What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation, better known as GDPR, is the European Union regulation that replaced the Data Protection Directive that was enacted in 1995.
The regulation, which is available online in its entirety on the CNIL website, represents the new standard for personal data protection and respect and has several key objectives:
- to give citizens control over how their data are used;
- to make companies aware of their activities and procedures in regard to the processing of their user and customer data;
- to align the data protection laws and legislation established by individual Member States at an EU level.
What stakeholders are involved in the GDPR?
The GDPR covers all types of activities, without any difference in regard to corporate form: the regulation applies to both public and private stakeholders, whether for-profit or non-profit or B2B or B2C.
What are the main innovations that have been introduced?
The main innovations introduced by the GDPR concern the rules regarding personal data processing: since 25 May 2018, data can no longer be kept for an unlimited amount of time for processing, but rather processing must be functional and consistent with the purpose for which said data were collected.
User and customer consent must be explicit: consent means any expression of free, specific and informed will on the part of the data subject, via which said data subject expresses their consent to the processing of their personal data with an unequivocal statement or positive opt-in.
For their part, data collectors must explain the collection methods and uses of the data in a clear and simple way.
New user rights
Thus the GDPR outlines a few new rights for data subjects, regarding data protection and access:
- right to rectification: the data subject may request that their data be modified or corrected;
- right to erasure: the data subject may ask that their data be permanently deleted;
- right to data portability: the data subject may ask that their data be sent to another party (for example, another competitor);
- right to object:the data subject may request that their data be used only for certain uses or types of processing;
- right of access:the data subject has the right to find out about all the data that have been collected and what they have been used for;
A new definition of consent
The new provision that must be remembered is that there is a new definition of consent that must be “given freely”, i.e. a “positive opt-in” for every use that is to be made of the personal data. Essentially, the GDPR has prohibited two practices that were rather common in the past, namely the practices of opt-out and passive opt-in:
- opt-out is the practice of automatically registering a user on a list, leaving it up to them to unsubscribe;
- passive opt-in is when the boxes are pre-ticked on registration forms.
Thus, opting-in is the only legitimate way to obtain explicit consent and only lists that have been obtained in this way can be used legally.
From this perspective, the GDPR affects some activities carried out by digital marketers:
- multiple opt-ins must be added to forms, in accordance with each different use that will be made of the collected data: transactional emails, user profiling, etc.
- Furthermore, you must ask the user for permission again every time you want to use data belonging to them that is in your possession in a way that is different from the one conveyed at the time of collection.
What does ShopCall do to comply with the GDPR?
First and foremost, we clearly specify roles: ShopCall clients are and remain the Data Controllers.
In order to accept to use the ShopCall platform, you must appoint Shopcall Srl, which owns ShopCall technology, as the Data Processor.
We process user and client data scrupulously and in full compliance with the rules.