GDPR
Last updated: May 24, 2018
Effective date: May 25, 2018
What is GDPR and who does it apply to?
The GDPR is an EU regulation designed to protect the privacy of EU citizens and impacts all organizations that process the personal data of such citizens, regardless of whether an organization itself is based in the EU.
The GDPR is effective from May 25, 2018 and aims to give EU citizens and residents greater control over their personal data, while simultaneously simplifying the regulatory environment for international business that takes place in the EU.
The GDPR describes different requirements depending on how an organization handles data subjects' personal data.
- "Data Controllers" are businesses that collect customer data and also decide how, when and why that customer data is processed.
- "Data Processors" are businesses that carry out the processing of customer data on behalf of a Data Controller.
Check Cherry is both a Data Controller in our relationship with our own customers, and a Data Processor in our role as an organization that helps other businesses (merchants) process their customer data (we generally refer to this as End User Data).
Check Cherry's GDPR compliance
In line with our commitment to GDPR compliance, we have reviewed, updated and modified many of our internal practices and policies to ensure we meet GDPR requirements as Data Controller and Data Processor.
Below is an overview of several key things we've put in place to ensure such compliance.
Data Processing Addendum
We offer a data processing addendum (DPA) for our customers who collect data from data subjects in the EU. Our DPA offers contractual terms that meet GDPR requirements. A copy of our DPA is available upon request. Please email us at firstname.lastname@example.org to begin the process of executing the agreement.
To ensure that no terms are imposed on Check Cherry beyond what is reflected in our DPA and Terms of Service, in most scenarios we cannot agree to sign customers' DPAs. We are a small team and do not have an in-house legal team. Changes to our standard DPA require legal counsel and this is typically cost-prohibitive for our team. If you are unable to comply with our standard DPA, please email us at email@example.com – we are happy to discuss your concerns and our options.
We maintain an internal matrix identifying all data subjects with which Check Cherry interacts and the categories of data collected about each of these data subjects. This matrix has been built in response to the GDPR deadline and will be maintained going forward whenever changes to Check Cherry's product, infrastructure, marketing or other organizational elements occur.
Using this matrix we are able to review and validate the legal basis for collecting and processing personal data and ensure that we have in place the appropriate security and privacy safeguards across our infrastructure and software ecosystem.
Third Party Vendors
A list of third party vendors is available upon request.
We maintain an internal Breach Management Policy that outlines the process our team should follow in the event of a suspected data breach. We have updated this document in response to the GDPR and other relevant data privacy regulations.
Data Subject Rights in our role as Processor
Ways in which Check Cherry helps you comply with GDPR as a Processor
If you are working with EU customers, you need to be able to provide them with the ability to access, update, retrieve and remove personal data. We've offered self-service features that help support these requirements from day one.
As part of providing Check Cherry's software and services, we offer the following features that will help you fulfil the rights of data subjects in your role as a Data Controller:
- "Delete" requests ("Right to be forgotten", "Right to the restriction of processing"). Directly within the UI you can remove the customer and all of their data from Check Cherry's systems, or raise a request via our helpdesk at firstname.lastname@example.org.
- Updating customer data ("Right to rectification", "Right to object"). Directly within the UI you can update user data, enabling you to respond to customer requests to ensure accuracy in the data you have about them.
- Exporting customer data ("Right to data portability"). You can download a copy of all user details (user properties) as part of a segment export in Check Cherry. If you would like to export a user's, or users', full event history, please email us at email@example.com with the ID / name of the event to export.
A note on consent
Under GDPR you must have a legal basis for all data processing. As a Data Controller using Check Cherry, it is likely that consent will be one of the legal bases used to ensure compliance for the data you send us.
In order to be valid, this consent must be verifiable. As the Data Controller, it is your obligation to ensure you have researched and reviewed your consent-gathering processes. The following does not constitute legal or compliance advice, but provides some suggestions as to how we have seen Data Controllers manage consent:
Unambiguous and explicit consent requires that data subjects take an action to affirmatively consent to the data being processed. An example of this is actively ticking a box as part of a signup or subscription process. This opt-in process must include a message that clearly (in plain language) states the ways in which the data subject's personal data will be used. Examples of ways in which you are likely to use data when using Check Cherry include:
- Transferring the user's contact data to Check Cherry
- Sending the user email messages using Check Cherry
- Tracking behavioural interactions for email marketing purposes
If you rely on consent to process customers' personal data, double check where and why your contacts shared their data with you to make sure that the consent you obtained meets the GDPR's standards.
Data Subject Rights in our role as Controller
If you are a customer of Check Cherry based in the EU, you should be able to access, update, retrieve and remove your own personal data.
We have also implemented cookie preferences. Please refer to our Cookie Notice for further details and access to your preferences.
We are here to assist
We take data privacy seriously and think the GDPR is a great step forward for data subjects. If you have any questions regarding GDPR or data privacy, please don't hesitate to email us at firstname.lastname@example.org.