On May 25 2018 General Data Protection Regulation (GDPR) will come into force. In short this means that from this date your business needs to be compliant to avoid the new regime of fines being introduced. At Gametation we are ready – our Shopper solution is in compliance and we are ready to guide our clients.
GDPR focuses on transparency, access and control of private data for individuals and on data management for companies. At Gametation we have designed our templated solutions with the individuals control and transparency in mind from the very beginning and we have updated our platform and data handling to be in full compliance with GDPR. In this whitepaper we outline the key areas that need to be considered in the realm of GDPR.
Privacy By Design
The Gametation Shopper Solution has from the very beginning been designed with Privacy in mind. We only ask about personal information, when there is an explicit need and no other way for shoppers to participate or advance. We only require the mobile phone number when shoppers enter the user journey – and the sole purpose of registering the mobile phone number is to send an SMS, if the shopper wins a prize.
We always include a clear and readable terms & conditions notice, where we inform about the recipient of the data, the right to data correction, the period the data is retained for and why, and how to opt-out. When users opt-out, their data will be deleted or anonymized in full.
Later in the campaign flow, we might ask for e-mail permission, and other personal data on behalf of our Customer, for further communication purposes. This collection of permission data is covered by a separate Terms & Conditions, where we inform about the recipients of the data, and how to opt-out. On behalf of our Customer we provide an “opt-out” service for the participants while the campaign is running. All permissions and data given by the user is accessible through a menu that is accessible to shoppers anywhere in the user journey, giving shoppers full transparency.
In a Gametation Shopper Solution – privacy measures is the default and only option.
Data Processing, Handling & Security
All staff at Gametation is educated in handling Personal Data in a secure and diligent manner. We have had focus on GDPR since late 2016 and have focused on implementing the required level of security and processing that is required in GDPR. As a significant part of this, the majority of personal data processing in our campaigns is automated, and data processing that involves manual data processing is limited.
All Personal Data that are stored on Gametation Servers (Data at Rest) is encrypted, and all Personal Data that is transmitted over the internet is encrypted with SLL/TLS. Per default all Data is stored on Azure Servers in a secure Microsoft data-center located in Ireland. If required by local legislation, we do have the option to store personal Data in a different location. Gametation have a formal Data Security Policy and Security Controls Documented, and would be able to present those upon request, after an NDA is signed.
When running a campaign, Gametation act as the “Data Processor” on behalf of our Customer the “Data Controller”, and a Data Processing Agreement will always be in place to regulate the obligations of Gametation and the Customer. Gametation do not at any point transfer personal Data to any other part than our Customer (the “Data Controller”). Gametation do not transfer any data to any 3rd part or transfer Data out of the region where is was collected.
Gametation do not retain the personal Data collected when the campaign period has ended unless explicitly instructed by our Customer (the “Data Controller”) – If Data is retained after a campaign has ended, it will be governed by the Data Processing agreement between Gametation and our Customer.