GDPR Guidance for Yusp services

The General Data Protection Regulation (GDPR) is an EU regulation applicable since 25 May 2018 with the aim to enhance the protection of the personal data of EU citizens. The regulation builds on concepts and rules already put in place across the EU by the 1995 Data Protection Directive.

The GDPR does not only apply to EU-based businesses, but also to any business that offer goods or services to individuals in the EU.  

When you – for example as a eCommerce store owner – use our services, you will – acting as controller – process the personal data of your visitors and customers and you will also engage us as processor with regard to some of your customers’ personal data. It is important for us to help you as our partner to understand the GDPR and what it means to your business. We aim to assist you on how you can build your own processes in a compliant way.

Personal Data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Data you transfer to us concerning your visitors and customers while using our services may qualify as personal data. This includes registration data, e-mail addresses, IP addresses, cookie ID’s etc.

Your role under the GDPR

The GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.

You, as our client act as the data controller with regard to the personal data of your company’s visitors and customers. If you are a client of Yusp, then Yusp acts as the processor of your visitors’ and customers’ data on behalf of your company.

The legal basis for processing the personal data of your visitors and customers

You must have a valid lawful basis in order to process personal data.

You, as a data controller are responsible to determine the legal basis for processing. There are six available lawful bases for processing specified by the GDPR. No single basis is ’better’ or more important than the others – which basis is the most appropriate to use will depend on your purpose and relationship with the individual.

Generally, when you use the personal recommendation services of Yusp in B2C relationships – for example if you are a eCommerce storeowner – obtaining the consent of the visitors and customers can be necessary as a precondition to operating these services.

The visitors and customers must be told what they are opting into. They need to affirmatively opt-in (pre-checked checkboxes aren’t valid). The consent needs to be granular. This means that it has to cover separately the various ways you process and use the personal data of your visitors and customers. Consent must be logged in a way that it can be evidenced later.

Transparency and Data Subject rights

Transparency is a key requirement under the GDPR. Accordingly, individuals have the right to be informed about the collection and use of their personal data in advance. This means that you as controller must provide appropriate privacy notice for your customers and visitors.

Individuals also have the right to access their personal information. The GDPR also introduces a right for individuals to have personal data erased.

The list of rights the GDPR provides for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.
  9. Right to withdraw consent

If your visitors or customers wish to exercise their rights above you can reach out to us and we will assist you in the process to reasonable extent.

Data processing agreement

You as a controller must conclude appropriate data processing agreement (DPA) with us. This DPA can for example be the schedule of our service agreement and must contain certain provisions as prescribed by the GDPR. We are happy to help you and to provide you with appropriate DPA that we prepared for this purpose.

In this DPA we undertake to process the personal data of your customers and visitors with due care and to implement appropriate security measures to protect such data. We also undertake that we process the personal data of your customers and visitors in accordance with your instructions.

Changing legal landscape

It is useful to monitor the rules and practices regarding data protection in e-commerce continuously. Keep an eye out for the draft E-Privacy regulation, as that may introduce novelties in the rules concerning the cookies used in connection to our services as well.

Disclaimer – The information above only serves orientation, this should not be considered either as a complete privacy notice or as a complete description of your obligations under the GDPR. The is also not legal advice. In order to understand the provisions of the law as applicable under your circumstance please consult a qualified legal professional.