|Consent||In order for Bob to grant consent under the GDPR, a few things need to happen:
• He needs to be told what he’s opting into. That’s called “notice.”
• He needs to affirmatively opt in (pre-checked checkboxes are not valid). Filling out a form alone cannot implicitly opt him into everything you plan to send.
• Consent needs to be granular, meaning it needs to cover the various ways you process and use Bob’s personal data (e.g. marketing email or sales calls). Please note that to be safe you should check with legal counsel as to how to confirm data usage to create FB Pixel look-alike audiences.
You must log auditable evidence of what Bob consented to, what he was told (notice), and when he consented.
|In bucket.io, we're adding Opt-in checkboxes with customizable text, which will include a date/time stamp to make collecting, tracking, and managing consent in a GDPR-compliant way as straightforward as possible.
In your opt-in, you’ll be able to provide granular notice to Bob before he provides information to you as well as collect the appropriate consent when he’s ready to grant it.
Once Bob submits his information, we will store a copy of the opt-in text notice that Bob was provided, information about which consent he provided, and the timestamp of the interaction.
|Withdrawal of consent (or opt out)||Bob needs the ability (as data subject) to see what he’s signed up for, and withdraw his consent (or object to how you’re processing his data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.
This is done via your Email Service Provider, or via other means that are outside the area of bucket.io. bucket.io currently handles only the opt-in portion of the process. As bucket.io provides no direct means of communicating or using this data, this opt-out functionality is not currently implemented in bucket.io.
|Cookies||Bob needs to be given notice that you're using cookies to track him (in simple language) and needs to consent to being tracked by cookies.
As bucket.io does not provide direct cookie tracking, this messaging is your responsibility to provide on any websites you present to Bob.
|Deletion||Bob has the right to request that you delete all the personal data you have about him. The GDPR requires the permanent removal of Bob’s contact from your database, including email tracking history, call records, form submissions and more.
You’ll need to respond to Bob’s request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply. For instance, someone who is actively using your service cannot request full deletion; otherwise you could not effectively bill them.
To delete records within bucket.io, you simply have to delete them from within the funnels they have participated in.
|Access / Portability||Not only can Bob request that you delete his data, he can request access to the personal data you have about him. Personal data is anything identifiable, like a name and email address. If he requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).
Bob can also request to see and verify the lawfulness of processing.
bucket.io enables you to fulfill any access/portability request by exporting details from a funnel and then filtering the export down to only Bob’s data. Note that if you are passing 100% of data into an Email Service Provider, that should fulfill all obligations in this regard.
|Modification||Just as he can request to delete or access his data, Bob can ask your company to modify his personal data if it’s inaccurate or incomplete. If and when he does, you need to be able to accommodate that modification request.
In rare cases like this, you can currently make this request of bucket.io support.
|Security Measures||The GDPR requires data protection safeguards.
As part of bucket.io’s approach to the GDPR, we’re enhancing all facets of our security controls.
In addition to industry-standard practices around encryption, bucket.io's infrastructure team is also improving our systems for auditing to better protect our customers' data.
We will provide additional details on these security measures as they are implemented.