GDPR: The EU Data Protection Law

Learn about our obligations under the GDPR, and how My Future Business is achieving GDPR compliance.

Overview

My Future Business has always made security and privacy among its highest priorities. That's why we've committed to making sure we are compliant with the GDPR. 

As the GDPR's scope is broad, and the potential penalties for noncompliance are significant, we've ensured that our tools are available to all of our customers, at no additional cost.

This page will outline some of the key GDPR principles and terms and present how they apply to your use of My Future Business products and services. 

General Data Protection Regulation (“GDPR”)

The GDPR is a unified regulation that supersedes and universalizes previous privacy laws in Europe, offering citizens and residents of the European Union (EU) greater transparency and controls over how their personal data is used by others. The GDPR requires the compliance of businesses which transact in Europe, or which facilitate transactions in Europe.

Controllers and Processors

There are two key roles defined in the GDPR with respect to personal data: Controller and Processor. The Controller is the business -- My Future Business.

My Future Business operates as the Controller when managing your personal data. We have the responsibility for ensuring that the personal data we are collecting is being processed in a lawful manner pursuant to the GDPR and that we [My Future Business] as 'processors', are committed to handling the data in a compliant manner.

My Future Business is also considered a Processor. We act on the instructions of the Controller (My Future Business), which come in the form of in-house and or external data requests. Like Controllers, as Processors, we have an obligation to explain what we do with your personal data. As Processor, we ensure that there is a lawful basis for processing.

Processors may, in the performance of their service, use other third-parties in the processing of personal data. These entities are known as sub-processors. For example, My Future Business leverages cloud infrastructure providers like Amazon Web Services.

With the implementation of the GDPR, we’re updating our privacy policy and End User License Agreements to include data processing sections that ensure that My Future Business remains a GDPR-compliant processor.

Processing of Personal Data

In order to process personal data, you need a lawful basis for processing. There are several methods to establish a lawful basis for GDPR compliance, but the most likely mechanisms we will rely on when communicating with you as a customer and or a lead, is one of the following:

1. Consent – Much of the GDPR revolves around the concept that our leads and customers have consented to us collecting their personal data, to using (e.g. processing) their data, or to receiving communications from us. According to the ICO, the following criteria must be met to show valid consent:11.

A. Consent must be freely given. This means giving people genuine, ongoing choice and control over how we use their data.

B. Consent should be obvious and require positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise, user-friendly, and easy to understand.

C. Consent must specifically cover the data Controller’s name, the purposes of the processing, and the types of processing activity.

D. Explicit consent must be expressly confirmed in words, rather than by any other positive action.

E. There is no set time limit for consent. How long it lasts will depend on the context. We will review and refresh consent as appropriate.

In short, under the GDPR (which is a good idea in general), consent must be obtained by a “clear affirmative act”. In contrast to ‘clear affirmative acts’ pre-checked boxes or implicit consent are inadequate to establish consent.

As we rely on consent as the lawful basis for processing your data, the GDPR requires us to maintain and make available when requested, recorded evidence that consent has been given. Thus we need in our business the ability to record proper consent for each customer and lead.

When we enable the GDPR functionality, My Future Business has the ability to obtain the lead's consent at the point of opt-in, and that consent will be registered as a tag or other appropriate identification associated with that lead.

My Future Business controls what it does with its leads. Thus, My Future Business ensures that, when My Future Business is acting as a processor, we will comply with the GDPR.

2. Contract – In addition to consent, another lawful basis for processing data is if the processing of personal data is necessary for the performance of a contract. Password reset, billing notifications, and onboarding communication would likely fall under this lawful basis. In other words, if it’s a customer who transacts with you, there are certain processing tasks that must be undertaken for us to provide the service. Likewise, to keep its commitments under its EULA and provide service to our customers, My Future Business has to perform certain processing activities.

How My Future Business Uses Personal Data

My Future Business is committed to maintaining full transparency in the handling and processing of our customers personal data.

The User Data My Future Business collects: Name, Email, Phone, Address, Country, IP, and Username (if not by a user, may be automatically generated).

