Letter from Gobot’s CEO
As CEO, I am personally serving as Gobot’s Data Protection Officer (DPO). If you have any questions or concerns in this regard, please contact me directly at email@example.com.
Not only is Gobot compliant with privacy laws as it relates to our customer data, we literally designed Gobot with the intent of facilitating your compliance with privacy laws. In other words, this first-party data platform will help you get it right! Gobot makes it very easy for you to delete your customer or visitor data upon request and also to send your customers and visitors a report as to their personal data. Gobot also documents your visitors’ consents and removal of consent, which you might be required to produce upon request by the authorities. You can also leverage Gobot to provide your visitors necessary notices, which is key. Long story short, use Gobot to facilitate your privacy compliance!
We are also offering our EU- and EEA-based customers a Data Processing Agreement (DPA), which includes the EU-approved model clauses, for our quiz and chatbot offerings. The DPA clarifies exactly how Gobot handles the data we process for you and provides the information and assurances you may need under GDPR. Click here to access the DPA.
While I am not a lawyer, and don’t pretend to be, below you will find some background information about GDPR and some useful information as to how you can leverage Gobot to comply with GDPR for our quiz and chatbot offerings.
CEO and Founder
This website is not intended to provide legal advice. You should not rely on this website for such, nor as a recommendation as to a particular legal understanding. Our goal is to provide background information to help you understand how Gobot has addressed some important legal points. This information is not the same as legal advice where a lawyer applies the law to your particular circumstance. Therefore, we suggest that you consult a lawyer to seek assistance in the interpretation of this information including its accuracy.
Can you help me understand the legal context around automated abandonment emails?
Absolutely. Take a look at our Legal Context document here.
CCPA Background Information
We detail in Exhibit B the categories of information we collect about CA Consumers, who we share this information with, the purposes for which we use the information, and whether we’ve sold this information in the past 12 months.
How do I access Gobot’s Data Processing Agreement?
We are also offering our EU- and EEA-based quiz and chatbot customers a Data Processing Agreement (DPA), which includes the EU-approved model clauses. The DPA clarifies exactly how Gobot handles the data we process for you and provides the information and assurances you need under GDPR. Click here for Gobot’s DPA.
What is GDPR?
The GDPR (General Data Protection Regulation) is an EU Regulation that replaces the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It came into force on May 25, 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
The full text of the GDPR can be found here.
Does GDPR apply to me?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who market their products to people in the EU or who monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
Will data now have to be stored in the EU?
No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is "adequately protected", data may be transferred abroad. For example, the EU has prepared a list of countries which they deem to provide an adequate standard of protection (known as "white listed countries"), so it is permissible to transfer data to those countries from the EU. Where a country is not on that EU list (for example, the USA), the controller must rely on use of approved contractual provisions (e.g., the Model Clauses in Gobot’s Data Processing Agreement) or one of the other alternative measures provided for in law.
Why should I care about GDPR?
The aim of GDPR is a positive one: to protect the privacy of EU citizens. However, violation of GDPR may result in a serious fine. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater).
Rights under GDPR and how Gobot’s quiz and chatbot offerings facilitate compliance:
Whenever a data subject, e.g., your customer or website visitor, is about to submit their personal information, the data controller, e.g., your company, has to make sure the data subject has given their consent. The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”. Further, GDPR requires the data subject to signal agreement by "a statement or a clear affirmative action."
In connection with our conversational experiences, Gobot provides the flexibility you need to seek consent and, if necessary, process withdrawn consent. With Gobot, how you script your conversational experiences is up to you. To play it safe, however, we suggest that when interacting with European citizens your experiences be drafted to seek consent such that what you get is “freely given, specific, informed and unambiguous.” In other words, make sure to have your conversational experiences ask for permission to use the information you collect in a specific and very clear way. Also, allow your visitors and customers to respond in a very specific and clear way, e.g., using specific and well thought out multiple choice options that avoid subjective responses.
Finally, if your customer or visitor opts to withdraw consent as to a chatbot or quiz related email, Gobot’s emails include an optional opt-out button you can use for European citizens.
Gobot also makes it very easy for you to provide the notice required under GDPR. When collecting data, consider including notice in your conversational experience script clarifying exactly how long you will hold onto the data, what you will use it for, who you will share it with, how the visitor can seek to opt out later, whether the visitor’s data will be used to make automated decisions, the relevant legal bases for processing, and means to communicate with you. Gobot’s notice functionality makes it really easy for you to provide the required notices in a clear and trackable manner.
Above and beyond allowing for scripting of a conversational experience that seeks consent in a clear and unambiguous way, providing the requisite notice, and allowing for easy opt-out when your customer or visitor changes their mind, Gobot has simplified and added additional control over retention. Consistent with GDPR, Gobot makes it easy to hold onto data you collect only for a period reasonably necessary to accomplish the purpose for which the data was collected in the first place.
Right to be forgotten:
GDPR also grants European citizens the “right to be forgotten,” which requires that controllers delete all personal data stored about the citizen and also that the controllers alert downstream recipients of the deletion request. Gobot makes it easy to delete all information you have about a particular contact with the press of a button.
Right to data portability:
GDPR also grants European citizens the “right to data portability,” which allows data subjects to demand a copy of their personal data in a common format. Gobot makes it easy to print a report including personal data Gobot has collected from a particular contact.
Controllers will also be required to provide evidence that their processes are compliant and followed in each case. Gobot’s consent log and transcript feature facilitates compliance in this regard. If you are ever questioned as to whether a particular visitor or customer provided consent to use of their personal data, e.g., email address, you can point the customer or authorities to your Gobot consent log, which clearly documents the consent provided. The log references the conversational experience transcript showing exactly the authorization you requested and the notice you provided, and importantly, the consent your visitor or customer responded with.
Where can I find additional information about GDPR and CCPA?
Click here for the full text of the GDPR in English.
Here it is in German.
The EU’s GDPR page.
The EU’s Data Protection Supervisor.
Find your Supervisory Authority here.
Click here for the CCPA.