General Data Protection Regulation (GDPR) Resource Center
Privacy
We have released an update to our Privacy Policies which comes into effect starting on May 25th, 2018. Our new policies are more user-friendly and address new data protection laws (including the GDPR). The most significant changes in the new policies are explained below:
- Better navigation and user-friendly language. To make the policy easier to understand, we reformatted our Privacy Policy and Cookies Policy pages with active links, so you can quickly find the information that matters most to you.
- Increased transparency around data collection and processing. We made sure to clarify our relationship with you as users of the Website or our Services and clarify your rights under the GDPR.
- More control over your information. Our Privacy Policy and User Policies explain how you can make choices about your information, and the measures we have put in place to keep your information secure.
Please find our updated launchmetrics.com Privacy and Cookies Policies here and our updated augure.com Privacy and Cookies Policies here.
Please find below our Users Policies related to our different products and services:
- For Discover℠
- For GPS Radar®
- For Events℠
- For Galleries℠
- For Samples℠
- For Contacts℠
- For Influencers by Style Coalition℠
- For Influencers by Launchmetrics℠
- For Publisher℠
Preparing for the GDPR
GDPR is a new piece of European privacy legislation that will be effective May 25, 2018 and will replace the current EU Data Protection Directive (“Directive 95/46/EC”). It harmonizes and modernizes data protection requirements across the European Union.
The new Regulation has a broad definition of Personal Data and a wide reach, affecting any companies that manage or hold Personal Data of EEA residents (that is, residents of the EU, Iceland, Liechtenstein, and Norway) regardless of where the companies themselves are located.
GDPR Glossary
Controller and Processor
From a privacy perspective, the data controller determines the purposes for which and the means by which Personal Data is processed. So if someone is collecting Personal Data and is determining how it will be processed, that person is the controller of that data and must comply with applicable data privacy legislation accordingly.
The data processor processes Personal Data only on behalf of the controller.
Data subject
A person who lives in the EU or EEA. For example, if Julie is one of your contacts and an EU resident, she can be called a data subject and your company will be a controller of Julie’s data. If you are a Launchmetrics customer, then for certain services, Launchmetrics will act as the processor of Julie’s data on behalf of your company. With the introduction of the GDPR, data subjects like Julie are given an enhanced set of rights that are represented in our policies.
Data Protection Officer (DPO)
A representative within a company or organisation (either a controller or processor) who oversees GDPR compliance, ensuring that the company or organisation is correctly protecting data subjects’ Personal Data.
Personal Data
Personal Data is any information that relates to an identified or identifiable living individual, such as, but not limited to, first name and last name, email address, IP address, or a cookie ID. Other pieces of information which, collected together, can lead to the identification of a particular person also constitute Personal Data.
Processing
Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (Art. 4 GDPR)
Supervisory Authority
An independent public authority which is established by a Member State and which oversees that country’s data privacy enforcement (e.g., United Kingdom’s Information Commissioner’s Office, France’s Commission nationale de l'informatique et des libertés, etc.). Such authorities were formerly called “data protection authorities”.
How does Launchmetrics ensure its services comply with the GDPR?
We built a cross-functional team that is tasked with incorporating privacy by design principles into Launchmetrics’ product offerings. Our team will keep monitoring the guidance around GDPR compliance from supervisory authorities as it moves to become more clearly defined over the next few months, and will continue to inform you on our strategy for GDPR.
Our team has established a comprehensive plan to achieve compliance before May 25, 2018. This plan includes the following measures:
- Update our privacy policies to reflect the additional rights granted to data subjects under the GDPR;
- Update our contractual terms so they are in line with the new GDPR requirements (please find here our Data Processing Addendum);
- Upgrade our contracts with our trusted vendors, to ensure that everyone who processes our customers’ data is respecting their obligations under the GDPR, and hold them to the same data management, security, and privacy practices and standards to which we hold ourselves;
- Review data security controls to ensure that we only use data in accordance with our customers’ instructions;
- Commit to having the appropriate data transfer mechanisms in place where we are transferring data outside of the EU;
- Review our current product features and practices to ensure we support our customers with their GDPR compliance requirements and include new product tools for data portability and data management;
- Keep raising internal awareness regarding security and data protection.
At Launchmetrics, we will continue to make additional required operational changes resulting from the new regulation, and will keep our customers and partners, as well as supervisory authorities informed throughout this process.
GDPR: The basics
Are you a controller or a processor?
