GDPR and Marketing Automation

The GDPR gives users ("data subjects"), whose data are processed, certain rights. Among these, the right to be forgotten should certainly be mentioned, which in the new framework of the GDPR becomes synonymous with the right to data erasure. This means that data subjects have the right to request the deletion of their personal data if it is no longer necessary in relation to the purposes for which it was collected and processed; it is processed unlawfully; and/or the data subject has withdrawn consent or objected to the processing and the data controller has no further purposes and other legal basis for processing the data.

Among other rights under the GDPR, the right to data portability deserves specific mention, which allows our customers and their users to request in a structured, commonly used, and electronically readable format the personal data concerning them and/or to request its transfer to a new provider, should their contracts be transferred to the latter. The right to data portability applies to all processing of personal data: based on the user's consent; carried out in an automated manner. It should be noted, however, that, the right to request the transmission of data to another data controller exists only if the operation is technologically feasible, it being therefore necessary that, for example, the two systems concerned, transmitter and receiver, are compatible with each other. The Blendee platform makes it easy and straightforward to exercise the right to data portability, and therefore clients and their users will be able to easily obtain copies and/or transfer all their contacts to another data controller, in the form that will be most convenient for them: in the form of a file or via API.

The GDPR defines personal data in Article 4 as "any information relating to an identified or identifiable natural person ('data subject')," specifying that "an identifiable person is any natural person who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier, or to one or more characteristic elements of his or her physical, physiological, genetic, mental, economic, cultural or social identity. "This means that an online identifier is also personal data. On the other hand, anonymous data is information that, originally or as a result of specific processing, cannot be associated with an identified or identifiable individual.If the tracking of users is done on the basis of anonymous data, which therefore does not allow their identification, even indirectly, the GDPR does not apply and the client does not have to worry about acquiring their consents.

In order to use Blendee properly, it is not necessary to change the contact collection forms. It will not be necessary to include any additional requests for consent, other than those that our clients normally use, as long as they provide the information to the individuals concerned and acquire proof of having done so.

The Blendee platform will enable, in alignment with the obligations imposed by the GDPR, the detection, identification and preservation of evidence of the origin of personal data ("data source"), identifying where and from whom it was collected.

In the case of the Blendee platform, users' personal data are processed for profiling and marketing purposes with their consent, which is revocable at any time. The right to revoke consent to the processing of our clients' user data, applies to data processed in both digital and paper form, as well as to all backups of such data. To make this right effective, Blendee has set up the revocation(Opt Out) button, also adjusting the standard durations of data use and storage. Customers and/or their users may also object to further promotional email communications by using the appropriate "unsubscribe" link, which is present in each promotional email sent.

‍Blendee has implemented a data security policy and IT systems management procedures, all of which are documented and available to the client. The processing of personal data carried out through Blendee has undergone a privacy impact assessment (DPIA), as required by the GDPR. The DPIA is also available to our clients to fulfill their compliance obligations, pursuant to Article 35, GDPR.

The personal data of our customers (and the data of their users) are processed and stored in European territory. Should the data be transferred outside the European territory , in accordance with the GDPR, Blendee will ascertain that the countries to which the data are transferred ensure an adequate level of protection of personal data (and that, therefore, there is an adequacy decision of the European Commission), or that adequate safeguards are in place through contractual means such as "Standard Contractual Clauses" (in accordance with Art. 46(2)(c) and (d), GDPR).

The GDPR wants the principles of privacy by design and privacy by default to be applied from the design of personal data processing. Ultimately, appropriate technical and organizational measures must be put in place to effectively implement data protection principles, such as minimization, and to integrate the necessary safeguards into the processing in order to protect the rights of users and to ensure that only necessary data are processed-by default.

There are heavy administrative fines for violations of the GDPR and Legislative Decree 196/2003 (the so-called "Privacy Code") of up to 20mln euros or 4 percent of companies' turnover, whichever is higher. In the internal regulations (Legislative Decree 196/2003), there are also criminal penalties for specific and peremptory violations.

The new accountability rules are instrumental in ensuring that anyone processing personal data has taken organizational and technological security measures appropriate to the risk posed by the data and is able to demonstrate that its processing is done in accordance with the GDPR.

Data traceability is a declination of the principle of accountability. In fact, only by acquiring traceability and evidence of how the data were collected, consents, operations performed on the data and their deletion, will the owner be able to demonstrate that he or she has correctly acted with respect to the data.

Anyone who processes personal data must be prepared to detect and handle any personal data breaches (data breaches) and notify the Data Protection Authority within 72 hours of becoming aware of them. In cases where the breach may involve serious harm to the rights and freedoms of users, the breach must also be communicated to them by appropriate means. A personal data breach occurs in the case of a security breach that accidentally or unlawfully results in the destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data. For notification to the Data Protection Authority, there is a special online procedure available on the Authority's official website.

Anyone processing personal data must take security measures appropriate to the level of risk to which the data are exposed. Physical, logical, and organizational security measures must ensure confidentiality, availability, and integrity of personal data processed by the owner and manager. The risk assessment must be periodically updated, as must the security measures that serve to mitigate the risks encountered. These are security measures, among others: pseudonymization, encryption, the ability to ensure on a permanent basis the resilience of data (through backups, disaster recovery plans) and procedures to test, regularly evaluate the effectiveness of technical and organizational measures in order to ensure the security of processing.

It is advisable to adopt and document a specific procedure for data breach notification and, more generally, for handling IT incidents. The procedure should be given wide dissemination in the client's business environment. Even if the security incident does not require notification to the Authority, since the prerequisites for notification are not met, it should be noted in a specially prepared internal log so that it remains documented in the event of audits by the Authority.

It is advisable to have a specific procedure for handling requests for the exercise of users' rights, making specific documentation available to them and preparing specific forms to facilitate the exercise of rights. In the case of processing that relies on users' consent, specifically, they must be guaranteed to exercise revocation of consent or to object to processing as easily as they were asked to express it.

Among the documents required to demonstrate corporate privacy compliance, mention should also be made of the controller's register of processing activities, in which all processing carried out, the types of data processed, the categories of data subjects to whom the data relate, the purposes of processing, the categories of recipients to whom the data are disclosed, whether the data are transferred to a country outside Europe and, where possible, the time limits for deletion of the data and the security measures taken should be noted. In the event that personal data are also processed in the capacity of a data controller, the controller's register must also be implemented, in which all activities carried out on behalf of one or more data controllers are documented. The register of the controller contains details of the name and contact details of the controller on whose behalf the controller processes the data, the categories of processing carried out, whether the data are transferred to countries outside Europe, and, where possible, a a description of the security measures taken.

For certain processing activities that involve the use of new technologies and present a high risk to the rights and freedoms of users, it is necessary to conduct specific data protection impact assessment of the processing. Specific measures of the Data Protection Authority and the European Data Protection Board identify the processing operations to be subject to impact assessment.
In the event that, as a result of the impact assessment, risks to the rights and freedoms of data subjects remain significant, the Data Protection Authority must be consulted for appropriate action.

When the main personal data processing activities consist of regular and systematic large-scale monitoring of data subjects, or large-scale processing of data belonging to special categories, it is necessary to appoint a Data Protection Officer (DPO). The DPO is appointed on the basis of his or her professional qualities and specialized knowledge in the field of personal data protection and cybersecurity.
The DPO reports to senior management on the activities carried out and monitors the actual implementation by the owner or manager of the measures prescribed by the GDPR and internal regulations. The DPO serves as the point of contact for requests from data subjects and requests from the Data Protection Authority.