EU General Data Protection Regulation (GDPR) Adar November 2, 2022

GDPRThe General Data Protection Regulation seeks to create a consistent framework across the EU for data protection.

Why was GDPR Adopted?

Recital 1 of the GDPR:
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

GDPR Compliance

3marketeers Advertising, Inc. is GDPR-ready, so that our clients can communicate with customers and prospects with GDPR compliance in mind.

We take data privacy seriously and meet or exceed data privacy regulations, and support organizations running our agency marketing programs while meeting data privacy obligations across the globe.

Remove Me from All Communications

To be removed from any 3marketeers communications, please confirm you are revoking your consent. By completing this form, we will confirm your details and remove you from further outreach.

*Indicates a Required Field

Your form has been submitted.

We'll send a confirmation to your email address. Please be sure to verify your signup.

Introduction to the GDPR

GDPR, which is an acronym for General Data Protection Regulation, was enacted by the European Parliament (‘EP’) to further strengthen data protection for people inside of the European Union (‘EU’). 

The European Union’s Regulation 2016/6791, the new General Data Protection Regulation, came into effect on May 25, 2018 in order to regulate the processing by an individual, a company or an organization of personal data relating to EU resident individuals in the EU.

GDPR replaces the previous individual EU member state regulations and guidance on privacy. The General Data Protection Regulation is in the form of regulation instead of a directive and is therefore enforceable in EU member states as law.

Organizations need to ensure they are compliant, or risk financial penalties.

GDPR compliance requires commitment from agency clients, as it does with other data protection laws. We are tracking the recommendations and guidance issued by regulatory authorities to assist us to develop tools appropriate for use of 3marketeers’ services.

GDPR Compliance and Data Protection

The principle of accountability is a cornerstone of the GDPR. According to the GDPR, a business /organization is responsible for complying with all data protection principles and is also responsible for demonstrating compliance. The GDPR provides businesses/organizations with a set of tools to help demonstrate accountability, some of which have to be mandatorily put in place.

The legislation makes EU resident individuals’ privacy rights stronger by limiting processing of their personal data, significantly expanding their rights over their data, and giving them greater visibility into the nature, purpose, and use of their data.

GDPR Scope

GDPR is in force for every organization that tracks EU resident behavior inside of the EU and that processes or uses the personal data of EU residents.

It grants broad individual rights pertaining to personal data, some of which include:

  • The right to be fully informed
  • The right to consent
  • The right to withdraw consent
  • The right to erasure of personal data,
  • The right to be forgotten
  • The right to deletion of personal data
  • The right of access to personal data
  • The right to have incorrect personal data rectified
  • The right to object
  • The right to request data
  • “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.” (REGULATION (EU) 2016/679—(Recital 70))
Which Organizations are affected by the GDPR?

In general, any organization that collects, processes or stores personal information about EU citizens within the EU states must conform to the GDPR, no matter if they have an EU business presence or not.

Organizations that fall under the General Data Protection Regulation legislation:

  • An EU country presence.
  • No EU presence, but processes the personal data of EU residents.

Article 3 GDPR

Important GDPR Definitions

(Full list at https://gdpr-info.eu/art-4-gdpr/)

Personal Data
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Controller
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Important GDPR Requirements

When collecting, processing or holding personal information organizations must make certain that the information:

  • Is processed in a way that preserves security
  • Is up to date and accurate
  • Is relevant to the purpose
  • Is only used for legitimate and specific purposes
  • Is processed legally and transparently
Significance for Inbound and Outbound Marketing

Consent by EU persons to collect and utilize personal data
Most marketing-related activities will rely on using “consent” as the appropriate reason for processing data. 3marketeers Advertising customers should assess how consent is gained, how it is documented and how authorization is maintained for processing personal data for EU persons.

Article 4 “Definitions”

Article 4.11
Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Article 7 “Conditions for consent”

Article 7.1
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Article 7.2
The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Article 7.3
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Children’s Personal Information
We do not knowingly collect or solicit any personal information from anyone under the age of 16. In the event that we learn we have collected personal information from someone under the age 16 without parental consent, we will delete that information as quickly as possible. If a child under the age of 16 has provided us with personal information online, a parent or guardian may contact us by emailing us at privacy @ etrigue.com. We will remove the information and unsubscribe the child from any of our electronic communications.

Accountability that processing is performed in accordance with the GDPR
Organizations must consider and be able to demonstrate how they comply with the principles of the GDPR.

Article 24 “Responsibility of the controller”

Article 24.1
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

3marketeers Advertising and GDPR

3marketeers clients are controllers under the GDPR and have the primary responsibility as they choose which prospects, customers and contact information is leveraged for their marketing programs, and who they choose to communicate to.

The 3marketeers GDPR Data Processing Addendum is located here.

Multi-lingual compliance mechanisms such as opt-out capability have always been in place in the tools that 3maketeers uses.

3marketeers clients will continue to rely on Privacy Shield certification for placing lawfully obtained personal data under the GDPR.

We are evaluating, and enhancing our features and processes to further assist users subject to the GDPR and will continue to support GDPR compliance requirements.

Checklist to prepare for GDPR Compliance

Here are some of the steps that can be accomplished within your organization. The list is not comprehensive in nature and your organization must determine individual steps that must be accomplished:

  • Create a compliance group or team for General Data Protection Regulation
  • Audit and document your organization’s personal data processing procedures and activities
  • Determine if your organization requires a Data Protection Officer (‘DPO’) and appoint one
    • Article 37 “Designation of the data protection officer”
  • Document (and collect) the legal basis for processing data—i.e. “consent”
    • Article 7 “Conditions for consent” / Article 8 (Child)
  • Determine policies and mechanisms to accomplish EU subjects’ rights requests
    • CHAPTER III inclusive—”Rights of the data subject”
  • Assess, review and update processor and sub-processor agreements
    • Article 28 “Processor”
  • Update your organization’s privacy policies and procedures
  • Update policy for notification of personal data breach
    • Article 33 “Notification of a personal data breach to the supervisory authority”
    • Article 34 “Communication of a personal data breach to the data subject”
GDPR Guidelines and Resources

European Commission (EC)—Data protection in the EU

European Commission—What does the General Data Protection Regulation (GDPR) govern?

EUR-Lex (Official Journal of the European Union)

GDPR Data Processing Addendum (PDF)

UK Information Commissioner’s Office

Third-party

Third-party—FAQs

Third-party—Overview

Third-party, searchable, indexed

Disclaimer

3marketeers Advertising has made this information available to assist organizations in understanding the GDPR. The information contained herein is not legal advice and shall not be construed as legal advice.

Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required. Organizations should consult their legal counsel to interpret and understand their obligations under the GDPR, and how their organization utilizes and processes personal data.