Easypromos and the new General Data Protection Regulation (GDPR)

Carles Bonfill
Carles Bonfill
The European Union’s new General Data Protection Regulation (GDPR) is designed to reinforce and unify data protection for all EU citizens. The regulation was approved by the EU parliament, The Council of the European Union and the EU Commission two years ago. The regulation will be applied as of May 25, 2018.

The GDPR applies to anyone who handles the data of EU residents. Easypromos is based in an EU country (Spain), and is already adapted to Spanish legislation (LOPD) regulating the rights of data subjects, consent for data transfer, and the responsibilities of those in charge of processing the data, so our adaptation to this new EU regulation has taken place very organically.

According to the new regulation, it must be made much clearer to users who is processing and storing their personal data and what they are using the data for. It is no longer permissible to bury this information in long and complex terms and conditions or privacy policies. Users must be informed using intelligible, accessible language, and their consent to having their data processed must be given freely and unambiguously.

In this document we outline all the actions Easypromos has taken to adapt to the GDPR.

Easypromos’s commitment to the GDPR

Our responsibility is to work for the success of our clients. To do this, we have always made the security of contest participants’ data a priority. We are therefore committed to complying with the EU’s new General Data Protection Regulations.

We have analyzed all the requirements set out by the GDPR and can confirm that we are already compliant and prepared for 25 May 2018. We have updated the terms and conditions of the platform to include our commitment as data processor to comply with all the provisions of the GDPR. See our commitment in clause 17 of the Easypromos Terms and Conditions.

Furthermore, as part of this commitment we continue to provide our clients with tools that enable them to adapt to the GDPR more efficiently. We are also dedicated to continuously improving our internal procedures for guaranteeing the confidentiality, availability and integrity of our clients’ data.

Our adaptation to the GDPR

Easypromos’s adaptation to the GDPR is based on three pillars:

  1. Implementation of new tools to enable our clients to create campaigns that are in alignment with the GDPR.
  2. Adaptation of our General terms and conditions regarding our position as data processors of the data provided by contest participants by including a new Data Processor Agreement, as well as implementation of new procedures to guarantee the confidentiality, integrity and availability of this data, and our commitment to data controllers.
  3. Update of our privacy policy and clients’ data protection policy, as well as reviews for obtaining consent for sending commercial communications.

We know that for most people reading this, the first two pillars may seem more important, but it’s imperative to always consider the privacy and data management of our own clients.

Below, we outline the actions carried out to strengthen each of these three pillars.

Implementation of tools to create GDPR compliant campaigns

In online contests and sweepstakes an exchange takes place between brands and participants. In these exchanges, users provide personal data in exchange for the chance to win a prize.

According to the GDPR, the brand behind the contest is responsible for the data of users who sign up and take part. According to the new regulation, the person responsible for the data has a series of obligations. However, as regards the management of promotional campaigns we’d highlight the following:

  1. The brand should clearly inform participants of who will control their data, what purpose the data will be put to, and how participants can exercise their rights to access, edit and delete their data or oppose certain uses of the same.
  2. Participants’ consent for the transfer of data should be given specifically and unambiguously.

To this end, as a platform to create promotions and contests, we provide tools that make it possible to create entry forms that are aligned with the controls, recommendations and good practices of the GDPR. Here are some of the implementations we have carried out:

  • Disclaimer field: this is a field where the brand can add an explicit legal text to the data collection form. This is the recommended field for inserting the first layer of information about data privacy policy.
  • Additional information fields in all text fields: For every field of the forms there are options for providing additional information to users.
  • For all design templates it is possible to insert introductory texts into the entry form, in order to add additional text to the page. In White Label promotions it is also possible to insert HTML text customized via CSS.
  • Check boxes for legal texts or sign-up to newsletters with double opt-in enabled.
  • Control over the default state of the check boxes.
  • Control over access to the entry form based on age.

We’ve also implemented new options in the organizer’s control panel to ensure that participants can exercise their rights more easily:

  • Comprehensive information about the user’s consent, including when it was given, what was consented to, and from what location consent was given. This information is exportable and easily accessible.
  • Quick controls for localizing participants.
  • Quick controls for deleting and editing entries and participants.
  • Tools for exporting all the data of a contest participant for quick and easy portability.
  • Tools that make it possible to automatically synchronize and export participants’ data with CRMs or external databases so that brands can exercise the users’ rights from centralized systems.

In addition, we can confirm that all of the Easypromos infrastructure is within the European Union, meaning that it is not necessary to specifically inform a participating user from the EU that an international data transfer will be carried out.

