The General Data Protection Regulation (GDPR):
All That You Need To Know

EngageBay is a provider of an all-in-one marketing solution for online businesses worldwide. As a responsible, customer-focused organization, we are fully committed to consumer privacy, and we take every measure to protect the data of our customers and their subscribers (view our Privacy Policy).

For that reason, we want to tell you about the General Data Protection Regulation (GDPR), which applies from May 25, 2018 to every business that processes the personal data of people in the EU.

Businesses of all sizes are required to comply with the GDPR going forward. The GDPR is very broad in scope and applies to businesses both inside and outside the EU.

Businesses that don’t comply with the GDPR could face heavy fines.

Disclaimer: EngageBay offers this content for informational purposes only; it should not be relied upon as legal advice. We encourage you to consult legal and other professional counsel to understand fully how the GDPR applies to your organization and business activities.

What is GDPR?


The General Data Protection Regulation, also known as the GDPR, was adopted on April 27, 2016 and applies from May 25, 2018. It governs the processing of personal data of individuals in the European Union (EU), including the transfer (export) of that data to countries outside the EU.

The GDPR repeals the 1995 Data Protection Directive (Directive 95/46/EC). Unlike a directive, which each member state had to transpose into its own national law, a regulation is directly applicable: the GDPR's rules apply in every member state from May 25, 2018 without any national implementing legislation.

All EU member states follow a single set of rules, and each must have an independent supervisory authority (SA). The SA investigates complaints, handles administrative offenses and enforces the regulation.

A company established in more than one EU member state deals with a single lead supervisory authority, the SA of the member state where it has its main establishment. That lead SA acts as a one-stop shop for the company's cross-border processing, coordinating with the other SAs concerned. The Article 29 Working Party is replaced by the European Data Protection Board (EDPB).

In every case there is a data controller, the organization that decides why and how personal data is processed. The controller stays responsible for that data even when it outsources processing to a processor such as a cloud service provider.

These rules exist to protect personal data, which the European Commission describes as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."

What does GDPR do?


The goal of the GDPR is to protect the privacy of individuals in the EU and to reduce the harm from data breaches in an increasingly data-driven world. It guarantees the following key rights to data subjects:

  • Right to be informed: You and your subscribers must be told, at the time data is collected, what personal data is held, how it is used and why.
  • Right of access: You or your subscribers can request a copy of the personal data held about you at any time.
  • Right to rectification: You or your subscribers can correct (or request corrections to) inaccurate personal data at any time.
  • Right to erasure: You may cancel your EngageBay account at any time and request that EngageBay erase your personal data, cease further dissemination of it, and, where applicable, have third parties halt processing of it. Your subscribers may request that you or EngageBay do the same for their personal data.
  • Right to restrict processing: You may put your account on hold at any time.
  • Right to data portability: You may export any of your data, or selected information within any data set, at any time from your EngageBay account, in a machine-readable format.
  • Right to object: Your subscribers may object to processing such as direct marketing, for example by unsubscribing from any of your emails at any time.

How does GDPR affect you?


It is worth keeping in mind that before the GDPR you already had to comply with data protection law (Directive 95/46/EC and the national laws implementing it) when processing personal data.

The GDPR raises the bar: data controllers must make a greater effort to process personal data lawfully, must explain clearly how data will be processed, and must rely on a valid legal basis such as consent. If a personal data breach occurs, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and must notify the affected data subjects without undue delay when the breach is likely to result in a high risk to them.

Unlike the earlier directive, the GDPR also places direct obligations on data processors and outlines how they must comply.

If you have an EngageBay account, you are the controller of your contacts' personal data, because you decide why and how their information is used. That makes you responsible and liable under the GDPR.

Who does GDPR apply to?


The GDPR applies to you if you are a data controller or a data processor that is:

  • established in the EU, even if the processing itself takes place outside the EU; or
  • established outside the EU but processing personal data of people in the EU, where you offer them goods or services (paid or free) or monitor their behavior within the EU.

What is a Data Controller?

A data controller is a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (See Article 4, GDPR)

What is a Data Processor?

A data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. (See Article 4, GDPR)

So, what does this mean?

EngageBay is the controller of the personal data you provide to us as a customer. You are the controller of the contact data you upload to and use in your EngageBay account.

