10darts GDPR compliance and policy
On May 25, 2018, the European Commission's new General Data Protection Regulation
(GDPR) will become enforceable. To comply with the new regulation, 10darts, as a
data processor, has adopted the following GDPR compliance policy.
1. Scope and Personal Data Definition
The GDPR applies to organizations located within the EU and to those outside it if they offer
goods or services to, or monitor the behavior of, EU data subjects.
Personal data is any information related to a natural person that can be used to directly
or indirectly identify the person. It can be anything from a name, a photo, an email
address, bank details, posts on social networking websites, medical information, or a
computer IP address.
2. 10darts personal data processing
10darts processes anonymous data and pseudonymous data by default as the result of our clients’ use of the 10darts platform, such as time-zone, browser version and type, SDK version; and pseudonymous data, including a tokenized ID specific to each separate installation of the customer’s mobile application, web browser, etc. Any client can request from 10darts a list of the data we collect by default. This data, being anonymous, falls outside the scope of the GDPR.
In any case, clients need to have established a lawful basis for each of them to collect and process EU users’ data. In no case is 10darts responsible for collecting end users’ lawful consent with respect to the collection and/or processing of their data.
The above notwithstanding, 10darts clients are able to configure the platform to collect and process their users’ personal data, including names, location, emails, Facebook ID, etc. Hence, 10darts might process users’ personal data following clients’ instructions and pursuant to their configuration and use of the platform.
Accordingly, 10darts clients are data controllers, as they determine the purposes, conditions and means of the processing of personal data, and 10darts is the data processor in so far as it processes personal data on behalf of the controller.
In no case does 10darts process any sensitive personal data, including financial data, credit or debit card numbers, government issued identification numbers, or data relating to criminal history, i.e. special classes of data as defined in the GDPR; nor is the client allowed to store and/or keep any of these categories of information in the 10darts Platform. Hence, no privacy impact assessments are needed, as processing non-sensitive personal data using new technologies would not result in high risk to the rights and freedoms of data subjects. Nevertheless, 10darts relies on the clients’ decision on whether to conduct privacy impact assessments for their use of the platform.
10darts also supports and processes anonymous data triggered by users’ activity and pseudonymous data such as hashed IDs that may tie back to additional personal data in customer’s systems.
Clients can request a list of data collected in the default settings.
3. Data location, subcontractors and protection
The 10darts platform is hosted in the cloud by Amazon Web Services (AWS), a subcontractor of 10darts, whose cloud data centers implement and maintain at all times the required technical and organizational measures to ensure a level of security appropriate to the risk of varying likelihood and severity for the rights and freedoms of natural persons. See the links below for further information on AWS and GDPR.
4. User’s rights
10darts supports its clients in fulfilling their regulatory duties under the GDPR, and as such assists clients with their duties when users exercise their personal data rights, including but not limited to:
- Be informed about what personal data clients intend to maintain, why access to that data is required and how clients intend to process it.
- Access users’ personal data that clients hold about them, at no extra cost.
- Rectification of inaccuracies in user’s personal information.
- Erasure of their personal information from the client’s and third-party systems, including those of 10darts, to which this data may have been propagated.
- Restrict processing of their personal data.
- Data portability.
- Object to further processing of their personal data.
- Rights regarding automated decision making.
5. Data storage length and breaches
10darts holds data for clients at least for as long as they are using 10darts platforms legally and their service contract is valid. After 90 days from any termination of the contract, 10darts deletes all end user data. 10darts reminds clients that personal data should only be maintained for the period necessary, and should be deleted once its utility is lost.
10darts will also notify its clients of any potential data breach so they can in turn communicate it to impacted users quickly and transparently.
6. End user consent to 10darts services
End users have to accept the reception of communications sent by 10darts clients through mobile and desktop web, mobile app and Facebook messenger via the 10darts platform. Yet each client of 10darts is responsible for ensuring that the users’ consent is properly obtained.
In that sense, 10darts clients are responsible for collecting users’ “unambiguous” consent, clearly distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Parental consent will be required to process the personal data of children under the age of 16 for online services; depending on the state of the user whose data is collected by the 10darts client, there might be a lower age of consent but never below the age of 13.
10darts also reminds clients of the ‘data minimization’ principle, under which an organization should only collect and hold the bare minimum personal information it needs to offer its services effectively.
10darts understands the relevance of, and fully supports, the GDPR regulation, rights and obligations, and correspondingly wants to cooperate with its clients and provide them with all services needed to act accordingly, especially when it comes to their communication with their users through the 10darts platform.
Nevertheless, any 10darts client should know that these guidelines are not legal advice, nor do they guarantee the client’s compliance with the GDPR in its communication services with its users. For those purposes, 10darts clients should seek and receive specific legal advice on GDPR application to the goods and services they provide their users.
Please contact us at email@example.com for any query or comment in connection with the GDPR.
8. Further information / relevant GDPR links to 10darts platform: