General Data Protection Regulation and Rintral Trading Sl.
The General Data Protection Regulation (GDPR) was adopted on 27 April 2016 and entered into application on 25 May 2018. It is a set of laws that governs how we communicate with, interact with and store customer data for citizens of any European member state. It also introduces some substantial changes to the way personal data had been treated until then.
In this article we’ll try to cover all the crucial aspects of using our platform within the new regulation. A quick note before starting: while GDPR uses the term “subject data”, for clarity we’ll use “customer data” here instead.
What is customer data?
Almost all the concepts expressed in the GDPR revolve around the notion of “personal data”. The definition the regulation gives is pretty strict: “Any information that could be used, on its own or in conjunction with other data, to identify an individual.”
At Rintral Trading Sl., we store a lot of information about our customers, from email address to name, surname and IP addresses. This is not forbidden per se, but we are committed to telling our customers exactly what we keep track of and why we are doing that. The word to take home here is transparency, starting from the first step: consent.
How Rintral Trading Sl. treats consent
One of the most important aspects of the new regulation is how consent is given by the customer and how to keep proof of it. To keep it simple, we have to be completely sure of what our customers give consent to during the registration process.
Two key aspects here: the double opt-in and the privacy checkbox.
The double opt-in, besides being good practice, is required by law in many countries: it confirms the will of the customer by having them give consent twice before the actual service starts.
Proof of consent
Keeping proof of customers' consent is mandatory under the GDPR rules. At Rintral Trading Sl., when a customer changes his or her profile and activates a specific option, they could be giving us a specific consent, for example to send marketing email. Rintral Trading Sl. provides a logging feature which records, with a timestamp, every change customers make to their profile and what they changed.
Which data Rintral Trading Sl. stores
Besides name and email address, our service can collect other data if extra profile fields have been created. More importantly, Rintral Trading Sl. collects IP addresses at the moment of registration and whenever a customer performs an action on newsletters or the service, if tracking is active. IP addresses are used for various features, from tracking to geolocation.
How long does Rintral Trading Sl. keep customer data?
One of the requirements of the GDPR is that we make our customers aware of how long we are going to keep their data on our servers, and we clearly state it on the T&C page. The reason behind this is to avoid keeping obsolete data or contact information whose reliability we cannot be sure of.
Inside Rintral Trading Sl., we deal with these requirements in two ways:
- we can delete all customers with a status that makes them unreachable: bounced, unregistered, not confirmed and so on.
- we can delete all customers who didn’t interact with us in a specified interval of time.
Performing these actions periodically helps us keep our list clean and avoid losing valuable customers.
Data export and portability
GDPR also requires us to offer our users the ability to ask for a copy of their files for portability reasons. The downloaded data export file will be in a machine-readable format (not human readable). By default, Rintral Trading Sl. collects names, email addresses and other profile fields, and that data can be exported as well.
Data modification and integration right
Rintral Trading Sl. customers are able to access their own profile editing panel, where they can change every detail whenever they wish, and we make this option as clear as possible.
Are we using an external delivery service?
Most external SMTP providers are already GDPR compliant. We state in our policy that we're using external services.
What about our hosting provider?
Our providers physically store our data on their servers, including our customers' data; hence they need to be GDPR compliant.