Got a GDPR Headache? We’ll Sort Out the Essentials
You and Your Audience
- Every time you process information relating to a person, such as names or phone numbers, you are processing personal data.
- Processing of personal data for direct marketing purposes is generally permitted, even without the consent of the person whose personal data is processed. Why? The commercial interest in marketing products and services usually balances out the person's interest in protecting their personal integrity. In other words: it’s regarded as a legitimate interest.
However, legitimate interest is not a generalised, one-size-fits-all classification. The assessment of legitimate interest must be made on a case-by-case basis. As a result, there might be situations where processing of personal data for direct marketing purposes does not constitute a legitimate interest. In general, direct marketing is easier to justify when the marketing is targeted at the person in his or her professional role, rather than at the person as a consumer.
- The person has the right to object to your marketing activities, and you must inform the person of their right to opt out. Upon notice of objection, the processing for direct marketing purposes must cease. So, ensure that the person can object to your marketing, e.g. by ensuring the person can opt out in the emails that you send (Note: default in APSIS).
- To enable further transparency, the GDPR lists the information that you should provide to the person about your processing, so make sure to shine some light on your processing to build trust.
The GDPR targets all of your company’s processing of personal data, not solely your marketing activities, and needs to be handled by your company with a holistic approach. This means that your data shouldn't be processed in separate silos with the marketing department standing alone.
For example: if you extract data from your CRM for your marketing activities, the CRM should be the main focus for your GDPR compliance work. How did the personal data end up in the CRM to start off with and what are the legal justification(s) for such processing? In general – if the CRM is OK, your processing of data for direct marketing purposes will be OK.
You and APSIS
- You are the “Controller” and will own the relationship with the persons whose personal data is processed (your audience).
- APSIS is your "Processor", your extended arm, who will process the personal data on your behalf for the sole purpose of enabling you to work your digital marketing magic by leveraging the APSIS platform.
- The APSIS Terms of Services (regulating your usage of the APSIS platform and forming your documented instruction to APSIS on how to handle your data) incorporate the Personal Data Processor Agreement specifically regulating our relationship as “Controller” and “Processor”.
- The Personal Data Processor Agreement complies with the requirements under the GDPR (cf. Art 28) and is drafted in the light of how the APSIS platform works and is provided to APSIS' thousands of users such as yourself.
- In line with privacy by design and default, the APSIS platform is self-service: you can upload, extract, delete and/or change the data being processed yourself, and thus comply with any request from a person who wants to exercise his or her rights.
- The security of your data is at the core of APSIS' business and we have implemented technical and organisational measures to ensure the protection of your data. To the limited extent your data is accessed by us, such access will be made solely by authorised staff on a confidential need-to-know basis for purposes in line with the agreement (i.e. to enable your digital marketing magic).
- The APSIS platform is hosted on infrastructure located within the EU/EEA.
- If you decide to leave us in the future (now why would you ever do that?), your data in the APSIS platform will be deleted.
The APSIS platform is continuously developed to meet the demands of the market and to provide the best UX possible, including but not limited to facilitating your company’s work as Controller.