GDPR Compliance Overview
As a business owner, website admin or organization that offers goods or services to (or monitor the behavior of) EU data subjects you will have to comply with it. Therefore, if you have EU customers or visitors from anyone residing in the European Union, you have to respect the GDPR policies no matter where you are actually located.
Here are some nice reads to consider on this topic:
- Our GDPR Commitment — a page about GDPR and how do we comply and safeguard the personal data.
- A Data Processing Agreement — Since we, as an analytics solution, are the processors for the website owners, we also prepared this document for everyone having an account! You can find it (and sign it) in your Visitor Analytics Settings.
- A short article about our updates & changes under GDPR
- An article about the ISO27001certification
1. What is GDPR?
The General Data Privacy Regulation (GDPR) is the most important change in data privacy regulation in 20 years. To make it shorter (and easier to understand): the GDPR replaces the Data Protection Directive 95/46/EC and it is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
Date of effectiveness: 25 May 2018 – at which time those organizations in non-compliance may face heavy fines.
Here is a really nice and easy to understand infographic published by the European Commission: ec.europa.eu/justice/smedataprotect/index_en.htm
2. What data can we process and under which conditions?
- Personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data we’re processing (‘lawfulness, fairness and transparency’). In order to do so, all the data that we process can be checked by each Customer at any moment.
- We only collect and process the personal data that is necessary to fulfill our purpose: offer you website analytics and the option to comment on our blog (‘data minimisation’).
- We are ensuring that personal data is accurate and up-to-date, by offering our Customers the right to edit it at any moment as they need (‘accuracy’).
- We do not further use the personal data for other purposes that aren’t compatible with the original purpose of collection.
- We ensure that personal data is stored for no longer than necessary for the purposes for which it was collected and each Customer can reset its website data at any moment and delete the account — once these steps are done and confirmed, we no longer store the data (‘storage limitation’).
- We installed appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’). Therefore, we also use the procedures and policies under ISO/IEC 27000 family of standards to help organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
3. What are my rights as a user?
You have the right to:
- Information about the processing of your personal data;
- Obtain access to the personal data held about you;
- Ask for incorrect, inaccurate or incomplete personal data to be corrected;
- Request that personal data be erased when it’s no longer needed or if processing it is unlawful;
- Object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
- Request the restriction of the processing of your personal data in specific cases;
- Receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
- Request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.
To exercise your rights you should contact us at email@example.com and we will respond to your requests without undue delay and generally at the latest within 1 month.
You may be asked to provide information to confirm your identity (such as, clicking a verification link, entering a username or password) in order to exercise your rights.
These rights apply across the EU, regardless of where the data is processed and where the company is established. These rights also apply when you buy goods and services from non-EU companies operating in the EU.
At Visitor Analytics, we are fully aware of the trust you place in our product and team and our responsibility to keep your data and privacy secure. Therefore, we are transparent regarding the information we collect when you use our products and services, why we collect it, and how we use it to improve the service for you!
5. Data Privacy
At Visitor Analytics we protect your account data in multiple ways:
- Our Terms of Service and Data Protection Agreement, which all our Customers must agree with, prohibit sending personally identifiable information to Visitor Analytics that could be used to reasonably identify an individual, including (but not limited to) names, email addresses, or billing information.
- Visitor Analytics is only providing the data to each Customer based on the Data Processing Agreement that was signed between the two parties and may not be shared without customer’s consent, except under certain limited circumstances, such as when required by law.
- We have a security-dedicated team to guard against external threats to data. The internal access to data (e.g., by employees) is regulated as well.
6. Privacy Controls
At Visitor Analytics we provide control to all our Customers that own a website and to their Visitors, in order to have more control on how their data is collected by Visitor Analytics:
- Visitor Analytics opt-out service is for the Customers' website Visitors that do not want their data to be tracked by Visitor Analytics. By using a feature to access the websites that are running Visitor Analytics, we will not send any information about you, as a visitor, to the website owner. Please note that this does not prevent the information from being sent to the website itself or to other web analytics services. In the future, this system will be automated, for now you can send an email to our firstname.lastname@example.org.
- Download data: you, as a Visitor Analytics customer, can always download your data by clicking Export in the Latest Visitors section or ask us for a copy of your data within our app by sending us an email to email@example.com.
- Visitor Analytics Account settings: As a Visitor Analytics Customer you are able to sign a Data Processing Agreement with us (and should do so if GDPR applies to you), you have the option to review settings to give you control over data collected about you. We will never sell your data to a third party!. You can delete all your data with just a few clicks and you can opt-in or opt-out from our e-mails at any moment.
7. Visitor Analytics Processing operations
With regard to our App, depending on the person of the Data Subject, the Personal Data inserted will be subject to basic activities such as customer’s registration with regard to using our App; providing Customer with the right to edit his information (Visitor Analytics), statistics; export of statistics; the exclusion of customer’s visits to Customer Website; and Customer account management.
