General Data Protection Regulation (GDPR)

What you need to know about the EU and UK General Data Protection Regulation (GDPR)

While we cannot provide legal advice, we feel it is important to provide you with our thoughts on how GDPR may affect you. This is a summary of some provisions of the law and is not a full analysis of how it may apply to you. If you believe you may be affected, you should consult with your own attorney.

• What is the GDPR?
• What is considered personal data?
• How does this affect me?
• What rights does the GDPR provide to EU and UK residents? 
• What is Constant Contact doing to comply with the GDPR?
• What do I need to do differently to be compliant with the GDPR?
• What if I have additional questions?

Be a better marketer: For more information, please read GDPR: What You Need to Know and How Constant Contact Helps You Comply.

What is the GDPR?

GDPR is short for the General Data Protection Regulation. The EU GDPR went into effect on May 25, 2018 and the UK GDPR went into effect on January 1, 2021 after the end of the Brexit transition period. The purpose of the GDPR is to support privacy as a fundamental human right and therefore give EU and UK residents rights over how their personal data is processed or otherwise used.

What is considered personal data?

The GDPR defines personal data as '... any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.'

Additionally, the GDPR notes that online identifiers can constitute personal data. The GDPR explains, '... natural persons may be identified with online identifiers which are provided by:

• Devices
• Applications
• Tools
• Protocols, such as IP (Internet Protocol) addresses
• Cookie identifiers (and similar web tracking technologies)
• Radio Frequency Identification (RFID) tags (the Internet of Things)'

How does this affect me?

Individuals, companies, or businesses providing services to EU or UK residents may need to comply with the EU or UK GDPR. To the extent you collect EU or UK residents' personal data (including the collection, processing, storage or transmittal of such data), GDPR requires you to comply with its terms. If you are an EU or UK resident, this law will apply to your personal data in your Constant Contact account.

The Constant Contact Privacy Statement explains what we collect and how we handle your personal data. This statement includes many examples of how personal data may be used by Constant Contact. We suggest that you take the time to understand how this applies to you.

What rights does the GDPR provide to EU and UK residents?

The rights of an EU or UK resident under the GDPR, and how you can exercise those rights with respect to Constant Contact, are:

• Right of access: You, or your customer, can ask us what personal data is being processed (used), why, and where.
• Right to rectification: If you, or your customer, want to correct, revise, or remove any of the data we retain on you - as explained in our Privacy Statement - you may do so at any time.
• Right to be forgotten: If you, or your customer, need to cancel your Constant Contact account at any time, we will permanently remove your account and all information associated with it.
• Right to restrict processing: If you, or your customer, believe your personal data is inaccurate or collected unlawfully, you may request limited use of your personal data.
• Right of portability: We provide you with the ability to move any of your account data to a third party at any time.
• Right to object: If you, or your customer, decide that you no longer wish to allow your data to be included in our analytics or for us to provide personalized (targeted) marketing content at any time, you may contact us to request removal of this data.

Constant Contact will provide the necessary mechanism to comply with requests from you and will support you in fulfilling GDPR requests from your customers.

What is Constant Contact doing to comply with the GDPR?

Constant Contact has implemented an Information Security Program to secure customer data and we continuously review these security measures to make sure they are up-to-date. We have incorporated the EU Standard Contractual Clauses and the UK Addendum into our Data Processing Addendum and we also ensure that our third-party vendor agreements are compliant with GDPR. While we do not currently rely on Privacy Shield for cross-border data transfers, our privacy program has been certified to the obligations and standards of the EU-US and Swiss-US Privacy Shields and we continue to adhere to the Privacy Shield principles.

What do I need to do differently to be compliant with the GDPR?

Please understand that both you and Constant Contact have obligations and requirements for GDPR compliance.

Our Terms of Service require you to lawfully obtain and process all personal data appropriately. You will need to continue to do this to be compliant with the GDPR.

If you collect EU or UK residents' personal data, you are likely to be classified as a data controller under the GDPR. This means you will have some additional obligations around such things as data subject rights. We urge you to understand this and seek legal advice where you think necessary.

We've created a GDPR email template so that you can document express consent to email your current contacts. We will provide you with additional features, such as updated consent tools and the ability to respond to a customer data subject request.

What if I have additional questions?

If you, or your customers, have any additional questions, please do not hesitate to contact us:
Email: privacy@constantcontact.com
www.constantcontact.com

Questions?