General Data Protection Regulation

Announcement Date: 05/07/2018

Overview

On May 25th, the EU General Data Protection Regulation (GDPR) will come into effect. These new regulations enforce new principles and guidelines for how companies and individuals can collect, use, and disclose personal data from EU residents.

We believe the GDPR represents a positive step forward in protecting individual privacy and establishes a new standard for obtaining clear consent when collecting personal data.

Legal Disclaimer

The following information is provided for general information purposes only and may not be relied upon as legal advice. You should talk to a qualified, licensed attorney before relying on any information in this announcement.

Who the New GDPR Rules Affect

The GDPR applies to any company that collects, retains, and/or otherwise processes personal data from residents in the European Economic Area (“EEA” or “EU”). That includes Merge Mobile Inc, the provider of FastField, and you as our customer.

Stated plainly, anyone or any organization who hosts a website that can have even a single EU visitor is impacted by this law. Therefore, any company that acts as a data Controller or data Processor of any EU residents’ personal data is subject to these new laws.

Our goal in this document is to avoid the typical legal jargon and state in plain English our approach to addressing GDPR as well as preparing you as a Collector of data.

Definition of Personal Data

GDPR has a broad definition for the term Personal Data. The law states that it generally encompasses all information about a specific person, including:

  • Name
  • Email Address
  • Date of Birth
  • Physical Address
  • Personal Photo
  • Social Media Username
  • Or any other information that can lead to identifying a real person.

Definition of a Data Controller

A data Controller is a person or company that collects personal data and decides:

  • What information is collected
  • How that information is collected
  • How that information is used or distributed in a downstream process

Merge Mobile is a data Controller of FastField users’ account data. This includes phone number, email, and physical address. Our customers are the data Controllers of information gathered through the forms they create and distribute using our system.

The data Controllers have the most responsibilities under GDPR, and must make sure that proper consent, where necessary, is obtained before collecting, storing or using personal data.

Data Processor Definition

A data Processor is a person or company that processes personal data on behalf of a data Controller.

Because we do not define or control the forms that our customers set up or dictate how they collect data using those forms, Merge Mobile is considered the data Processor of personal data collected via forms set up in our system. As Processors, we’re committed to supporting your GDPR compliance.

What We've Done to Get Ready for GDPR

We’ve been doing a lot of work behind the scenes to get ourselves ready for GDPR and to help our customers meet their new obligations under the GDPR.

The following list outlines the steps we've taken to prepare for GDPR:

  • We've applied for certification with the EU-US and Swiss-US Privacy Shield Frameworks. The Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. We are in the final stages of this process and are awaiting approval.
  • We're reviewing all our vendors that store or process personal data to ensure they’re on track with preparing for the GDPR.
  • We're reviewing and updating our vendor agreements, where necessary, to accommodate GDPR provisions.
  • We're updating and documenting our internal processes and governance structure for handling requests from data subjects, including requests for data access and deletion.
  • We've implemented an internal security and privacy training program to ensure that we continue to protect and secure personal data.
  • We've undergone a third-party security review and penetration testing.
  • We're pursuing an ISO-27001 certification.
  • We're updating our Terms of Service and Privacy Policy to clarify how we collect, use, and disclose personal data as required by the GDPR.

What You Should Do to Prepare for GDPR

If you have created forms to collect personal data from EU residents, you have responsibilities as a data Controller. The following list outlines some important steps to take to ensure your compliance with GDPR:

  • Understand your responsibilities as a data Controller, and take steps to abide by the GDPR. This data protection self-assessment checklist is a good guide.
  • If you've created forms that request/collect personal data using our Services, please make sure to clearly request and get consent, unless another lawful basis for processing applies.
  • If you’re building forms for your customers or clients that collect personal data using our Services, ensure your clients understand their responsibilities as a controller of that personal data.
  • If you’re using third-party integration services such as Zapier, Dropbox or Google Docs to distribute personal data collected by your forms, make sure to review your responsibilities as a data Controller.
  • If you include third-party services on your website that use cookies to track website visitors, you should consider creating a GDPR-compliant cookie policy for your website.
  • Please be sure to review the full GDPR regulation to understand all the obligations that you may have as a data collector.

What's Next

On May 25th, we’ll be updating our Terms of Use and Privacy policy to include additional data processing terms which will include the following:

  • What personal data we collect
  • What we use the data for
  • How we keep it secure
  • Your rights to access and control your data
  • Merge Mobile's responsibilities as a data processor
  • Your responsibilities as a data controller

These new terms will come into effect on May 25th, so we encourage you to review the updated Terms and Privacy Notice(s) as they are updated in the coming weeks. They will apply to you if you continue to use our products and services on and after May 25, 2018.