The Customers’ activity and info concerning the use of the Visitor Analytics App may be tracked, but only for performance purposes (e.g. installed app time, deleted app time, subscription status) and each customer can contact us to obtain all the info that we gather about him/her at any moment or control the personal data by reviewing the Setting area in the Visitor Analytics Account.
8. Categories of Data Subjects
The categories of Data Subjects affected by the Processing are Customers (website owner); third parties related to Customer such as employees or other authorized persons; Wix; and persons authorized by Visitor Analytics such as employees or other authorized Personnel.
9. Categories of data
Depending on the person of the Data Subject, the Personal Data inserted concern the following categories of data: name; company name; email address; timezone and website for each website owner (customer). This data can be edited at any time by the customer.
10. Sensitive data
We do not anticipate that sensitive data will be Processed.
11. Use of IP addresses
All the computers and devices connected to the Internet are assigned an Internet Protocol (IP) address. The IP is usually used to identify the country, state, and city from which a device is connecting to the Internet. Visitor Analytics uses IP addresses to provide website owners an approximate geolocation of their Visitors.
The IP Anonymization option gives website owners using Visitor Analytics the choice to not store the IPs, but to still get their Visitors’ approximated location.
12. Data-sharing settings
Within Visitor Analytics App the Customers cannot share their account data with other products and services unless they give access to someone to their Wix Website. The provision of the Visitor Analytics Services involves the Processing of Personal Data within the framework of the Contract and the Customer (website owner) shall remain the responsible body for the Processing of Personal Data, for assessing the legal admissibility of Processing the Personal Data and for respecting the rights of Data Subjects.
13. Control over data
All the website owners using Visitor Analytics own both account data and their Visitors’ data, can export reports at any time using a CSV or XLSX download option and use the data as wished or by contacting our support at firstname.lastname@example.org.
Website owners can also set-up their e-mail preferences, reset their visitors' data or delete their account at any time.
14. Visitor Analytics team access to your data
All the data that we gather for our Customer is confidential information. Visitor Analytics’ Employee access controls protect Customer data from unauthorized access, and we use a special script to access a website owner’s data (both account data and their Visitors’ data) and conduct audits to ensure the controls are enforced.
Access to a Customer account data may be granted on a strict need-only basis to Visitor Analytics’ employees who require specific access to perform their jobs or by request from a Customer in order to help or provide support. Visitor Analytics’ employees requesting access must explain why they need the access, while following our internal privacy policies, and receive approval before they can access the data.
Customer Service Representatives may not access Customers' data without explicit permission from the Customer and may only use the devices and networks provided by Visitor Analytics, unless a technical fault is attempted to be fixed.
15. Information Security and disaster recovery
In order to minimize any chance of security breach, data loss or disaster, Visitor Analytics implemented appropriate technical and organizational measures to protect the Personal Use Data that meet the requirements of Art. 32 GDPR. In particular, Visitor Analytics implemented technical and organizational measures to provide the on-going confidentiality, integrity, availability and resilience of processing systems and services. The technical and organizational measures are described in Exhibit 2 of the Data Processing Agreement. Customer has knowledge of these technical and organizational measures and is responsible for ensuring that they provide an appropriate level of protection for the risks of the Personal Use Data being Processed.
Visitor Analytics may update or modify the measures listed in Exhibit 2 from time to time provided that such updates or modifications do not result in any material degradation of the security of the Personal Use Data.
Visitor Analytics will notify Customer without undue delay after becoming aware of a Security Incident and assist Customer with its third party notification and communication obligations, taking into account the nature of Processing and the information available to Visitor Analytics. However, Customer is solely responsible for fulfilling any third party notification and communication obligations. Visitor Analytics will take, where appropriate, measures to mitigate the possible adverse effects of the Security Incident.
In the event of any loss or damage to Personal Use Data, Visitor Analytics will use commercially reasonable endeavors to restore the lost or damaged Personal Use Data from the latest back-up of such Personal Use Data maintained by Visitor Analytics in accordance with its standard archiving procedures.
Visitor Analytics shall not be responsible for any destruction, loss, alteration or disclosure of personal data caused by any third party (except any third parties subcontracted by Visitor Analytics to perform services related to Personal Use Data maintenance and back-up).
16. Data Processing Agreement
We are meeting the requirements of the GDPR, the new data protection law coming into effect on 25 May 2018. In summary, the GDPR applies to any business (within EU or with EU Customers) that processes personal data by automated or manual processing (provided the data is organised according to criteria).
In order to sign our Data Processing Agreement, please:
- Go to your Visitor Analytics Account
- Click Settings
- Check the Data Protection section and click View
- Sign the Data Protection Agreement
Once signed, you can also download it and keep it for your very own records.