In 2018, the protection of Internet users' personal data was strengthened considerably. Fines for companies making improper use of personal data have multiplied (up to 130-fold). This legal revolution has been brought about by the General Data Protection Regulation (GDPR).
The GDPR was adopted by the European Parliament in 2016 and became effective on May 25, 2018. The regulation affects every company that processes the personal data of European users, wherever the company itself is based.
Disclaimer: Kameleoon does not provide legal advice regarding GDPR. This page only aims to inform readers about the major challenges GDPR brings and how Kameleoon's personalization tool complies with this regulation.
Any organization breaking the new rules risks fines of up to 4% of their overall turnover, or €20 million, according to the severity of the infraction.
COLLECTION AND PROCESSING OF PERSONAL DATA
Under GDPR, you no longer have the right to collect personal data if the user hasn't explicitly authorized you to do so. Your data management policy needs to be perfectly clear. You do not have the right to process a visitor's personal data unless they have explicitly agreed to this.
DATA TRANSFER OUTSIDE THE EU
With GDPR, transferring a customer's personal data outside the European Union becomes illegal. A company operating on several continents and using tools that centralize customer data outside the EU breaches the new regulation. The same is true for any company operating in Europe and centralizing user data outside the EU.
OBLIGATION TO REPORT SECURITY LEAKS AND DATA THEFT
Yahoo, MySpace, eBay, Sony, Ashley Madison, Dropbox, Tumblr, LinkedIn, Adobe, etc.: data theft happens all the time. In the past, companies tried to hide these incidents for as long as they could. With the GDPR, corporations have 72 hours from the moment the breach is known to inform the relevant authorities. Users also have to be informed, although the GDPR doesn’t set a timeframe for this. However, it’s a matter of common sense and of keeping trust to inform users as soon as possible.
USER’S RIGHT TO RETRIEVE THE COLLECTED DATA (PORTABILITY)
Under GDPR, you must be able to provide all of a visitor’s data at their request, in a structured, unencrypted format.
RIGHT TO BE FORGOTTEN
A person who has given you his or her data has the right to ask you to erase it entirely. If they do, you have to comply.
NOMINATION OF A DATA PROTECTION OFFICER
The nomination of a Data Protection Officer (or DPO) is mandatory for all corporations processing user data on a large scale or regularly tracking data subjects or sensitive information. This also applies to the public sector, independently of the purpose or type of processing.
KAMELEOON PLATFORM COMPLIANCE
- Data Collection
In its standard setup, Kameleoon's platform doesn't collect or process any personal data as defined by the GDPR. The only data collected is anonymized browsing data which doesn't allow a visitor to be identified. However, our customers are able to inject existing personal data from their technology ecosystem (such as CRM or DMP solutions) into Kameleoon, to improve analysis and results. In this case, the Customer has total control over the information they use and should only select authorized data. Kameleoon processes this personal data in a totally GDPR-compliant way and follows the Customer's written instructions and data processing procedures.
- IP Anonymization
As the IP address is considered personal data, Kameleoon doesn’t process or save it but replaces it with a randomly generated ID. This guarantees complete anonymization and a higher level of data protection.
- Data portability
Kameleoon enables the Customer to deliver the entirety of a given visitor's collected data at their request.
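The following is an added illustration, not Kameleoon's code, of the three mechanics described above: replacing the IP address with a randomly generated visitor ID at ingestion (so that the IP is never stored and cannot be recovered from the ID), exporting everything held about one visitor in a structured, unencrypted format, and erasing a visitor completely. The event field names, the in-memory store and the sample hits are all constructed for the example; the visitor ID is assumed to travel back to the browser as a cookie, which is how hits from the same visitor are linked without ever using the IP as a key.

```python
import json
import secrets
from ipaddress import ip_address

# Constructed sample hits as an ingestion pipeline might receive them.
# Field names are hypothetical, not an actual analytics event format.
RAW_HITS = [
    {"ip": "203.0.113.7", "cookie_id": None, "page": "/pricing", "ts": 1},
    {"ip": "203.0.113.7", "cookie_id": None, "page": "/signup", "ts": 2},
    {"ip": "2001:db8::1", "cookie_id": None, "page": "/", "ts": 3},
]


def contains_ip(value):
    """Recursively check a record for any string that parses as an IP address.

    Used as a guard before persisting or exporting, so that an IP can never
    slip into storage through a nested field.
    """
    if isinstance(value, dict):
        return any(contains_ip(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(contains_ip(v) for v in value)
    if isinstance(value, str):
        try:
            ip_address(value)
            return True
        except ValueError:
            return False
    return False


class VisitorStore:
    """In-memory stand-in for an analytics store; it only ever holds anonymized hits."""

    def __init__(self):
        self._hits = {}  # visitor_id -> list of hit records, none containing an IP

    @staticmethod
    def new_visitor_id():
        # Random and independent of the IP. A hash of an IPv4 address, keyed or
        # not, would only be pseudonymous because the address space is small
        # enough to enumerate; a random token has no link back to the address.
        return secrets.token_hex(16)

    def ingest(self, hit):
        # Validate that the IP is well-formed, then drop it before anything is stored.
        ip_address(hit["ip"])
        visitor_id = hit.get("cookie_id") or self.new_visitor_id()
        record = {k: v for k, v in hit.items() if k not in ("ip", "cookie_id")}
        if contains_ip(record):
            raise ValueError("refusing to store a record that still carries an IP address")
        self._hits.setdefault(visitor_id, []).append(record)
        return visitor_id  # sent back to the browser as the cookie value

    def export_visitor(self, visitor_id):
        # Portability: everything held about the visitor, structured, in the clear.
        payload = {"visitor_id": visitor_id, "hits": self._hits.get(visitor_id, [])}
        return json.dumps(payload, indent=2)

    def erase_visitor(self, visitor_id):
        # Right to be forgotten: remove every record and confirm nothing remains.
        self._hits.pop(visitor_id, None)
        return visitor_id not in self._hits

    def visitor_count(self):
        return len(self._hits)


def run_demo():
    """Walk through ingest, export and erase; returns the observable outcomes."""
    store = VisitorStore()
    first = store.ingest(RAW_HITS[0])
    # The browser returns the cookie on the next hit, so the two hits are
    # linked by the cookie value, never by the shared IP address.
    second = store.ingest({**RAW_HITS[1], "cookie_id": first})
    store.ingest(RAW_HITS[2])
    exported = json.loads(store.export_visitor(first))
    erased = store.erase_visitor(first)
    return {
        "same_visitor": first == second,
        "pages": [h["page"] for h in exported["hits"]],
        "no_ip_in_export": not contains_ip(exported),
        "erased": erased,
        "visitors_left": store.visitor_count(),
    }


if __name__ == "__main__":
    print(run_demo())
```

The guard in `contains_ip` is the part worth keeping in a real pipeline: it turns "we don't store the IP" from a convention into a check that runs on every record, and the same check can be run over exports before they are handed to a data subject.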
- Right to be forgotten
KAMELEOON ORGANIZATIONAL COMPLIANCE
- Nomination of a DPO
Our security and GDPR compliance program is supervised by a Data Protection Officer named in January 2018.
- Response in case of an incident
Our incident management program enables us to react to security breaches on a 24/7 basis. If visitor or customer data is impacted, the Customer is informed without delay, as stipulated in the contract.
- Security insurance plan
Kameleoon's security measures take into account state-of-the-art technology and GDPR requirements. Kameleoon guarantees confidentiality, integrity, availability and traceability of the Customer's data and keeps an updated written documentation detailing implemented technical and organizational security measures.
- EU-based servers
Kameleoon’s servers are situated in Europe. No personal data whatsoever circulates outside the EU, so our customers are sure to comply with GDPR’s data circulation restrictions.
- Product development and new features
All new features we develop will be GDPR compliant. We follow strict guidelines to guarantee compliance with personal data protection rules.