As a business owner, website admin or organization that offers goods or services to (or monitors the behavior of) EU data subjects, you will have to comply with it. Therefore, if you have EU customers or visitors residing in the European Union, you have to respect the GDPR policies no matter where you are actually located.
Here are some nice reads to consider on this topic:
1. What is GDPR?
The General Data Privacy Regulation (GDPR) is the most important change in data privacy regulation in 20 years. To make it shorter (and easier to understand): the GDPR replaces the Data Protection Directive 95/46/EC and it is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
Date of effectiveness: 25 May 2018, from which time organizations not in compliance may face heavy fines.
Here is a really nice and easy to understand infographic published by the European Commission: http://ec.europa.eu/justice/smedataprotect/index_en.htm
2. What data can we process and under which conditions?
The type and amount of personal data we may process is limited to those depicted in the contract with our customer. We are not sharing it with third parties. We ourselves only process personal data as described in our Privacy Policy (https://www.twipla.com/en/support/legal-data-privacy-certificates/standard-integration/privacy-policy). We also respect several key rules as required by GDPR, including
3. What are my rights as a user?
You have the right to:
To exercise your rights you should contact us at support@twipla.com and we will respond to your requests without undue delay and generally at the latest within 1 month.
You may be asked to provide information to confirm your identity (such as, clicking a verification link, entering a username or password) in order to exercise your rights.
These rights apply across the EU, regardless of where the data is processed and where the company is established. These rights also apply when you buy goods and services from non-EU companies operating in the EU.
4. Our Terms of Use and Privacy Policy
We are fully aware of the trust you place in our product and team and our responsibility to keep your data and privacy secure. Therefore, we are transparent regarding the information we collect when you use our products and services, why we collect it, and how we use it to improve the service for you!
Our Terms of Use & Data Processing Agreement describe how we treat personal data in connection with the use of our App and how we take care of it. You can find more information on how we process your personal data in our Privacy Policy.
5. Data Privacy
We protect your account data in multiple ways:
6. Privacy Controls
We provide control to all our Customers that own a website and to their Visitors, in order to have more control on how their data is collected by us:
7. Processing operations
We do not use cookies to report the Visitors' interactions on Customers’ websites.
With regard to our App, depending on who the Data Subject is, the Personal Data entered will be subject to basic activities such as the customer's registration for using our App; giving the Customer the ability to edit their information and statistics; export of statistics; the exclusion of the customer's own visits from the Customer Website statistics; and Customer account management.
The Customers' activity and information concerning the use of our app may be tracked, but only for performance purposes (e.g. app installation time, app deletion time, subscription status). Each customer can contact us at any moment to obtain all the information we gather about them, or can review and control their personal data in the settings area of their Account.
8. Categories of Data Subjects
The categories of Data Subjects affected by the Processing are Customers (website owner); third parties related to Customer such as employees or other authorized persons; Wix; and persons authorized by us such as employees or other authorized Personnel.
9. Categories of data
Depending on the person of the Data Subject, the Personal Data inserted concern the following categories of data: name; company name; email address; timezone and website for each website owner (customer). This data can be edited at any time by the customer.
In order to provide the service as agreed in the Terms of Use and Data Processing Agreement, we provide the Customer with: IP address; data on the connection of a Visitor to Customer Website (timestamp, number of pages viewed, IP address); information about the visitor’s device (e.g. mobile or computer, OS, browser, screen size); approximate geolocation data inferred from visitor’s IP address location.
10. Sensitive data
We do not anticipate that sensitive data will be Processed.
11. Use of IP addresses
All computers and devices connected to the Internet are assigned an Internet Protocol (IP) address. The IP address is usually used to identify the country, state, and city from which a device is connecting to the Internet. We use IP addresses to provide website owners with an approximate geolocation of their Visitors.
The IP Anonymization option gives website owners using our app the choice not to store the IP addresses, while still getting their Visitors' approximate location.
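The following is an added illustration of how such an option can work in general, not the app's own code: the approximate location is derived from the raw IP address in memory, and only then is the address truncated (last octet of IPv4, host part of IPv6) or dropped before anything is stored. The prefix-to-location table is constructed sample data, and the truncation widths are an assumed policy.

```python
import ipaddress

# Constructed sample table mapping network prefixes to coarse locations
# (documentation ranges only; not real geolocation data).
GEO_PREFIXES = {
    "203.0.113.0/24": "Example City, Exampleland",
    "198.51.100.0/24": "Sample Town, Exampleland",
    "2001:db8:abcd::/48": "Doc City, Docland",
}
_GEO_NETWORKS = [(ipaddress.ip_network(p), loc) for p, loc in GEO_PREFIXES.items()]


def approximate_location(ip):
    """Coarse lookup of the prefix containing ip; None when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, loc in _GEO_NETWORKS:
        if addr in net:
            return loc
    return None


def anonymize_ip(ip):
    """Zero the host part: keep 24 bits of IPv4, 48 bits of IPv6 (assumed policy)."""
    addr = ipaddress.ip_address(ip)
    prefix_len = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return str(net.network_address)


def record_visit(raw_ip, mode="drop"):
    """Build the record that would be persisted for one visit.

    mode: "full"     store the raw IP (anonymization off)
          "truncate" store only the network prefix
          "drop"     store no IP at all, only the derived location
    The lookup always runs on the raw address before it is discarded.
    """
    location = approximate_location(raw_ip)
    if mode == "full":
        stored_ip = raw_ip
    elif mode == "truncate":
        stored_ip = anonymize_ip(raw_ip)
    elif mode == "drop":
        stored_ip = None
    else:
        raise ValueError(f"unknown mode: {mode}")
    return {"ip": stored_ip, "location": location}
```

With "truncate" or "drop", two visitors from the same /24 produce identical stored records, which is the point: the owner keeps the city-level view while the stored data no longer identifies a single device.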
12. Data-sharing settings
Within our app the Customers cannot share their account data with other products and services unless they give access to someone to their Wix Website. The provision of our services involves the Processing of Personal Data within the framework of the Contract and the Customer (website owner) shall remain the responsible body for the Processing of Personal Data, for assessing the legal admissibility of Processing the Personal Data and for respecting the rights of Data Subjects.
13. Control over data
All website owners using our app own both their account data and their Visitors' data. They can export reports at any time using the CSV or XLSX download option, or by contacting our support at support@twipla.com, and use the data as they wish.
Website owners can also set up their e-mail preferences, reset their visitors' data or delete their account at any time.
If you want to know more about what we process, please contact us at support@twipla.com or check our Privacy Notice, Terms of Use and Data Processing Agreement.
14. Our team access to your data
All the data that we gather for our Customer is confidential information. Our employee access controls protect Customer data from unauthorized access, and we use a special script to access a website owner’s data (both account data and their Visitors’ data) and conduct audits to ensure the controls are enforced.
Access to a Customer account data may be granted on a strict need-only basis to our employees who require specific access to perform their jobs or by request from a Customer in order to help or provide support. Our employees requesting access must explain why they need the access, while following our internal privacy policies, and receive approval before they can access the data.
Customer Service Representatives may not access Customers' data without explicit permission from the Customer, and may only do so using the devices and networks provided by us, unless they are attempting to fix a technical fault.
15. Information Security and disaster recovery
In order to minimize any chance of a security breach, data loss or disaster, we have implemented appropriate technical and organizational measures to protect the Personal Use Data that meet the requirements of Art. 32 GDPR. In particular, we have implemented technical and organizational measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. The technical and organizational measures are described in Exhibit 2 of the Data Processing Agreement. The Customer has knowledge of these technical and organizational measures and is responsible for ensuring that they provide an appropriate level of protection for the risks of the Personal Use Data being Processed.
We may update or modify the measures listed in Exhibit 2 from time to time provided that such updates or modifications do not result in any material degradation of the security of the Personal Use Data.
We will notify Customer without undue delay after becoming aware of a Security Incident and assist Customer with its third party notification and communication obligations, taking into account the nature of Processing and the information available to us. However, Customer is solely responsible for fulfilling any third party notification and communication obligations. We will take, where appropriate, measures to mitigate the possible adverse effects of the Security Incident.
In the event of any loss of or damage to Personal Use Data, we will use commercially reasonable endeavors to restore the lost or damaged Personal Use Data from the latest back-up of such Personal Use Data maintained by us in accordance with our standard archiving procedures.
We shall not be responsible for any destruction, loss, alteration or disclosure of personal data caused by any third party (except any third parties subcontracted by us to perform services related to Personal Use Data maintenance and back-up).
16. Data Processing Agreement
We are meeting the requirements of the GDPR, the new data protection law coming into effect on 25 May 2018. In summary, the GDPR applies to any business (within the EU or with EU Customers) that processes personal data by automated or manual processing (provided the data is organised according to criteria).
As part of our growth and in support of upcoming changes to EU data protection law, we've launched a new Data Protection Agreement to be signed by EU users and those users who offer goods/services to users from the EU or monitor their behaviour (e.g. via cookies). We also updated our Terms of Use, made changes to our contract terms, and changes to our products, to help both you and us meet the new requirements.
We’ve re-organized our Terms of Use and Data Processing Agreement to make it more clear and understandable, defined key terms, and described our data processing practices.
In order to sign our Data Processing Agreement, please:
Once signed, you can also download it and keep it for your very own records.