How do I get my account ready for GDPR?
GDPR (General Data Protection Regulation) is Europe’s new privacy law. Adopted in April 2016, it replaces the 1995 Data Protection Directive – and marks the biggest change in data protection in 20 years. To fully comply with the new regulations, review your signup processes and marketing materials. See what work you need to do inside or outside GetResponse.
This content is provided for educational purposes only. GDPR is fact-specific and the way it applies to your organization may differ from what’s discussed in this article. Please do not treat it as a substitute for a professional legal opinion. Always consult your lawyer or other professionals responsible for data protection within your organization. GetResponse can’t be held liable for any indirect, special, incidental, or consequential damages arising out of any use of or reliance on any content or materials included here.
Do all businesses need to comply with the GDPR?
You need to comply with the GDPR when:
- your business is based in the European Union (EU),
- you process the personal data of individuals in the EU.
You’ll need to ask your contacts if it’s OK to process their personal data. The GDPR defines consent as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
This bit’s important: they need to explicitly give their consent – and you can’t make it a pre-condition for providing a service (unless you need that information to carry out the service). You also need to prove they have opted in.
It should be easy for contacts to withdraw consent. And you’ll need to stop processing their data if you have no other legal reason to do so.
Before collecting personal data, you need to tell the person:
- Who you are and your contact details
- Why and how you will use their data – and the legal basis for doing so
- If their personal data will be shared with anyone else
- If you plan to transfer their data to a third country or international organization, as well as the relevant safeguards and how they can view them
You also need to share:
- How long you’ll keep their data
- Their rights to access, update, or erase it – or stop you from processing it
- How they can withdraw their consent
- How they can lodge a complaint with a supervisory authority
- Why you need the personal data. Is it a statutory or contractual requirement? Is it needed to enter into a contract? Do they need to provide their personal data? What happens if they don’t?
- Whether you use profiling, the logic used and the significance or consequences of processing their data in that way.
Above all, new contacts should know exactly how you’ll use the data they give you.
How can you prove you have their consent?
You’ll find it in the Contacts section of your account. See How do I search for contacts? for more information.
The right to be forgotten – deleting contacts
If a contact asks you to erase their personal data, you must do it as soon as possible – if you have no legal grounds to keep processing it. You also should delete their data if you no longer need it, if it was used unlawfully, or if the contact exercised their right to object.
In your GetResponse account, you’ll find three options to help you comply:
- Your contacts can unsubscribe from your list(s) in any sent message. An unsubscribe link is automatically added to each message footer. For more, see how can a contact unsubscribe from my list?
- You can delete contacts from your list if they ask you directly. See how to remove them from your lists or entire account.
- You or your contacts can ask our customer support to remove them. Contact us 24/7 on LiveChat or email us.
If another data processor (such as third-party services) has the contact’s information, you should also ask them to erase it – or do it yourself.
The right to object – updating personal data
Contacts can object at any time to your use of their personal data for direct marketing purposes, or for legitimate interests such as:
- Your internal administrative activities.
- Ensuring network and information security (providers of electronic communications networks, security technologies, and related services).
To comply, just follow the steps we mentioned in the previous section.
The right to rectification
Under GDPR, your contacts can also ask you to update their personal data, if it’s incorrect or incomplete. And you should do it straight away.
- Your contacts can view and update their data that you have in your GetResponse account. They can simply click on the “Change contact details” link automatically included in the footer of your sent messages.
- You can update their data in your account at any time. Just go to Contacts, search for their name, click on it, and edit the custom fields. You just can’t change their email address and opt-in proof.
- You or your contacts can ask GetResponse customer support to edit their data. Contact us 24/7 on LiveChat or email us.
The right of access
Your contacts also have the right to know:
- If their data is being used
- How they can access it
- Why it’s being used
- Who it’s shared with
- How long it will be stored
You should also let them know how they can change or erase their data – or restrict the way you process it.
You can email our privacy experts directly with any questions.