The European Union implemented the General Data Protection Regulation (GDPR) on 25 May 2018.
Since then, two significant developments have impacted the GDPR: the European Court of Justice’s decision in a case known as Schrems II, and the United Kingdom’s exit from the European Union.
This article will detail how Constant Contact protects the information and data of European Union and European Economic Area (EU/EEA) customers and how Constant Contact supports its customers with compliance under the GDPR, even in light of the Schrems II decision. This article will also address the impact of the United Kingdom’s departure from the European Union on GDPR. This article does not require action.
| Role | |
|---|---|
| Administrators | ✓ |
| Company Managers | |
| Marketing Managers | |
| Sales Managers | |
| Salespersons | |
| Jr. Salespersons | |
Tip: Are you looking for information about Constant Contact’s Email and Digital Marketing product? This article is for Constant Contact’s Lead Gen & CRM product. Head on over to the Email and Digital Marketing articles by clicking here. Not sure what the difference is? Read this article.
Prior to the enactment of the GDPR, the European Union adopted the Data Protection Directive (officially known as Directive 95/46/EC) in 1995, which governed the protection of individuals with regard to how personal data was processed and moved. Under Directive 95/46/EC, personal data could be transferred to organizations in countries outside the European Union only if the organization provided an adequate level of protection.
Directive 95/46/EC was repealed and replaced with the GDPR. The GDPR is a law which expands on original European Union data protection laws. The law was enacted 27 April 2016 and was implemented 25 May 2018.
On 16 July 2020, the European Court of Justice issued its decision in the Schrems II case, which impacted how companies transferred personal data internationally. The decision removed the United States’ Privacy Shield certification as a mechanism on which entities may rely when transferring data from the European Union to the United States. The decision, however, did leave intact reliance on the Standard Contractual Clauses as a mechanism to make such international data transfers.
On 31 January 2020, the United Kingdom left the European Union, and, as a result, is no longer governed by the GDPR. The United Kingdom adopted its own version of the GDPR (known as the UK GDPR), which substantially mirrors the requirements and penalties of the GDPR discussed herein. The United Kingdom also adopted and subsequently revised the Standard Contractual Clauses. The United Kingdom's Standard Contractual Clauses reflect that the United Kingdom is the country of origin when governing data transfers from the United Kingdom to the United States.
The GDPR impacts organizations and individuals in similar ways. There are several important differences to consider, however.
Constant Contact, like every marketing automation provider with European Union customers, is impacted by the GDPR. These regulations govern the flow, procurement, and use of data between data controllers and data processors. Article Four of the GDPR states the following:
The GDPR impacts organizations that meet at least one of the following conditions:
As stated, the GDPR applies not only to organizations within the European Union. It may also apply to customers or organizations located outside of the European Union, depending on how they interact with EU/EEA individuals. This interaction ranges from offering standard goods or services to monitoring individuals' data and behavior, and is not limited to those activities. Refer to the Recommended Customer Actions section of How the GDPR Impacts Constant Contact and You for more information.
Constant Contact updated terms, privacy policies, software, and infrastructure when the GDPR went into effect 25 May 2018. Refer to How the GDPR Impacts Constant Contact and You for more information on Constant Contact's changes to software and policies.
For European Union and United Kingdom customers, Constant Contact does transfer data outside of the European Union. Data is mainly stored in data centers in the United States, and this data can be accessed by both the United States and international resources working for Constant Contact during the course of the customer relationship. When required by law, Constant Contact subsidiaries supporting Constant Contact's global customer base shall enter into the Standard Contractual Clause agreements with the EU/EEA subsidiary. For the Constant Contact subsidiaries supporting Constant Contact's UK customer base, these subsidiaries shall enter into Standard Contractual Clause agreements that comply with the UK GDPR when required by law.
Failure to comply with the GDPR will result in monetary penalties. There are two levels of fines for noncompliance, determined by the severity of the violation:
In addition, if an organization violates multiple rules in the GDPR, the organization will be fined for only the most egregious violation, and not for each separate violation.
The GDPR was crafted with privacy rights in mind. The regulation's core tenets reflect this. These protected rights include, but are not limited to:
These rights and protections are expanded upon below.
With the GDPR, protections for consent were considered paramount. As a result, conditions and qualifications for consent were vastly improved and otherwise strengthened. The GDPR requires the following for consent:
The GDPR provides rights and safeguards for individuals with regard to access. Specifically, the GDPR does the following:
Data erasure, known also as the right to be forgotten, entitles individuals to the following rights in certain circumstances:
Data erasure is conditional, however. Conditions include, but are not limited to, the data no longer being relevant to the original purposes for processing, or the individual withdrawing consent.
Under the GDPR, notifications on data breaches that are likely to harm individuals are mandatory and must be reported to regulatory authorities within 72 hours of an organization first having become aware of the breach. In addition, data processors will also be required to notify data controllers without delay after first becoming aware of a data breach.
Data portability is the right of an individual, in certain circumstances, to receive their personal data and any associated data connected to them. This data must be provided in a common and easily readable electronic format. With data portability, individuals have the right to transmit that data as needed.
Privacy by design requires data protection to be a core feature when designing systems, as opposed to a later addition. Additionally, data controllers can retain and process only the data for which they have a legitimate basis for processing. Privacy by design also limits who has access to personal data.
Data protection officers (DPOs), also known as data privacy officers, are security officials. DPOs are a key requirement for GDPR compliance. While not necessary for all organizations, the GDPR states that these roles are mandatory for any organization that processes or stores large amounts of personal data. This personal data can concern an organization's employees, an organization's customers or providers, or any other individuals covered by the GDPR.
DPOs primarily audit organizations to ensure compliance, and should be treated as any other auditor. As such, per the GDPR, DPOs require operational independence. This means that organizations may interact with their DPOs only in specific, prescribed ways. The GDPR requires the following for DPOs:
The primary duties of the DPO are to ensure that an organization complies with, and acts in good faith with respect to, the GDPR. The individual aspects of these duties include the following:
Copyright © 2025 · All Rights Reserved · Constant Contact · Privacy Center