliance on legitimate interests; but
  • The forthcoming e-Privacy Regulation seems likely to continue to allow opt-out-based e-marketing in many cases, though marketing teams should monitor developments here closely.

Do's and don'ts

Needless to say, the impact of the new GDPR legislation will depend on how you run your communication campaigns today. Here are a few general guidelines.

Do:

  • allow people to opt-out and respect that forever
  • segment your audiences into interest groups so you can send the right content to the right people
  • unsubscribe contacts who have not opened, replied, clicked or otherwise engaged after numerous attempts
  • make it easy for people to unsubscribe and contact you
  • plan for the withdrawal of consent

Don't:

  • store more information than you need for further personalization/segmentation (send relevant content)
  • purchase (media) lists of business and personal email addresses
  • email everything to everyone to get more attention
  • undo unsubscribes to get more eyeballs on your content
  • sell data you have collected or are gathering
  • keep data you no longer use/need

Here is an interesting article with actionable advice on GDPR


Managing data requests

To support you in your efforts to be GDPR compliant, Prezly includes specific features to help you receive and manage data requests.

Site Data Request Form

Each Prezly site has a page containing a form allowing your contacts to submit data requests. These forms are found by navigating to the bottom of the site and clicking on Privacy requests.

Once you click it, you will be directed to the Site Data Request Form.

When a person sends a data request, we ask them to confirm their request by sending them a confirmation email. Once they have confirmed the request, you will be alerted via email, and the request will then be visible on their contact profile.

 

Data request confirmation email

 

Your team will be notified

When data requests are submitted and confirmed, we will send your team members an email informing them about the new request.

Data request notification for team members

 

Filter for data requests

From within your Prezly Contacts List, you can find a filter called Data Requests. This enables you to find the contacts with data requests.

View and manage data requests

Existing data requests can be found on your Contacts Activity Feed.

You can manage the status of your data requests by marking them as completed. Data requests will remain at the top of the contacts activity feed until the request has been completed.

Remember, per GDPR you are required to respond to data requests within 30 days. 

I received a data request from an email that isn't in my contacts. What should I do?

Anyone can submit a GDPR request through your site footer, even if they aren't in your CRM, since they fill in the email field for the request themselves.

If you receive a data request from an email address that isn't in your CRM, this may be down to an accident on the user's part – for example, they might mistakenly believe that you have info on them when you do not. There is also the possibility that this is spam.

In any case, we recommend reaching out to the address given within the 30-day GDPR timeframe to confirm that you hold no information related to their email account.


Data we collect for you

Overview of the data sources that make your experience better

At Prezly, we collect data from third parties about your contacts. This enables us to enrich your contact information and gather deeper insight into who your influencers are and how they will interact with your content.

Below you can find a list of data providers and data sources that we currently use.

Data providers

We gather our data through partnerships with these third-party organizations:

Data sources

From the data partners listed above, we collect a wide variety of data sources:

  • Social Network data – check Fullcontact page for a complete list
  • Company logos
  • Profile pictures
  • Companies that people belong to
  • Community membership – books, movies, and celebrities that people like
  • Interests
  • Published stories and news articles across the internet
  • Tweets
  • Facebook posts from public pages
  • Publicly available social media profiles

Storage and transfer of data

Prezly engages third-party sub-processors to process personal data on Prezly’s behalf. The Sub-processors currently engaged by us and authorized by the Customer are the following:

  • Database (postgres): Ireland, Dublin, Amazon Web Services
  • Logs (elastic): Ireland, Dublin, Amazon Web Services
  • Backups: St. Ghislain, Belgium, Google
  • Assets: CDN (worldwide), Uploadcare

Prezly shall notify the Customer in advance of any new Sub-processor being appointed.

We will only transfer data outside of the EU to Third Countries that offer an appropriate level of data protection.

More information can be found in this section.


GDPR Policy FAQ

General information about the GDPR policy

What is your plan with being GDPR-compliant?

As a European company, we are committed to being GDPR Compliant. 

We’re evaluating the requirements of the Regulation to ensure that we handle customer data in compliance with applicable law by the May 2018 deadline. As we make progress, we will keep this page, our users and our clients up to date on the steps taken.

  • (completed) Familiarise ourselves with the GDPR regulation
  • (completed) Estimate the impact on the product and documents
  • (completed) Nominate a Data Protection Officer
  • (in-progress) Review internal data processes and improve them to be compliant with GDPR
  • (completed) Provide all of our clients with an updated Terms of Service, Privacy Policy and Data Processing Agreement. All clients will need to agree and comply with these.
  • (completed) Make a list of all product updates and improvements that need to happen.
  • (in-progress) Implement the necessary changes to the product areas that need changing.
  • (in-progress) Educate our users about GDPR and what is expected from them. 

Will GDPR require any action on our part (as a customer)? 

We will be providing all our clients with an updated version of our Terms of Service and privacy policy. You will also need to sign a Data Processing Agreement. 

A Data Processing Agreement is a legal document listing all the actions taken on our part to keep your data safe in compliance with the applicable law. 

Are you implementing double opt-in for site subscribe?

Yes. Prezly will make double opt-in a requirement for every new contact subscribing to a site. 

For those unfamiliar with this term, "double opt-in" is a 2-step mechanism where a person must confirm their email address after initially signing up. 

What about existing contacts?

It is unclear at this stage if all existing contacts will need to double opt-in to make the consent absolutely clear. We're doing more research in this area and will support a mechanism making this easy for clients.

Will there be any visible changes to Prezly for us?

The most prominent product changes will be:

  1. End-user privacy tools (request to be deleted, request for rectification, ...)
  2. Ability to export contact data
  3. Double opt-in on sites.

In addition, there are a number of backend modifications and changes to some internal processes.

Have you appointed a Data Protection Officer?

Yes.

What about third-party vendors Prezly uses?

We will provide a list (as part of our data processing agreement) of all third-party vendors that Prezly integrates with and that can have an impact on customer data.

Next to that, we’re setting up Data Processing Agreements with all of our Third-Party Vendors, making sure they apply the same rules concerning customer data as us.

How will you keep us informed about changes?

We will make regular updates to this page as well as keep you posted through email and in-app messages.

You will need to agree to our Data Processing Agreement as well as the new terms of service and privacy policy before the 25th of May.

What will be expected from us (Prezly users)?

Handling personal data is a joint responsibility. We, as a data processor, will implement the necessary procedures, but our clients (as data controllers) will need to take the necessary rules into account as well.
