How to comply with General Data Protection Regulation (GDPR) using Convertful

If you’re located in the European Union or collect data originating from the European Union, you have to comply with the General Data Protection Law. If so, you’re a Data Controller, and we’re a Data Processor acting on your behalf.

Here’s what you need to do to make sure your use of Convertful is GDPR compliant.

Disclaimer

This manual is provided for information purposes only and should not be treated as legal advice.

Step 1. Sign the Data Processing Agreement

Art. 28 of the law requires us to sign an agreement which defines our relations and your instructions to us as a Data Processor. Go to your site’s settings in the Convertful application, fill in the fields, then generate, read and electronically sign the Data Processing Agreement. If you need more info on how to do this, here’s the illustrated manual.

Step 2. Update Your Privacy Policy

Describe in it which data you collect from your subscribers, how you collect it, how you use it, to whom you disclose it, where it’s located and some other details required by the law. Here’s a good checklist which could guide you through the process.

In short: we collect and process the personal data of your visitors on your behalf based on the instructions that you provide to us via the Sites. In addition to the data types you explicitly choose to collect, we also collect data about the first visit (like time and source), technical data (like IP and browser type), and behavioral data (like which widgets a visitor viewed, closed and submitted).

Here’s a text snippet that you can use as a sample to be added to your Privacy Policy:

We collect (i) contact details, such as email address and full name; (ii) technical data such as IP address, browser language; and (iii) behavioral and navigation information, such as visit source, duration of your visit and others. We collect this data for promotional and marketing purposes. This data is stored and processed securely via our data processor, Convertful, in accordance with their Privacy Policy.

Step 3. Get Informed Consent from Your Subscribers

Art. 7 of the law requires you to have proof of informed consent for every subscriber whose personal data you use (for example when sending him/her a newsletter).

There are several ways to have it:

  • add a mandatory agreement checkbox to each of your subscription forms with links to your terms of service and privacy policy, and we’ll store the consent details in a separate field;
  • set up a double opt-in in your email service provider (“ESP”) and add explicit links to your terms and privacy policy in the confirmation email, and your ESP will store the IP and timestamp of confirmation as the consent details;
  • design your subscription form so that it clearly describes how the entered data will be used, with a clear, relevant call to action on the button (for example, if you subscribe a person for a newsletter, it should be “Subscribe Now” not “Download Now”).

Additional Information

If you have any specific questions regarding the GDPR, or you need us to perform some additional actions in accordance with it, please feel free to create a private support ticket for this.