And finally, we continue to generate:

  • Informative material about good practices in the creation of campaigns and promotions that are in alignment with the GDPR.
  • New options for increasing promotion administrators’ efficiency in terms of data protection when managing the campaign.

Our commitments as processors of the data provided by contest participants

In contests and promotions created via our platform, Easypromos acts as data processor of the information provided by participants. To comply with the requirements of the new regulations in our capacity as data processors we’ve carried out the following actions:

a) Update of our commitments as data processors in our terms and conditions

We’ve updated our terms and conditions, adding clause 17, in which we indicate our commitment to complying with all the obligations of EU Regulation 2016/679, passed by the European Parliament and Council on April 27, 2016. The clause establishes Easypromos’s role as processor of the data provided by participants, under the control of the organizing brand.

As data processors, our commitments are: (i) not to give data to third parties; (ii) to guarantee the confidentiality, integrity, availability and permanent resilience of processing systems and services; (iii) to restore availability and access to personal data in case of physical or technical incident; (iv) and to guarantee the security of the data through the efficiency of technical and organizational measures.

Our responsibility as data processors also includes assisting and cooperating with the contest organizer who is responsible for the participants’ data.

b) Incorporation of a Data Protection Officer (DPO or DPD)

As a company that manages data on a large scale, Easypromos has incorporated a data protection officer. This delegate will be responsible for ensuring Easypromos’s compliance with data protection. Our DPO is the legal entity Letslaw, S.L. (www.letslaw.es) and its functions are as follows:

  • To inform and advise on data protection matters
  • To supervise compliance with the provisions of the European Data Protection Regulation
  • Tasks related to impact evaluation
  • To cooperate with the Control Authority
  • Point of contact on data protection issues

c) ISO 27001 certification seal and impact evaluation

To guarantee the permanent confidentiality, integrity, availability and resilience of the treatment systems and services, Easypromos is undertaking the ISO 27001 certification process. We have adopted this data security management system as the most effective means to minimize risk, ensuring that the assets and risks of the company are identified and valued, assessing the impact for the organization, and adopting controls and procedures that are efficient and consistent with our business strategy.

The GDPR does not yet have specific certification, but the management methodology, procedures and controls of the ISO 27001 include the controls, obligations and recommendations stipulated in the GDPR.

d) Technical security measures

The security and reliability of the system has always been one of the cornerstones of the Easypromos platform. That’s why many of the control measures postulated by the GDPR and ISO 27001 have already been implemented:

  • Pseudonymization of user data
  • Encryption techniques for all data at rest
  • Backup copies and encryption of backup copies
  • Firewalls and intrusion detectors
  • Data access controls
  • Encrypted communications
  • Procedures for incident control and communication
  • 24×7 system monitoring
  • Procedures for recovering from technical or physical disasters

Some of the techniques that we have already applied are explained in the following link.

Update of our privacy policy regarding data provided by our clients and our policy regarding commercial communication with clients

The third pillar of our adaptation is the review of our internal procedures for the protection of the data provided by our own clients: those who use our platform. To this end we are doing the following:

  1. Updating our privacy policy for a clearer and easier-to-understand definition of the data we ask clients to provide, and how our clients can exercise their own rights. We also indicate our policy for profiling to send segmented communications. You can review our updated privacy policy in this link: https://www.easypromosapp.com/privacy-policy/. We have separated the clauses on data protection into a number of files. There is (i) the privacy policy for our clients; (ii) the privacy policy for users who accept the Easypromos application to carry out Social Login on the social networks; and finally (iii) the data processor agreement for the processing of participants’ data that is controlled by the promotion organizer mentioned in the previous point.
  2. Review of consent to commercial communications and acceptance of policies: We’re in the process of reviewing clients’ consents to receiving commercial communication. This is to ensure that we have each client’s unequivocal confirmation, as established in the GDPR. In the following days, our clients should reconfirm if they wish to continue receiving commercial communications, and of what sort, from Easypromos. In addition, all data collection forms are being updated to include our updated privacy policy and the first information layer regarding data transfer.
  3. Implementation of tools to exercise the rights of clients more efficiently. As we indicate in our privacy policy, our clients can exercise all their rights. And that’s why we’re implementing internal tools that enable us to be more efficient when users exercise their rights to portability, erasure, and to be forgotten.

The implementation of these three pillars enables us to guarantee that Easypromos is correctly adapted to the new Regulations for May 25, 2018. The security of the data of our clients is fundamental to our company, and we’ll continue to work each day to adapt and improve on every level: legal, organizational, and technical.

For any questions about data protection, please contact our data protection officer at dpo@easypromosapp.com.