GDPR (or General Data Protection Regulation)
Digital privacy is an incredibly important topic for any company that operates online. This is why it is crucial to understand regulations surrounding the handling of individuals’ personal data, such as GDPR. This page will cover all of the ways that Echobox stays up to date with GDPR, as well as how we more generally protect the data privacy of our customers’ subscribers.
For full details on how we handle personal data and adhere to digital privacy laws, please refer to our full DPA.
What is GDPR?
GDPR is a set of rules in EU law surrounding data protection and online privacy in the EU and European Economic Area. It is in place to protect and ensure the privacy of individuals, as well as to hold organisations that handle personal data accountable for upholding those rights and treating people’s data with care.
While these regulations apply to individuals within the EU and EEA, they also affect any company that does business in Europe or handles the data of its citizens, regardless of where the company is based.
Other countries have their own laws and regulations for handling online data, such as the UK’s Data Protection Act 2018 (DPA). However, GDPR is widely considered to be the most stringent, which is why it is important to be familiar with these regulations.
Failure to comply with GDPR standards can result in expensive fines as well as reputational damage, so it is important to understand what responsibilities an organisation has surrounding this.
What are the main principles of GDPR?
If you process the data of EU citizens, you must do so according to seven protection and accountability principles outlined by GDPR.
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Below you will find some key information about the ways in which Echobox maintains these principles and adheres to data protection policies such as GDPR.
What subscriber data do you store?
We only store the following information about your subscribers on our platform for more than 30 days:
- Email address
- Which Campaigns they are subscribed to
- First name (optional)
- Last name (optional)
We do not need to use IP addresses to confirm a subscription or a double opt-in.
Do you gather any other data?
Echobox tracks your readers’ engagement with your Campaigns, for example opens and clicks. To ensure compliance with GDPR, we ensure any such personally identifiable data is suitably pseudonymised beyond 30 days. This means we can still provide you with analytics data beyond 30 days in a way that is GDPR compliant.
Do your customers have to hold any (extra) data?
No. We store the previously mentioned data on our platform and customers do not need to hold any more than they currently do, unless they would like to.
Do you use Double Opt-In?
Double opt-in adds an additional step to an email subscription opt-in process. It requires a subscriber to verify their email address and confirm interest, before they start receiving regular emails.
We have a setting to toggle double opt-in on or off and we recommend that our customers use it. This ensures that you follow any regulations in a country that requires double opt-in, as well as that your subscribers come from a real and monitored inbox.
Do you comply with ‘Right to be Forgotten’ requests?
We process all Right to be Forgotten requests that your subscribers make.
Our standard unsubscribe mechanism is completely GDPR compliant. When a specific Right to be Forgotten request is made, we will ensure any data about the subscriber (for example their original subscription/unsubscription requests) is removed from our databases. This can be done in the unsubscribe box on the Campaign Dashboard screen.
It should be noted that we only recommend this course of action specifically for Right to be Forgotten requests. This is because when we delete all of a subscriber’s data, we also lose a record of when they unsubscribed, meaning there is a small possibility they could accidentally be re-added and sent more editions in future.
Do you use Subprocessors?
We will appoint subprocessors from an approved list which can be found here. All subprocessors we work with conform to the same data handling principles that we do and are also subject to the same contractual obligations regarding this.