My Future Business tracks the following activities: transactions, help desk tickets, memberships, associated lists, and associated sequences.

Data is stored or deleted at the customers request. When a person ceases to be an active My Future Business customer, their accumulated data is retired to a storage cluster of servers with no front-facing access. After an arbitrary period of time, the data is deleted.

Data Subject Rights

Under the GDPR, EU data subjects are certain rights regarding their data.

These include:

The Right to Data Portability and the Right to Access:

My Future Business offers tools to answer customer queries about what data we have collected and what's been done with it.

The Right to be Forgotten and The Right to Restriction of Processing

If we have a lead or customer who wants their personal data out of our database, this is no problem. We will remove that contact from any list or sequence -- or even delete them entirely. However, transaction records will remain intact for bookkeeping purposes (though personal data will be redacted (e.g. ‘blacked out’ from view).

Unless otherwise required by law, in the event that My Future Business receives any type of request from a data subject, we will engage the respective customer within seven days to respond to the data subject request.

Data Processing Addendum

Our GDPR data processing addendum (DPA) to our End-User Licensing Agreement formalizes many of the details described on this site in specific legal language. As part of the EULA, the DPA will govern the terms by which My Future Business, as a data processor, processes data on behalf of its customers (who are typically data controllers) in accordance with Article 28 of the GDPR.

These include:

  • sub-processors engaged in delivering our services
  • countries through which the data is passed (cross-border protocol)
  • security measures undertaken to ensure that your data is kept private
  • breach notification protocol

FREQUENTLY ASKED QUESTIONS

Does the GDPR impact businesses outside of the EU?

In many cases, yes. Even businesses that are not based in the EU are considered to be subject to the GDPR if they are collecting personal data on EU residents. Enforcement of the GDPR outside of the EU will be by EU authorities and it remains to be seen how aggressive they will be. It is widely accepted that companies that collect personal data from EU residents will be subject to the requirements of the GDPR.

Does the GDPR require data to be stored in the EU?

The GDPR does not require that data processing (including storage of data) be limited to the EU. The EU-US Privacy Shield is one of several valid lawful mechanisms to transfer data between the EU and the US. In addition to Privacy Shield, My Future Business’s Data Processing Addendum includes the EU Model Clauses, which is also a valid mechanism for the lawful transfer of data between the EU and US.

How does the GDPR impact personal data collected before May 25th? Will I need to get consent for all of my leads again?

The GDPR applies to all personal data, even if it was collected before May 25, 2018. As My Future Business is preparing for the implementation of the GDPR, we will be making sure to we can properly audit the consent records for the EU-residing members on our email list, or that we can obtain and record evidence of consent going forward.

Does My Future Business have a Privacy Policy?

Yes! It contains information on our policies and efforts to comply with all applicable regulations and to guarantee the privacy of your data. It can be found here.

Does My Future Business have a Data Processing Policy?

Yes! Our Data Processing Addendum to our EULA contains the details of our data processing and how we work with Controllers and Sub-Processors to comply with the applicable regulations and to ensure the privacy of your data. You can obtain a copy of the My Future Business DPA by making a written request by email to our Data Protection Officer.

Who is My Future Business’s Data Protection Officer (DPO)?

My Future Business DPO is: Rick Nuske
Contact:  myfuturebusiness.com/contact

In accordance with Article 38 of the GDPR, members of the public may contact the DPO with regard to issues related to processing of their personal data and to exercise their rights under the GDPR – for example, to object to the processing of their data in cases where the data processor (i.e., My Future Business) does not provide an adequate response.

Is My Future Business PCI Compliant?

My Future Business adheres to, and is subject to audit for compliance with, the Payment Card Industry Data Security Standard, which is a rigorous data protection framework oriented towards the protection of payment card data.

Questions? Contact Us

If there are any questions regarding this policy you may contact us using the information below.

27 Dressage Avenue - Adelaide, South Australia 5162, Australia

www.myfuturebusiness.com/contact

Last Edited on 2018-06-07