Legal
General Data Protection Regulation (GDPR) FAQ – Ending July 16, 2018
Urban Airship welcomes the General Data Protection Regulation (GDPR) as an opportunity to reaffirm our commitment to data protection and privacy rights. Urban Airship is GDPR compliant, and as your trusted provider, we are committed to supporting your GDPR-compliant use of the Urban Airship platform. We also understand that data privacy and compliance with the GDPR is a shared responsibility between Urban Airship and you, as our customer. To support your GDPR compliance, we have outlined in this FAQ the most common questions asked about the GDPR and your use of the Urban Airship platform.
What is the GDPR?
The GDPR is a new comprehensive EU data protection law that regulates the processing of personal data of EU individuals and takes effect on May 25, 2018. The objective of the GDPR is to strengthen the personal data rights of EU individuals through tighter limits on processing of personal data, providing increased transparency into the nature, purpose and use of personal data, and increasing the individual’s rights over their data. The GDPR will replace the existing Data Protection Directive, also known as Directive 95/46/EC.
Does the GDPR affect my organization?
The GDPR regulates the processing of personal data of EU individuals. If you are established in the EU and processing personal data, then GDPR applies to you. If you are not established in the EU and you offer goods or services to EU individuals or monitoring behaviour of EU individuals, then GDPR applies to you. If your use of the Urban Airship platform includes processing personal data of EU individuals, the GDPR applies to such EU personal data.
What is processing of personal data?
Data processing is a broadly defined term under the GDPR and includes collection, storage, transfer, use or deletion of personal data. Personal data is data that relates to identified or identifiable natural person, referred to in the GDPR as data subjects. Natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Are there different categories of personal data?
Pseudonymous data. The GDPR defines certain categories of personal data as less sensitive pseudonymous data and recognizes that pseudonymization can protect the rights of individuals and encourages the use of such measures. The GDPR defines pseudonymization as the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information, where the additional information is kept separately and subject to technical and organizational measures so that the individual is not identified. The Urban Airship platform supports use of pseudonymized data as best practice in implementing channel IDs and use of pseudonymized or hashed IDs as the “named contact” value.
Special classes of data. The GDPR also defines certain classes of personal data as extra sensitive and provides that sensitive personal data should not be processed unless a special exception applies, such as the individual providing explicit consent. These special categories of data are personal data revealing race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership, genetic data, health data or data concerning an individual’s sex life or sexual orientation. Urban Airship contractually prohibits processing these special classes of data using the Urban Airship platform as well as any individual financial data, credit or debit card numbers, government issued identification numbers, or data relating to criminal history.
Does the GDPR require EU personal data to remain in the EU?
The GDPR does not require EU personal data to remain in the EU. However, it does require that EU personal data may only be transferred outside the EU if the country to which the data is transferred has been deemed by the EU Commission to have adequate data protection laws. If the country has not been deemed adequate, there must be some other approved mechanism for transfer of EU personal data to that county. The Urban Airship platform is operated from and the data is stored in cloud data centres located in the United States.
For US based data processing operations, such as Urban Airship’s, two commonly-used mechanisms for personal data transfer from the EU to the US are the EU-US Privacy Shield and the EU Standard Contractual Clauses. Urban Airship is in the process of certifying to the EU-US Privacy Shield and once certified, will offer this mechanism to our customers. Additionally, Urban Airship uses the EU Standard Contractual Clauses for transferring EU personal data from the EU to the US. If your use of the Urban Airship platform includes processing of EU personal data that is transferred from the EU to the US, the Urban Airship Data Processing Addendum incorporates the EU Standard Contractual Clauses for that purpose. The Urban Airship Data Processing Addendum is available here for execution.
Who are the data controllers and data processors under the GDPR?
Under the GDPR, a data controller is the organization that determines the purposes, conditions, and means of the processing of personal data. A data processor is an organization that processes personal data on behalf of the data controller. When you use the Urban Airship platform to process personal data, your organization is the data controller and Urban Airship is the data processor under the GDPR.
As the data controller, you determine the personal data we process on your behalf through your use of the Urban Airship platform. Depending on your specific configuration and use of the Urban Airship platform, we may process EU personal data for you. As the data controller, you provide privacy notices to individuals who engage with your digital assets detailing how you plan to message them and how you collect and use information, and obtain any required consents.
As the data processor, we process data on your behalf based on instructions you provide, which include your configuration and use of the Urban Airship platform and terms set out in your agreement with us.
Which privacy policy applies?
As the data controller, you provide privacy notices to individuals who engage with your business and your digital assets detailing how you plan to message them and how you collect and use information, and obtain any required consents. The GDPR requires that you communicate to individuals in a clear and understandable way describing what you are going to be doing with their personal data and how they can exercise their rights in relation to the personal data you collect. In addition to the general privacy policy, consider putting mini privacy notices at the time you collect personal data to help your users understand the purpose for which you are collecting their personal data.