While Launchmetrics operates the majority of its Services as a data processor, there are some instances in which we operate as a data controller. This can change according to the Services we are providing to you, and we will make sure to keep you abreast of our specific duties in our future communications or in each User Privacy Policy for specific products. When it is determined that we act as controller, or joint controller, we will define our respective responsibilities for compliance with the obligations imposed by the GDPR so it will reflect our roles and relationships toward the data subjects.
I am not based in the EU, why should I be concerned?
The GDPR has worldwide applicability. No matter where your organization is located, if it processes or controls the Personal Data of EEA residents, the GDPR likely applies to your company, too, so you need to be ready.
Do you offer your customers a Data Processing Addendum?
Yes, we offer our customers, and in particular our European customers, a new Data Processing Addendum (“DPA”), governing the relationship between the customer (acting as a data controller) and us (acting as a data processor). These additional terms meet the GDPR obligations with respect to the processing of that EU Personal Data. This DPA has been updated to confirm our compliance with the GDPR as and from May 25, 2018.
Can I make changes to the Data Processing Addendum?
Our DPA is an extension of our Service Provider Agreement and reflects our compliance with GDPR requirements as applicable to our products and services. We are unable to make any changes to our DPA on a customer-by-customer basis.
Does the GDPR require Personal Data be stored in the EU? What does Launchmetrics do to ensure lawful data transfers from the EU?
The GDPR permits transfers of Personal Data outside of the EEA subject to certain conditions. This means that, as long as the Personal Data is "adequately protected", data may be transferred outside the EEA. For example, the EU has prepared a list of countries which they deem to provide an adequate standard of protection, so it is permissible to transfer data to those countries. Where a country is not on that EU list (for example: the USA), the controller must rely on use of approved contractual provisions (e.g. EU Standard Contractual Clauses) or one of the other alternative measures, provided for in law, such as the EU-US Privacy Shield certification.
So the EU-US Privacy Shield continues to be one valid way to ensure adequate safeguards are in place for Personal Data transfer from the EU to the US.
And the EU Standard Contractual Clauses (“Model Clauses”) also remain a valid mechanism to lawfully transfer Personal Data. As stated above, we offer a Data Processing Agreement that incorporates the Model Clauses to our EU/EEA customers.
We are making sure that for these transfers our subprocessors (including members of the Launchmetrics Group and third parties), subcontractors and database providers are using recognized mechanisms such as the EU-US Privacy Shield or, when appropriate, executing the EU Standard Contractual Clauses (“Model Clauses”) that are appended to our Vendor Data Processing Addendum.
Will Launchmetrics sign Model Clauses?
In case of transfer of Personal Data outside the EEA, we will evaluate all available adequate transfer mechanisms. Our DPA for our customers and for our vendors includes the Model Clauses.
Do I need to do anything to be compliant with the GDPR?
You are responsible for legal compliance under the guidelines of the GDPR for any Personal Data you provide to Launchmetrics and you should ensure you have a legal basis and right to provide Launchmetrics with any Personal Data.
While Launchmetrics is committed to helping you successfully comply with the GDPR, it is important to recognize that compliance is a shared responsibility. We recommend that our customers get advice from their own counsel regarding the applicability of the GDPR as it relates to their activities. Some requirements will mean changes for your company as well.
What steps does Launchmetrics take to secure Service Data?
At Launchmetrics we treat data and application security very seriously. Providing excellent services, such as strong security, a high SLA and prompt resolution of client issues, is a key priority driving our day-to-day activities as well as our long-term strategy. Our Support team is on call 24/7 to respond to security alerts and events.
Stay Informed
Stay abreast of updated regulatory guidance as it becomes available and consider consulting legal counsel to obtain guidance applicable to you.
This page will be revised to reflect GDPR-related information as it becomes available.
Resources
- Launchmetrics’ privacy policy here
- Launchmetrics’ cookies policy here
- Launchmetrics’ data processing Addendum here
- Augure’s data processing Addendum here
- Security Policy and Practices here
- Augure’s privacy policy here
- Augure’s cookies policy here
User Policies
- Discover User Policy here
- Events, Samples, Contacts and Galleries User Policy here
- Publisher User Policy here
- Radar User Policy here
- IRM influencer User Policy here and Advertiser User Policy here
Vendor Resources
- Vendor Data Processing Agreement here
Third Party Resources
In addition to our own resources, we have compiled a list of additional sites for more information around the new regulation below.