GDPR Compliance at Justuno

Justuno takes the EU General Data Protection Regulation (GDPR) very seriously and has created several tools, forms and processes to help you stay compliant.

What Justuno has been doing to prepare

To better facilitate compliance, we have been implementing both product and non-product-related updates before the GDPR commences. Not only will these updates ensure our compliance, but they will also make it easier for all of our customers to comply. Below is the list of relevant updates we will be making:

Product Updates
  • (Complete) Improve contact deletion capabilities to comply with right to be forgotten requests.
  • (Complete) Improve site tracking so it can complement your website’s compliance needs.
  • (Complete) Address cookie compliance for www.justuno.com via site functionality.
  • (Complete) Add cookie banner themes to promotion wizard.
  • (Complete) Add ability to show consent checkboxes only for EU visitors as an option.
  • (Complete) Add EU to the list of Countries in our advanced targeting rule country condition.
Non-Product Updates
  • (Complete) To help with your GDPR preparation, we have an updated Data Processing Agreement available for you to use for your compliance needs. You can request to use our DPA through this form.
  • (Complete) Update our Privacy Policy and other website documents to reflect GDPR-related changes.
  • (In progress) Create new education & training content that relates to how users can use Justuno to best comply with the tenets of the GDPR.

Note: In accordance with GDPR, as our customer, you can exercise your data subject rights by contacting privacy@justuno.com.

While the purpose of these updates is to help our customers stay GDPR compliant without sacrificing usability of the platform, we suggest that customers consult an attorney if they have any questions about how the GDPR will impact their business.

Going forward, we will develop the product with the GDPR in mind, which means an emphasis on flexibility with regard to data. We will announce GDPR-related changes on a rolling basis, so check back here for updates.

Consent

We have created a checkbox option in our promotion designer. This can be used for general terms of service or for more explicit consent regarding your visitors opting into your campaigns. For more info on how to use this new layer, click here.

Data Processing Agreement

Our Data Processing Agreement (DPA) offers contractual terms that meet GDPR requirements and reflect our data privacy and security commitments to our customers. Each customer processing personal data on behalf of EU/EEA individuals is now able to sign this agreement here.

GDPR Audit Help

Are you being audited? If that happens to you, we are here to help and will get you any data we have that can help you comply with the audit. You can go here to fill out a form and get in touch with our audit concierge team.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), which will be enforceable on May 25th, 2018, is a regulation from the European Parliament, the Council of the European Union and the European Commission that attempts to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. When the GDPR takes effect, it will replace the data protection directive of 1995.

This page will address how Justuno is compliant with the GDPR. Please note that this page is for informational purposes only, and should not be used for legal advice. We at Justuno encourage you to work with legal counsel to determine precisely how the GDPR might impact your business. The GDPR website also has good FAQs, which cover who it affects, changes, penalties, and more.

Justuno already takes great measures to protect your data. The GDPR adds some new privacy protections for individuals within the EU:

  1. Expansion of scope: The GDPR applies to all organizations established in the EU or processing data of EU citizens.
  2. Expansion of definitions of personal and sensitive data: any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual.
  3. Expansion of individual rights: EU citizens will have several important new rights under the GDPR, including:
    1. Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
    2. Right to object: An individual may prohibit certain data uses.
    3. Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
    4. Right of access: Individuals have the right to know what data about them is being processed and how.
    5. Right of portability: Individuals may request that personal data held by one organization be transported to another.
  4. Stricter consent requirements: You will need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis. Keep in mind that:
    1. Consent must be specific to distinct purposes.
    2. Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.
    3. Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
  5. Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
    1. Contact details for the data controller
    2. Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
    3. Retention period: This should be as short as possible (“storage limitation”).
    4. Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements above), or the processing is in the organization’s “legitimate interest.”

How does Justuno help you comply with the GDPR?

The following covers both the explicit ways that Justuno complies and best practices for how you pass over data and use our platform.

  1. GDPR user rights
    1. Right to be forgotten: You may delete individual subscribers upon their request at any time.
    2. Right to object: You may opt your subscribers out of inclusion in communication types (or simply unsubscribe or delete them).
    3. Right to rectification: You may update your subscribers within your Justuno account to correct or complete subscriber/contact information upon their request at any time.
    4. Right of access: You may access your subscribers’ data within your Justuno account upon their request at any time.
    5. Right of portability: You may export any of your lists of subscribers in CSV format at any time.
  2. Email capture forms: For any information you collect via your forms on your website or app, it is your responsibility to ensure that you obtain consent from your customers and contacts to send their information to Justuno for processing. You should ensure that all of your pop-up windows, forms, etc. include language that provides this consent.
  3. Unsubscribing: Please ensure that all emails sent to subscribers acquired via your Justuno account include unsubscribe links, and test the links to ensure they work. If you are passing unsubscribe information via imports, please test these imports regularly and check counts within our application.
  4. You should also ensure that you are keeping accurate records, especially of your subscribers’ and contacts’ consent permitting you to send them marketing emails, store and use their personal data, and any other processing activities. Justuno can help you obtain proof of consent and will store a record of the date of your subscribers’ signup, as well as date of their removal of consent. We recommend consulting with legal counsel to determine if consents obtained prior to the GDPR comply with its requirements, or whether you should instead contact your subscribers and contacts to re-request consent in accordance with the GDPR requirements, or rely on a different lawful basis for your processing under the GDPR.
  5. You should review any Justuno integrations or add-ons that you are using (or plan to use), and any terms associated with those, to ensure that you have adequately disclosed potential data processing activities associated with your use of those services to your subscribers and contacts.
  6. You may want to consider updating your privacy statement to include language that specifically identifies Justuno as one of your processors and delineates the applicable processing activities performed by Justuno, such as the collection (e.g., via sign-up forms) and storage and processing of personal data, and the transfer of personal data for your own purposes (e.g., reporting).

This document was last updated May 11, 2018