Avaamo & the General Data Protection Regulation (GDPR)

GDPR is an opportunity to build a stronger data protection foundation for the benefit of all. Avaamo is committed to ensuring that our platform is GDPR-compliant when the regulation becomes enforceable on May 25, 2018.
GDPR_banner

GDPR Compliance

What is GDPR?

On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

 

As a result of this change, many organizations that have access to and process the personal data of EU-based users are subject to the rules and regulations that come into effect along with GDPR. Since many of our bot creators are based in the EU, while many of those outside the EU have EU-based bot users, we need to address these rules and regulations accordingly.

What is Avaamo doing to comply?

Avaamo is a company headquartered in the U.S., but we have customers and bot users located in the EU. Despite the fact that we do not have any physical locations in the EU, we recognize the fact that many of our users are directly affected by the GDPR will be expecting us to comply in order to continue using our product and have the confidence that they can do it in accordance with the new legislation.

 

Therefore, we’ve addressed the GDPR requirements that would apply to us as processors (and in some cases subprocessors) of personal data by implementing specific legal, technical and organizational measures aimed to address data privacy and security concerns:

 

  • We’ve put in place the contractual measures in the form of a Data Processing Agreement in accordance with the GDPR requirements that would come into effect the day GDPR comes into force and all platform users will be asked to accept the terms prior to that date.
  • We’ve ensured that we have appropriate contractual measures in place with each of our data subprocessors such as cloud service and analytics providers.
  • We’ve implemented and outlined specific technical and organizational measures (Appendix 2 to the DPA) to ensure data privacy and security and have put in place internal protocols and processes to ensure that we can address the GDPR requirements with regards to storage, processing, and control of personal data.

 

Our Data Processing Agreement will be shared with all users before May 25, 2018, at which point it will come into effect. This document will work as an addendum to our standard Terms of Use and Privacy Policy. If you continue using our platform after that date, you will be asked to agree to accept the terms of the Data Processing Agreement.

Updated Terms of Use and Privacy Policy

In accordance with the GDPR requirements, we have updated our Terms of Use and Privacy Policy. We encourage you to read both documents in full and contact us if you have any questions.

 

These updates will take effect on May 25, 2018. By continuing to use our services on or after that date, you acknowledge our updated Privacy Policy and agree to the updated Terms of Use.

FAQs

Q. What are my main responsibilities under GDPR?

 

Your responsibilities under GDPR will depend on the nature of your business and your personal data processing activities.  Please refer question #5 to determine your role and responsibilities.  Nonetheless, broadly speaking, GDPR requires that personal data be:

 

  1. Processed lawfully, fairly and in a transparent manner
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
  3. Adequate, relevant, and limited to what is necessary for achieving those purposes
  4. Accurate and kept up to date
  5. Stored no longer than necessary to achieve the purposes for which it was collected, and
  6. Properly secured against accidental loss, destruction or damage.

 

Further, GDPR places additional obligations on companies to document their processing activities and be able to demonstrate their compliance with the above principles.  It also codifies the requirement that companies apply data protection by design and by default when developing and designing processes, products and systems.  

 

In addition, if you use service providers to process personal data on your behalf, you will need to ensure that you have an appropriate contract in place that ensures that they are obligated to apply GDPR’s data processing standards. Similarly, if you are transferring EU personal data outside the EU, you may only do so if it is being transferred to a country deemed by the EU Commission to have adequate data processing regulations.  For transfers to countries not deemed adequate, you must ensure appropriate alternative safeguards are in place.  Currently, under the Directive, approved transfer safeguards include the EU-US Privacy Shield and standard contractual clauses.

 

Depending on the nature of your business and your personal data processing activities there are various other GDPR obligations that may apply.  You should consult with a qualified privacy professional to understand how GDPR applies to your specific business.

 

Q. What’s the definition of “personal data” under the GDPR?

 

Personal data means data that relates to an identified or identifiable natural person (aka “data subject”). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, an ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Importantly, this is a very broad definition and can encompass data like IP addresses of a user’s personal device, their device ID, or their phone number.  It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID). What matters is that the information can be used to “pick that user out of the crowd” even if you don’t know who that user is.  

 

It is also important to note that the definition of personal data is not tied to concerns about identity theft the way that definitions of personally identifying information (PII) are under many US data breach laws.  So, even if it seems like there would be little privacy harm if someone got ahold of your users’ IP addresses, that does not mean that those IP addresses are not personal data.  It just means that this data may not require the same level of data protection as more sensitive personal data like your users’ credit card numbers.

 

Q. Do I have to appoint a Data Protection Officer for the GDPR?

 

It depends. Article 37 of GDPR says that entities are required to designate a data protection officer if:

 

  • The processing is carried out by a public authority or body (except courts acting in their judicial capacity);
  • The core activity of the entity consist of personal data processing that amounts to or requires regular or systematic monitoring of EU individuals on a large scale;
  • The core activity of the entity consists of large-scale processing of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, or data concerning health, a person’s sex life or sexual orientation) and personal data relating to criminal convictions or offenses.

 

The Working Party 29 (a group of data protection regulators in the EU) has provided additional guidance to help you determine if you fit within one of these categories.  

 

Q. Is there an addendum to the Avaamo Terms and Conditions for GDPR?

 

Yes. There is an addendum both privacy policy and terms & conditions sections of the agreement. Avaamo will be sending an email to all customers and partners with the updated documents.

