- 6 minutes to read
How are the services we buy from Cxense affected by GDPR?
Cxense services collect and process data which may be considered personal data under the GDPR. Cxense acts as a data processor on your behalf, and the Data Processing Addendum to your service agreement clarifies the obligations of both parties with regards to GDPR compliance.
One major consequence of the new regulation is that processing of personal data for the personalization services offered by Cxense requires the informed consent of individual persons.
What is personal data? We do not collect any emails or names.
The GDPR defines personal data rather broadly, as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
To provide you with an example: At the end of 2016 the European Court of Justice decided that even dynamic IP addresses in a web server log file have to be considered personal data.
Do we need consent even though we don’t collect names or email addresses or other personally identifying information?
The GDPR covers personal data even if they are not immediately identifiable, and mandates that all personal data processing must only be performed on a sound legal basis. For the services of the kind offered by Cxense, informed individual consent is the appropriate legal basis under the GDPR.
Cxense is prepared to operate as a GDPR compliant data processor, but advises customers to obtain the advice of legal counsel to determine the applicability of regulation to their operations.
What role will Cxense take in order to help customers prepare for the GDPR? Will Cxense assist in supporting us to comply with data subject rights?
Cxense is making product changes to simplify GDPR compliance for our users. We do this by enabling a “consent-aware” Cxense tag, and by adding compliance APIs to simplify fulfilling individuals’ requests for their rights as data subjects under the GDPR to be fulfilled, such as the right to see their data or for their data to be erased.
Cxense will also provide the necessary information in order for the customer to fulfill the level of transparency required by the GDPR (e.g. retention periods, data types).
How does the GDPR affect us if we do not own the sites where we have had the Cxense tag placed?
The GDPR defines the data controller, somewhat simplified, as the entity that determines the purposes and the means of processing of personal data. In most cases, this is likely to be the site operator, possibly jointly with you. Cxense and possibly you would then be acting as data processors on their behalf.
The GDPR places some obligations on the data controller, such as that of obtaining consent and having data processing agreements in place with their data processors, and we advise you to work closely with site operators to clarify your respective obligations and responsibilities in this relationship.
What steps has Cxense taken to implement the requirements of the new ePrivacy Regulation of the EU?
The ePrivacy Regulation of the EU is not yet applicable and still has to pass EU regulatory procedures in order to enter into force. By now (Jan 2018) a draft is available and Cxense analyzes the requirements for the Cxense tag that may result from the ePrivacy Regulation. It is assumed that the ePrivacy Regulation will enter into force at around the end of 2018 or the beginning of 2019.
We would like to point out that until the ePrivacy Regulation becomes applicable the national law(s) based on the ePrivacy Directive (2002/58/EC) have to be taken into consideration by all of Cxense’s customers. Although the national law in this regard should be harmonized with the ePrivacy Directive, slightly different requirements may be present in the different Member States of the EU.
Nevertheless based on the existing ePrivacy Directive and also based on the draft of the ePrivacy Regulation, customers will in almost all cases need to obtain valid consent for using the Cxense tag. There may be some exceptions to this rule with the coming ePrivacy regulation and we will provide information on how Cxense wants to make use of those exceptions once the final version of the ePrivacy regulation is known.
How do we obtain consent?
User consent must be explicitly requested, by the data controller, from individuals who must be informed about what kind of personal data processing they are asked to agree to in a transparent and honest manner.
Do we need to ask for consent in general or for every activity where we will use the data collected?
As the site owner, you are the data controller for data collected on your site. This includes the obligation to only process data on a proper legal basis - most likely by user consent. This applies to all personal data collection on your site - not just the Cxense tag, but any other instrumentation or advertising providers embedded on your site.
The request for consent should cover all processing activities performed by you and your data processors on your behalf.
Cxense will provide a template text for requesting consent in compliance with articles 6 and 7 in the GDPR but customers are obliged to check if the information in the consent template reflects the individual use of the Cxense tag by the customer.
How can our users access their user profiles and delete Cxense data?
Cxense will work with customers to fulfill the rights of individuals under the GDPR, and aim to offer APIs for customers to quickly and easily comply with Data Subjects’ requests.
It may be worth noting that in general the individual’s rights to control their data are not new under the GDPR.
How do we delete 1st party data that we have pushed into Cxense DMP?
Cxense APIs offer functionality for deleting 1st party data, and we will add additional API support for customers’ handling of Data Subject rights under the GDPR.
Infrastructure & Data Security
Can we store data outside of the EU? Where exactly will our data be hosted?
The GDPR does not generally prohibit data transfers to third countries. Nevertheless, it has to be ensured that guarantees for an adequate level of data protection are in place on the receiver’s side.
Cxense ensures that adequate guarantees on the receiver’s side are available and has agreements according to the EU Model Clauses in place with providers to ensure that Cxense data processing on our customers’ behalf is compliant with the GDPR.
The servers hosting the data are located in the EU, US, and Japan. Disaster recovery backups are hosted in the EU. We also offer the possibility of hosting the data only within the EU – please reach out to your account manager for details.
Is data encrypted at rest / in transit?
Disaster Recovery backups are encrypted at rest, serving data are not, except the cases where storage media are configured with encryption keys.
Data is encrypted in transit between facilities, but not on local networks within one facility. Also, page view events sent to us from sites served with unencrypted HTTP will be sent unencrypted to us, as we match the protocol used by the site when transmitting page view data.
How are the encryption keys protected?
Encryption keys are managed separately from our other configuration and software and are deployed only on an as-needed basis by persons authorized to operate our services.
Are systems and networks that host, process and or transfer our data ‘protected’ (isolated or separated) from other systems and/or networks?
All serving systems involved in hosting the Cxense services run independent firewalls and require authorization via specific access control lists, except for specific endpoints that are defined as public facing, i.e. the public HTTP(s) ports used for services.
Is our data stored or will be stored on a different backup media to other customer’s data?
Data is separated logically in cloud storage buckets and organised separately by the originating site. We do not manage backup media ourselves.