EngageBay is your processor when we provide our services to you. For example, when facilitating the sending of emails to contacts and providing tools to manage your contact lists, we are acting as a processor on your behalf.

Please note, however, that it is your responsibility to ensure that you have the necessary notices and/or consents in place before transferring personal data to us for processing.

How do you know if you offer goods or services to people in the EU?


  • You use a language or currency common in one or more EU countries to help people who live there take up your offer.
  • You mention customers or users who are in the EU.
  • You clearly target your offer to people in the EU.

If any of the scenarios above applies to you, the GDPR almost certainly applies and you must comply with it.

On the other hand, you probably do not need to comply if you merely have a website, email address or other contact details that can be reached from the EU, and your site uses only the language of your own (non-EU) country.

What happens if you don’t comply?


Failure to comply can result in hefty fines: the GDPR allows administrative fines of up to €20 million or 4% of a company's total worldwide annual turnover, whichever is higher. Make sure you are in compliance ahead of the May 25, 2018 deadline. This is not something you can ignore, and you should not put off preparing until the last minute.

What is EngageBay doing to comply with GDPR?


EngageBay will comply with the GDPR by the May 25, 2018 deadline. As a customer of EngageBay, you gain the expanded privacy protections and rights the GDPR grants. We will be prepared to handle requests from you so that you, in turn, remain in compliance.

Right to rectification – You can edit your account information at any time through your EngageBay account settings, or contact us directly to edit or update it. See our Privacy Policy for details on what data we collect and how it is used.

Right to be forgotten – You may cancel and terminate your EngageBay account at any time. After receiving a request to be forgotten, we will permanently delete your account and all data associated with it within 30 days of receiving the request.

Right to portability – On request, we will export your data so that it can be transferred to a third party. You can already do this today.

Right to object – At any time, you may object (via opt out) to your personal data being used for specific purposes such as direct marketing, research, etc.

Right of access – We are transparent about the data we hold and how we use it. Refer to our Privacy Policy for information on what data we collect and how it is used. You can contact us at gdpr@engagebay.com at any time to access or edit your data, or with any questions about your data and how we use it. When we change our Terms of Service, we will send you an update to review and accept.

How EngageBay will help you comply with GDPR requests from your Customers


The GDPR expands the privacy protections and rights of your customers. EngageBay's GDPR compliance program will help you comply with the requests you receive from them.

Right to rectification – You can update a contact's information at any time. If a contact reaches out to EngageBay directly, we will correct or delete that information on their behalf.

Right to be forgotten – If you receive a request to be forgotten, you can delete the contact, which permanently removes his or her information from your account. If the contact reaches out to us directly with a valid request, we will notify you of the request and delete the contact's data from your account or, if requested, from all EngageBay accounts, in order to comply with the GDPR.

Right to portability – If a contact requests their personal data, you can export it as a .csv file, which we make available to you over a secure (TLS) connection.

Right of access – Make sure your existing Privacy Policy explains how you use and manage personal data. If a contact requests their personal data, you can export it as a .csv file and provide it to them.

In addition, we are reviewing and, where necessary, updating our agreements with you and with our subcontractors (to include the required GDPR terms), as well as our notices, policies, internal processes, features and templates, to ensure our own compliance and to help you achieve yours.

EngageBay is also working toward certification under the EU-US and Swiss-US Privacy Shield frameworks. Certification means that we transfer and protect personal data from the EU and Switzerland in line with the Privacy Shield principles, which are administered by the US Department of Commerce, enforced by the Federal Trade Commission and recognized by an adequacy decision of the European Commission. This allows you to transfer your data, and that of your customers, to us in compliance with the GDPR's restrictions on international data transfers.

What is Privacy Shield?


Privacy Shield is a framework agreed between the European Commission, the Swiss government and the US government that lets US companies self-certify that they meet EU and Swiss data protection requirements when receiving personal data from those jurisdictions.

Privacy Shield was created specifically for US companies, so its requirements differ from those that apply to a company operating within the EU.

We are working toward our Privacy Shield certification. Once certified, we will be recognized as providing "adequate privacy protection for the transfer of personal data outside of the EU and Switzerland".

You can read more on the official Privacy Shield website.

For any questions, feel free to write to us at: gdpr@engagebay.com

You can find our privacy policy here and cookie policy here