 

Q. Is the Avaamo Platform considered Data Processor (or) Data Controller?

 

“Data controller” and “data processor” are important concepts in understanding a company’s responsibilities under the GDPR. Depending on the scenario, a company may be a data controller, data processor or both — and will have specific responsibilities as a result:

 

Data Controller

A company is a data controller when it has the responsibility of deciding why and how (the ‘purposes’ and ‘means’) the personal data is processed. Under the GDPR, data controllers will have to adopt compliance measures to cover how data is collected, what it’s used for and how long it’s retained. They will also need to make sure people can access the data about them. Data controllers must ensure data processors meet their contractual commitments to process data safely and legally.

 

Data Processor

A company is a data processor when it processes personal data on behalf of a data controller. Under the GDPR, data processors have obligations to process data safely and legally.

 

Sub Processor

A subprocessor is a third party data processor engaged by a Company, including entities from within the Company, who has or potentially will have access to or process personal data. Avaamo Conversational Platform acts only as a “Data processor” working with Enterprises on their data. The Enterprise (Customer) is the “Data controller”, and may also function as the primary “Data processor” of end user PII.

 

Q. How does the platform identify PII information and how does the Avaamo platform protect it?

 

Personal data means data that relates to an identified or identifiable natural person (aka “data subject”). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, an ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Importantly, this is a very broad definition and can encompass data like IP addresses of a user’s personal device, their device ID, or their phone number.  It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID). What matters is that the information can be used to “pick that user out of the crowd” even if you don’t know who that user is.  

 

It is also important to note that the definition of personal data is not tied to concerns about identity theft the way that definitions of personally identifying information (PII) are under many US data breach laws.  So, even if it seems like there would be little privacy harm if someone got ahold of your users’ IP addresses, that does not mean that those IP addresses are not personal data.  It just means that this data may not require the same level of data protection as more sensitive personal data like your users’ credit card numbers.

 

Avaamo Platform already identifies a set of data fields as PII information and masks these fields as well as encrypts this information in the platform. These are the identified fields are the following:

 

Primary

  • Name
  • Email
  • Address
  • Zipcode
  • Credit Card
  • Phone Number
  • Social Media Handle

 

Inferred

  • IP Address (only the last octet)

 

Q. As a bot developer hired by Avaamo’s Enterprise customer to implement one or more bots, am I considered a Data controller or a Data processor?

 

If there are additional fields that can be PII information that the Company  is collecting from the user – they need to be tagged and identified by the developer in the platform.  These tagged fields will be masked and encrypted by the platform. Avaamo also provides mechanisms to view and delete such data on request.

 

Please refer to #5 for definitions of “Data controller” and “Data processor”. Avaamo’s Enterprise customer is the “Data controller” for PII of their end users. Any bot developer hired by Avaamo’s Enterprise customer may be a “Data processor” if they are primarily implementing a scope of work as directed by the Enterprise customer. To determine your exact relation to data and how it may be deemed within the GDPR framework, we suggest conferring with your legal counsel.

 

Q. Should I be requesting user consent within the bot – does it matter which channel the bot is on – our website/app/FB Messenger/etc.?

 

The GDPR defines several possible legal bases for processing information.

 

Under the GDPR, there are a number of approved reasons (or “legal bases”) a company might legitimately process a person’s data. Below, we’ve outlined the most relevant legal bases under the GDPR.

 

Reason Requirements
Contractual necessity Data processed must be necessary for the Service and defined in the contract with the individual
Consent Requires a freely given, specific, informed and unambiguous consent by clear affirmative actionPeople have a right to withdraw consent, which must be brought to their attentionMust be from a person over the age of consent specified in that Member State, otherwise given by or authorised by a parent / guardianExplicit consent is required for some processing (e.g., special categories of personal data)
Legitimate interests If a business or a third party has legitimate interests which are not overridden by individuals’ rights or interests.Processing must be paused if an individual objects to it

 

Depending on your use-case, you may need to rely on users’ explicit consent to process their data. The way you obtain consent may vary, for example you may want to ask for consent when a user is talking to your bot via message or a webview or other UI means. We suggest you confer with legal counsel to determine the requirements for your business

 

Q. Now that GDPR is in effect, do I need to get consent for prior conversations I’ve had? What if I reuse that data as part of my bot?

 

Under the GDPR, you should ensure you have a valid basis for storing, using, or sharing any data regardless of when it was shared with your business. To determine whether you have a valid existing legal basis or if additional steps are necessary to remain compliant, we suggest conferring with your legal counsel.

 

Q. Are there any circumstances when GDPR does not apply?

 

GDPR has broad scope and reach.  That said, it is not unlimited.  So, if you do not have an establishment in the Union and you do not process personal data of EU individuals, GDPR will not apply to your activities.   If you do not know whether you process EU personal data, then you should consider whether you are offering any goods and services (even free ones) to individuals in the EU or if you’re monitoring the behavior of individuals in the EU.  If so, then you are subject to GDPR.  Recital 23 of GDPR does indicate that GDPR is not intended to apply to entities that may inadvertently process EU personal data, but are not trying to provide their goods or services to people in the EU.

Disclaimer
The above information is Avaamo’s interpretation of GDPR and its requirements as of the date of publication.  Please note that not all interpretations or requirements of the GDPR are well settled and its application is fact and context specific.  This information should not be relied upon as legal advice or to determine how GDPR applies to your business or organization. We encourage you to seek guidance of a qualified professional with regard to how the GDPR applies specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. You may copy and use this posting for your internal, reference purposes only.