Appticles and GDPR
The General Data Protection Regulation (GDPR) takes effect on May 25, 2018. The resources below are to inform and equip Appticles customers, business owners, and developers who build mobile products and/or extend any of our PWAs or AMPs, with regards to the GDPR.
This applies to all Appticles products: WPMobilePack.com, PWACommerce.com, PWAThemes.com and AMPThemes.io.
What is GDPR?
On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
As a result of this change, many organizations that have access to and process the personal data of EU-based users are subject to the rules and regulations that come into effect along with GDPR. Since many of our customers are based in the EU & our company, Webcrumbz LTD, is headquartered in the EU, we need to address these rules and regulations accordingly.
In short, as an individual, you need to be able to get proper insights into what personal data of yours is processed by for instance Appticles, for what purpose and how. And you have the right to have old and irrelevant data deleted (“forgotten”) as well. So if you want your personal data removed from our systems, we must act on that request. This applies to every company that has EU customers or stores any other personal data of EU residents.
What is Appticles doing to comply?
At Appticles, we take privacy very seriously. Always have, and that is why we store and process as little details as we can to be able to work with/for you. You’ll rarely find us asking excessive details that we really don’t need for that.
As a general rule, do not give us personal data. Not your own, not your customers’ and not your visitors’. This may sound strange but for most things, we just do not need personal data. And under the GDPR, you should not give us personal data if it is not needed. If we do need personal data, we will ask first.
One of the things that we will be more strict on, for instance, is that we won’t accept people’s own personal login details. You’ll be amazed how many people simply send their own login details over email. This isn’t secure in any way, as you will understand.
With the GDPR, we need you to be in the driving seat in these cases. It’s your (customer’s/employee’s) data. You need to be able to control our access to your website, which means you need to create a login for your website especially for us, for the time of the assignment (so just to fix something in support, or for us to be able to configure our plugin). When that assignment is done, we will let you know and we’ll insist that you remove our login details as they are no longer needed. It’s your responsibility to remove these, as that isn’t something we can control. On our side, we will make sure to remove these login details from our records.
What are we doing to ensure data protection for all our customers?
- Appticles signup and login services are completed through a secure server (HTTPS/SSL).
- Appticles uses cryptography hash functions to protect your information. Your password is stored as a hash digest and, in the event of a security breach, your original password cannot be recovered from our servers.
- In accordance with the GDPR, site visitors have the right to access their data or "be forgotten" (to be permanently deleted from your databases). Right to access - click here for instructions. Right to be forgotten - click here for instructions.
- Setting up a Data Processing Agreement for third parties we work with.
- Updating our Terms of Service and other legal documents to align with any GDPR related changes.
- Reaching out to third parties we work with, to make sure these align with and are prepared for the GDPR as well.
This is about personal data, not website data
Please note, that most details we do have access to in our line of work, relate to website data, not personal data. The login details procedure as described in the previous section is especially needed in case of an online shop that stores customer data as well. As we want a solid procedure for this, we apply this procedure to all websites, just to make sure we and you are not overlooking that tiny piece of personal information you stored and made accessible for us by that login.
GDPR targets that personal data. Where it comes to website data: we need that data to further optimize your website. No personal data is needed for that, so please don’t make this data accessible to us. If you really have to, follow the procedure as described. Of course, we promise not to touch that data in any way that’s not agreed on. For instance, if we need to use the data for testing purposes, we’ll need to agree to this use in writing. And we’ll agree on what happens with that data after testing if needed.
Frequently Asked Questions
What is personal data?
Any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as - name, email address or location, and also online identifiers like IP address, types of website cookies and other device identifiers.
Who are data controllers, processors, and sub-processors?
A data controller is the entity/person that determines purposes and means of processing personal data of the EU resident. Depending on their function, our customers can be either controllers or primary processors in relation to personal data subject to GDPR.
The GDPR applies to both data controllers and processors. Controllers collect data from the end-user who is, in most cases, the EU resident for purposes clearly stated and with appropriate consent. Data processors provide services to the controller in accordance with each controller's instructions.
Another category called sub-processors or third-party businesses performing data processing for other companies are also accountable for protection of personal data, according to the GDPR.
Does the GDPR require EU data to stay (be hosted/stored) in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it materially change the landscape for data transfers outside the EU.
Does GDPR apply only to the EU residents’ personal data?
GDPR does not only cover EU resident’s data. For example, data of US residents would also fall under GDPR to the extent an EU-established entity processes such data in the EU.
Does GDPR apply to territories outside the EU?
GDPR can apply any time personally identifiable information of any EU resident is stored and processed. It does not depend on the physical location / territory. Also, establishments in the EU are subject to GDPR regardless of where personal data comes from.
How to ensure compliance if I am using 3rd party integrations?
If you elect to integrate a 3rd party service in the PWAs or AMPs purchased via Appticles, you need to ensure that the service has taken all the necessary measures to be compliant with GDPR. Talk to your legal counsel to evaluate your exposure to GDPR and any additional steps you need to take to be in compliance.