Letter from Gobot’s CEO
At Gobot, we take privacy very seriously. As CEO, I am personally serving as Gobot’s Data Protection Officer (DPO). For any questions or concerns in this regard, contact me directly at firstname.lastname@example.org.
Not only is Gobot compliant with privacy laws as they relate to our customer data; we literally designed Gobot with the intent of facilitating your compliance with privacy laws. In other words, this bot will help you get it right! Gobot makes it very easy for you to delete a customer’s or visitor’s data upon request and to send your customers and visitors a report on their personal data. Gobot also documents your visitors’ consents and withdrawals of consent, which you might be required to produce upon request by the authorities. You can also use Gobot to provide your visitors the necessary notices, which is key. Long story short, use Gobot to facilitate your privacy compliance!
There has been much talk about the new privacy regulations in Europe. The good news is that the rules regarding transfers of personal data abroad don’t change under the GDPR. Since Gobot processes your data in the US, outside the EU, we have certified that we adhere to the EU-US and Swiss-US Privacy Shield principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability, in order to provide you with the assurances you need for your customers. Gobot complies with the EU-US and Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. See our certification here.
We are also offering our EU- and EEA-based customers a Data Processing Agreement (DPA), which includes the EU-approved model clauses. The DPA clarifies exactly how Gobot handles the data we process for you and provides the information and assurances you may need under GDPR. Click here to access the DPA.
While I am not a lawyer, and don’t pretend to be, below you will find some background information about GDPR and how you can leverage Gobot to comply with GDPR.
CEO and Founder
This website is not intended to provide legal advice. You should not rely on this website for such, nor as a recommendation as to a particular legal understanding. Our goal is to provide background information to help you understand how Gobot has addressed some important legal points. This information is not the same as legal advice where a lawyer applies the law to your particular circumstance. Therefore, we suggest that you consult a lawyer to seek assistance in the interpretation of this information including its accuracy.
GDPR Background Information
Has Gobot certified to adherence to the EU-US and Swiss-US Privacy Shield?
Absolutely. Gobot has officially certified to adhere to the EU-US and Swiss-US Privacy Shield principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. Gobot complies with the EU-US and Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland.
Click here to see Gobot's certification.
How do I access Gobot’s Data Processing Agreement?
We are also offering our EU- and EEA-based customers a Data Processing Agreement (DPA), which includes the EU-approved model clauses. The DPA clarifies exactly how Gobot handles the data we process for you and provides the information and assurances you need under GDPR. Click here for Gobot’s DPA.
What is GDPR?
The GDPR (General Data Protection Regulation) is an EU Regulation that replaces the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and to increase the obligations on organisations that collect or process personal data. GDPR came into force on May 25, 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and adds harsher penalties for violations.
The full text of the GDPR can be found here.
Does GDPR apply to me?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider: it will also apply to non-EU businesses that market their products to people in the EU or that monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
Why should I care about GDPR?
The aim of GDPR is a positive one: to protect the privacy of EU citizens. However, violation of GDPR may result in a serious fine. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater).
Will data now have to be stored in the EU?
No. There is no obligation under the GDPR for data to be stored in the EU, and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is "adequately protected", it may be transferred abroad. For example, the EU has prepared a list of countries which it deems to provide an adequate standard of protection (known as "white listed countries"), so it is permissible to transfer data from the EU to those countries. Where a country is not on that EU list (for example, the USA), the controller must rely on approved contractual provisions (e.g., the Model Clauses in Gobot’s Data Processing Agreement) or on one of the other alternative measures provided for in law, such as the Privacy Shield certification (and, yes, Gobot is certified!).
What are my rights under GDPR and how does Gobot facilitate my compliance?
Whenever a data subject, e.g., your customer or website visitor, is about to submit their personal information, the data controller, e.g., your company, has to make sure the data subject has given their consent. The GDPR raises the standard for disclosures when obtaining consent: consent needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”. Further, GDPR requires the data subject to signal agreement by "a statement or a clear affirmative action." Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must also know exactly what they are consenting to, and they must be informed in advance of their right to withdraw that consent. Obtaining consent requires a positive indication of agreement; it cannot be inferred from silence or pre-ticked boxes. This means that informing the user during the opt-in is important.

Gobot provides the flexibility you need to seek consent and, if necessary, process withdrawn consent. With Gobot, how you script your bots is up to you. To play it safe, however, we suggest that when interacting with European citizens your bots be scripted to seek consent such that what you get is “freely given, specific, informed and unambiguous.” In other words, make sure your bots ask for permission to use the information you collect in a specific and very clear way. Also, allow your visitors and customers to respond in a specific and clear way, e.g., using specific and well-thought-out multiple-choice options that avoid subjective responses.

Finally, if your customer or visitor opts to withdraw consent to email, Gobot’s emails include an optional opt-out button you can use for European citizens.
Gobot also makes it very easy for you to provide the notice required under GDPR. When collecting data, consider including a notice in your bot script clarifying exactly how long you will hold onto the data, what you will use it for, whom you will share it with, how the visitor can opt out later, whether the visitor’s data will be used to make automated decisions, the relevant legal bases for processing, and how to contact you. Gobot’s notice functionality makes it very easy for you to provide the required notices in a clear and trackable manner.
Above and beyond allowing you to script a bot that seeks consent in a clear and unambiguous way, provides the requisite notice, and allows for easy opt-out when your customers or visitors change their mind, Gobot has simplified retention and given you additional control over it. Consistent with GDPR, Gobot makes it easy to hold onto the data you collect only for the period reasonably necessary to accomplish the purpose for which the data was collected in the first place.
Right to be forgotten:
GDPR also grants European citizens the “right to be forgotten,” which requires that controllers delete all personal data stored about the citizen and also that the controllers alert downstream recipients of the deletion request. Gobot makes it easy to delete all information you have about a particular contact with the press of a button.
Right to data portability:
GDPR also grants European citizens the “right to data portability,” which allows data subjects to demand a copy of their personal data in a common format. Gobot makes it easy to print a report including personal data Gobot has collected from a particular contact.
Controllers will also be required to provide evidence that their processes are compliant and were followed in each case. Gobot’s consent log and transcript feature facilitates compliance in this regard. If you are ever questioned as to whether a particular visitor or customer consented to the use of their personal data, e.g., their email address, you can point the customer or the authorities to your Gobot consent log, which clearly documents the consent provided. The log references the bot transcript showing exactly the authorization you requested, the notice you provided, and, importantly, the consent with which your visitor or customer responded.