The European Union General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how entities operating in the EU, targeting products and services to individuals in the EU or monitoring the behavior of EU citizens, handle personal information. The GDPR is intended to unify and strengthen the protection of personal data of people residing within the member states of the European Union. More information is available at the EU GDPR website. The GDPR regulations will come into effect on May 25, 2018.
The GDPR defines three primary entities who are involved in the processing of personal data: Data Controllers, Data Subjects, and Data Processors. Each group has different roles and requirements regarding their interactions with customer personal data:
- A Data Subject is an end user whose personal data is being processed by the Data Processor on behalf of the Data Controller.
- A Data Controller is the entity that determines the purposes and means of the processing of personal data.
- A Data Processor is an entity which processes personal data on behalf of, and on the instructions of, the controller (i.e., a service provider such as WebEngage).
In relation to the WebEngage services:
- The Data Subjects are the end users, customers or other individuals who provide their personal data to you.
- You are the Data Controller who decides how and why the personal data of the Data Subjects will be processed.
- WebEngage is a Data Processor that processes personal data on your behalf and in accordance with the instructions that we receive from you.
WebEngage is fully GDPR compliant. This page explains features that will enable you, as Data Controllers, to comply with your users’ requests to exercise their rights as defined by the GDPR.
Under GDPR, individuals will have the right to obtain:
- Confirmation that their data is being processed;
- Access to their personal data; and
- Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see GDPR Article 15).
WebEngage enables you to issue a request to export a user profile containing personal data using the REST API. You can export the personal data of any Known user using the User ID shown on that user's profile page on the WebEngage dashboard. You can then provide this personal data to the Data Subject in response to their request to access any personal data being processed by WebEngage as a Data Processor on your behalf.
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible.
If a Data Subject requests that you rectify inaccuracies within the personal data being processed by WebEngage on your behalf, you can use the WebEngage SDKs to send the correct data going forward, and the WebEngage /users REST API to correct existing personal data.
Individuals have the right to get personal data concerning them erased by the controllers. The right to erasure is also known as ‘the right to be forgotten’.
WebEngage offers APIs to erase personal data when Data Subjects request it. Before deleting user data, you should recommend that the Data Subjects uninstall or log out of all of your applications that use the WebEngage SDK, so that additional processing of data by WebEngage is stopped.
Once you have halted data collection, you can create an erasure request using the WebEngage REST API to delete an end user profile, which will remove all personal data as well as event data records associated with that user from WebEngage data stores.
Deleting an end user from the WebEngage services will permanently delete WebEngage's user profile for that user along with event data stored in WebEngage. As a result, there will be a change in numbers wherever this data is reported on the WebEngage dashboard or in other reports sent by WebEngage or downloaded from the WebEngage dashboard.
Data Subjects have the right to ‘block’ or suppress processing of certain subsets of their personal data in the event of inaccurate or improperly obtained data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
If you have been asked by the Data Subject to restrict processing of certain subsets of that Data Subject's personal data, WebEngage allows you to mark certain end user profiles as restricted using the restriction REST API request. You can only mark the whole user profile as restricted, and not just some subsets of the profile data.
If the end user allows you to process the restricted subsets of their personal data, you can re-enable the processing using the re-enable REST API request.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
You may use the WebEngage REST API to export an end user’s personal data and furnish it to the Data Subject pursuant to his/her request.
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
WebEngage provides the ability to mark a user as being unsubscribed from Push, In-app, SMS, Web Push, or Email via our REST APIs and via the iOS, Android, and Web SDKs. Customers who receive objections from Data Subjects to receiving such messages can use WebEngage APIs to unsubscribe those end users.
If that is not sufficient, to avoid processing of end user personal data by WebEngage, the end user profile should be marked as restricted in the same manner as specified under the ‘Right to Restriction of Processing’ section above.
The GDPR prevents automated decision-making without human intervention in certain circumstances, in particular for decisions that “produce a legal effect or a similarly significant effect on the individual.”
WebEngage does not perform any automated profiling or decision-making actions with legal or equivalent ramifications for end users. If you believe that your own usage of the WebEngage platform will have legal or equivalent impacts, you may choose to delete the User Profile in the same manner as under the “Right to Erasure.”