Is consent needed to send notifications using the Urban Airship platform?
The Urban Airship platform supports opt-in consents and withdrawal of consents for mobile application push notifications, web notifications, email and SMS. As the data controller, you must implement your integration with the Urban Airship platform with the legally appropriate level of consent enabled. Since consent under the GDPR must be freely given by an affirmative act that is specific, informed and unambiguous, if consent is the basis for lawful processing, a separate opt-in notice and consent for each specific channel, such as for push notifications, web notifications, email etc,. is required. Also, the individual has to be able to easily withdraw their consent at any time.
Legitimate interest is another basis for lawful processing under the GDPR. If you process personal data based on a legitimate business interest, then you need to balance those business interests against the right of the EU individual to not have you process their personal data.
How does Urban Airship help meet data minimisation requirements?
The data minimization principle under the GDPR requires that you only process personal data that’s adequate, relevant and limited to what is necessary to achieve the purpose. At default settings, the Urban Airship platform processes anonymous data, such as time-zone, browser version and type, SDK version; and pseudonymous data, such as tokenized ID specific to each separate installation of your mobile application on a device. In addition, Urban Airship supports processing of anonymous data triggered by activity or tags, and pseudonymous data such as hashed or tokenized identifiers that may tie back to additional personal data in your systems that is not accessible to Urban Airship. A current list of data collected in the default settings of the Urban Airship platform is available to customers upon request. Processing of any data by Urban Airship in addition to such list is determined by you and is automated based on your configuration and use of the Urban Airship platform. Use of the Urban Airship platform for email or SMS will require processing of email addresses and mobile phone numbers.
How does Urban Airship help meet storage limitation requirements?
The GDPR requires that EU personal data must be stored no longer than necessary to achieve the purpose for which it was collected. The storage limitation principle with the data minimization principle taken together means that you should not collect personal data you don’t need in the first place, and securely delete personal data you no longer need. Urban Airship supports you in this requirement by implementing a Data Retention Schedule. For data elements not listed on that schedule, Urban Airship holds the data during the term of your contract, including any renewals. Urban Airship’s Privacy by Design Committee continues to evaluate the Data Retention Schedule in light of the GDPR storage limitation principle. Additionally, after 90 days from a termination of your contract without a renewal, Urban Airship will delete your data stored in the production systems of the Urban Airship platform.
What security measures are in place for the Urban Airship platform?
The GDPR requires appropriate technical and organizational measures to be in place for processing of personal data to ensure a level of security appropriate to the risks associated with the specific processing activity. The security measures for the Urban Airship platform include physical access controls, logical and data access controls, network security, applicational security, personnel security, security incident management, third party conducted PEN tests and SOC2 audit of such controls as further described in the Urban Airship Security Measures document.
How does Urban Airship support data subject rights in relation to EU personal data?
The GDPR provides EU individuals with certain rights regarding their personal data, including:
- Right of access
- Right to rectification
- Right to be forgotten
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to object to automated decision making
Urban Airship provides you with a number of APIs that you may use to retrieve, correct, delete or restrict EU personal data, as well as opt-out features you can implement to respond to data subject requests. These controls and features are described in Urban Airship’s documentation for the Urban Airship platform.
How does Urban Airship meet obligations for privacy by design and data protection by default?
Urban Airship’s Privacy by Design Committee is comprised of a core team of senior members of the Engineering, Operations, Security, Product Development and Legal teams that meet regularly to proactively apply the Privacy by Design and Data Protection by Default principles to our product enhancement, development and operations activities. These data privacy standards, controls and features are available to all Urban Airship customers and not just to customers processing EU personal data. This means that as other countries implement GDPR-inspired privacy regulations, you will be well positioned for future privacy compliance efforts in other parts of the world.
Is a Privacy Impact Assessment required for use of the Urban Airship platform?
Under the GDPR, Privacy Impact Assessments are needed where personal data processing, particularly processing using new technologies, would likely result in high risk to the rights and freedoms of data subjects. As Urban Airship prohibits processing via the Urban Airship platform any sensitive personal data or “special classes of data” as defined in the GDPR as well as any individual financial data, credit or debit card numbers, government issued identification numbers, or data relating to criminal history, use of the Urban Airship platform would not likely result in high risk to the rights and freedoms of data subjects.
As a data processor, Urban Airship relies on our customers’ decision on whether to conduct a Privacy Impact Assessment for their current and intended use of the Urban Airship platform, and Urban Airship commits to supporting our customers in that process.
This FAQ is meant as a general set of questions and answers based on Urban Airship’s interpretation of GDPR requirements as of the date of publication. This FAQ should not be relied upon as legal advice or to determine how GDPR applies to your business or organization. We urge you to consult with your professional advisors with regard to requirements that govern your specific situation to ensure compliance. The information contained in this FAQ is provided “as is” and may be updated or changed without notice. This FAQ is not an amendment or supplement to any agreement between Urban Airship.
May 15, 2018