GDPR Compliance and EU Data Protection
*Note: We are not lawyers and this is not considered legal advice. Please consult a legal professional for details on how GDPR impacts your business.
Introduction to GDPR
The General Data Protection Regulation (GDPR) is a set of regulations that was updated and enacted on May 25th, 2018. Per the GDPR’s website, “GDPR is designed to harmonize data privacy regulations across Europe, protect and empower EU citizens’ data privacy rights and reshape the way organizations across the region approach data privacy.”
GDPR replaces the Data Protection Directive 95/46/EC and reshapes the way personal data is defined and managed. These new regulations broaden the scope of what counts as personal data and expand the responsibilities of the controller and the processor. They also increase the fines that can be imposed for non-compliance.
DeCort Interactive’s Role
DeCort Interactive is a third-party, independent web developer. We offer a range of services, including website builds and migrations, consulting, design, e-commerce, and hosting. When you engage DeCort Interactive’s services, we act as the Processor if we create, manage, and/or support your website or your website’s hosting. While we utilize a variety of third-party processors such as WooCommerce, WordFence, CloudFlare, etc., DeCort Interactive does not actively seek to obtain or store user personal data.
Our intention at DeCort Interactive is to help our partners achieve GDPR compliance as directed by our customers (Controller).
As the Processor
At DeCort Interactive, we act as a processor in the following ways, per Chapter 4, Article 28 of the GDPR:
- We process user personal data as directed by the controller through the Controller’s WordPress website(s).
- We also may process and store personal data through our hosting providers Tonaquint Data Center and/or WP Engine, as directed and approved by the controller.
- We do not mine or sell user data.
- We utilize sub-processors for essential tools within the website, such as plugins, APIs, hosting, etc.
We may also collect personal data through our ticket service, Freshdesk, where the controller can email service requests about a website we support. In most cases, EU personal data is not collected via these services. However, if EU personal data is collected outside of the DeCort services, proper GDPR compliance guidelines will be implemented.
Assistance for the Controller
While we act as a data processor, we also provide consulting and assistance to the controller. In Our Approach, we describe how we work with you (the controller) to evaluate the necessity of your personal data collection processes. We will provide recommendations and additional development work to bring risk to an appropriate level. We provide supporting documentation to be approved by your legal department and will continue to work with you until you are comfortable with your site’s compliance.
Legal Basis for Data Collection
Our legal basis for personal data collection as a processor is to rely on our customers (the controller) to ensure that personal data are collected on the basis of one of the GDPR’s lawful grounds for processing. A controller can collect personal data based on one of the following legal bases: (i) consent; (ii) processing is necessary for the performance of a contract you have with the data subject; (iii) processing is necessary for compliance with a legal obligation; (iv) you need to protect the vital interests of the data subject or of another person; (v) you (or another third party) have a legitimate interest in processing the personal data, and this is not overridden by the interests, rights and freedoms of the data subject.
DeCort Interactive and Personal Data
We utilize sub-processors such as Freshdesk, Gmail, Trello and Slack for internal project management. While it is unlikely that user personal data will be obtained via one of these channels, in the event that it is (e.g., when troubleshooting an account issue), the user data will be deleted once it is no longer essential to hold.
DeCort Interactive and Signing a Data Processing Addendum
In the event that a customer engages services with DeCort Interactive and is not already GDPR compliant, DeCort Interactive will provide recommendations for compliance but requires approval from the Controller prior to performing work. In this instance, a Data Processing Addendum (DPA) may not be signed until work has been performed to make the Controller’s website GDPR compliant.
DeCort Interactive is service-based, so our ability to provide a GDPR compliant product is dependent on the Controller’s approval. For example, DeCort Interactive may have built a custom plugin that collects personal data outside the new scope of what is appropriate, but we cannot amend it until we have approval from the Controller.
Each client’s (the Controller’s) website has individual needs and legal requirements under GDPR. DeCort Interactive relies on the Controller’s GDPR requirement specifications.
DeCort Interactive will provide all necessary supporting documentation throughout the compliance process and is committed to upholding the Privacy by Design approach.
DeCort Interactive utilizes an array of third-party sub-processors in accordance with the GDPR. We have put together appropriate compliance measures for our customers’ websites that are required to be GDPR compliant. We are happy to provide a list of our sub-processors if needed.
Please Contact Us for this list.
Transfer of Data Outside the EEA
DeCort Interactive is based in the United States. Our services and sub-processors transfer data outside of the EEA. For instance, our local hosting provider, Dreamwire.net, Inc., has its primary point of presence in Utah, so all data for clients hosted there will be stored outside the EEA.
While DeCort Interactive is not a member of the Privacy Shield, many of our sub-processors are. We are committed to maintaining transparency and will fully cooperate to the best of our abilities to provide information regarding your personal data upon request.
Please reference our sub-processor list for full details. Contact us to obtain a copy of this list.
Data Subject Rights
Under the GDPR, EU data subjects can access, correct, remove or export their personal data. They also have the right to restrict the processing of their personal data.
To obtain, correct or remove your personal data from https://decort.net or one of our customers’ websites, please email us with your request. If your request concerns a website we host or manage, the data Controller will be notified immediately and will contact you directly.
DeCort Interactive provides regularly scheduled updates and patches, and also provides immediate or emergency updates and patches when potential vulnerabilities arise. Contact us if you need specifics as they relate to your information.
If you contacted us directly through https://decort.net, you will be notified directly by DeCort Interactive within 72 hours of a breach. In all other instances, DeCort Interactive will notify the Controller within 72 hours.