Commitment to GDPR

Last updated: 15th of September 2019

What is GDPR

The GDPR (General Data Protection Regulation) is a new European privacy law adopted by the European Commission in 2016 designed to strengthen, modernize and unify the data protection laws for ALL individuals within the European Union.

GDPR will replace the prior EU privacy directive (95/46/EC) as well as all the local nation-state laws relating to it. This directive has been the basis of European data protection law since 1995.

The GDPR will be enforceable starting 25 May 2018.

There's a rather high chance GDPR will apply to you too, as GDPR applies to:

  • all organizations established in the EU
  • organizations not established in the EU that are targeting & offering goods or services to individuals located in the EU or monitoring their behaviour in the EU.

This means GDPR could apply to any organization anywhere in the world and thus it sets a high bar for privacy rights and compliance all around the world.

You can read the legislation at https://gdpr-info.eu/.

What we're doing to be compliant

123Metrics, being a privacy-first product, fits naturally with the strong data privacy principles and rules that GDPR establishes.

We've thoroughly read the EU documentation on the GDPR, gone through most of the material available on the GDPR, and discussed it with our legal counsel to understand its impact. The privacy and security of our customers (and their customers) are of utmost importance to us.

We are proud to be compliant with respect to:

  1. the data we collect FROM individuals signing up for 123Metrics accounts, as data controller
  2. the data we collect FROM individuals visiting our website, through Apache logs, as data controller
  3. the data we receive FROM our reseller, Paddle.com Market Ltd, about customers, when subscribing, as data controller
  4. the data we process FOR our clients in their use of the 123Metrics service as data processor.

Compliance as data controller

In summary, here are the key elements that make us compliant as data controllers with regard to the personal data we process.

  • 123Metrics accounts can view & edit all the personal data we collect & store (name, email).
  • 123Metrics accounts can be instantly deleted together with all the related data (account user invites, website data and page visits data).
  • Set up a retention policy for our website's Apache logs (1 month). Apache logs contain the IP address, visited page, GET parameters and the user agent.
  • Appointed a Data Protection Officer.
  • Our Privacy Policy mentions all the data that is collected along with your rights under GDPR.
  • All personal data is stored in the EU by US organizations (Amazon Web Services, DigitalOcean) for which there's an "adequacy decision", such as participation in the EU-US Privacy Shield.
  • Reviewed our relationship with Paddle.com Market Ltd, our reseller, regarding the data they pass on to us, which we use as controllers to show clients where Paddle will send their invoices.
  • 123Metrics has a complete data retention policy. Expired trial accounts and canceled subscriptions whose owners have not manually deleted their account will automatically have all their data deleted after 90 days. Deletion is permanent; all the data is truly deleted, not just marked as deleted.

How is 123Metrics helping you achieve compliance

123Metrics is a privacy-centered analytics product that does not collect, track or store in any way personal data about your website visitors. All of the measurements of your site's performance and efficiency are done with non-intrusive metrics.

What this means is that right from the start, 123Metrics is a GDPR compliant service. You can read about the data we gather in our documentation.

Do you need to comply with the GDPR?

You should consult with legal counsel regarding the full scope of your compliance obligations, but generally speaking, if you are an organization established in the EU or one that processes personal data of EU citizens, you have to comply with GDPR.

If you're selling to businesses, your EU customers might have a hard requirement for you to comply with GDPR, depending on the nature of your business.

What happens if you do not comply?

Non-compliance with GDPR can result in fines:

  1. as high as 20 million euros or 4% of annual global turnover for blatant violations of the individual's rights, of the basic principles for processing (including consent rules), and of the rules for data transfers to international organizations set forth in the GDPR legislation
  2. as high as 10 million euros or 2% of annual global turnover for blatant violations of your obligations as a data controller or processor.

Controller or Processor?

In the context of the 123Metrics platform and the data we collect and process for you as our customer, you are a controller and we are a processor for your data.

Explicit consent

GDPR defines two types of consent:

  1. unambiguous consent
  2. explicit consent

As a data controller, you need explicit consent for processing sensitive data. There are six categories of sensitive data:

  • health records
  • racial or ethnic origin
  • political opinions
  • membership of trade unions
  • sex life and sexual orientation
  • genetic and biometric data