
GDPR Compliance

Our approach to GDPR compliance and how we protect your personal data

GDPR (General Data Protection Regulation) has applied since May 25, 2018. Here's what Diversis Digital has done and is doing to comply with the regulation, and what Diversis Digital clients need to know about GDPR.

What is Diversis Digital doing to comply with GDPR?

Diversis Digital sets out to meet all the GDPR requirements that relate to protecting the privacy concerns of our app clients, website and blog visitors, as well as email lists subscribers.

Here is our compliance checklist, with the current status of each item:

  • familiarise ourselves with the full text of the regulation (COMPLETED)
  • attend training sessions (COMPLETED)
  • nominate a Data Protection Specialist (COMPLETED)
  • map the data flows at Diversis Digital so that we can identify where personal data is stored within Diversis Digital (COMPLETED)
  • assess the risk of a data breach or any other security incident at our company (COMPLETED)
  • make necessary changes to our Privacy Policy, Cookie Policy and Terms of Service documents (COMPLETED)
  • make a list of all the business areas that need to be taken care of to comply with the regulation (COMPLETED)
  • implement necessary changes in our business to make sure all staff comply with GDPR when sending emails from Diversis Digital (COMPLETED)
  • make a list of all the areas on the website and blog that need to be taken care of to comply with the regulation (COMPLETED)
  • implement necessary changes to the website and blog to make sure they abide by all the GDPR rules (COMPLETED)
  • make sure the personal data of Diversis Digital clients and email lists subscribers are protected (COMPLETED)
  • educate the clients about GDPR in relation to email outreach (COMPLETED)
  • prepare a GDPR compliance statement (COMPLETED)
  • define procedures for responding to a data breach (In Progress)
  • ensure we provide customers with a secure system for data transfer (In Progress)

What kind of a role does Diversis Digital have in data protection?

In GDPR terms, Diversis Digital acts as:

  • data administrator (the GDPR term is "data controller") in relation to Diversis Digital clients and email list subscribers
  • data processor and sub-processor in relation to the data subjects whose personal data our clients upload to the third-party systems offered by Diversis Digital and use in emails sent from those systems

This means that, as a company, we take on the following obligations:

  • Diversis Digital needs to inform its clients and email list subscribers whenever a third party takes part in processing their personal data.
  • Diversis Digital is obliged to immediately inform the data administrator (the client) whenever a person from the client's prospect list asks Diversis Digital to stop the marketing communication.
  • Diversis Digital openly informs about the 'right to be forgotten' and the 'right to assist in data deletion' on request. As a Diversis Digital client or email list subscriber, you may request that your personal data be changed or deleted. Detailed instructions on how to exercise those rights can be found below in the section 'Adequacy, relevance, limitedness'.
  • Diversis Digital undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy, and confidentiality practices of proposed sub-processors that will or may have access to or process Service Data. Please find a list of all suppliers we have checked in our GDPR Supplier Check.

Why is there a need for GDPR?

Before GDPR, EU data protection rules (the 1995 Data Protection Directive) had not been substantially updated for over two decades. There are at least two reasons why the EU legislature decided to replace the existing data protection rules:

  • Technological progress has a global reach: personal data processing is so ubiquitous in today's online sphere that the old rules had become obsolete
  • Answering the needs of EU citizens: according to a 2011 Eurobarometer survey, 75% of respondents wanted to be able to exercise the so-called right to be forgotten, and 90% believed that the rights concerning personal data protection should be the same across the EU (source).

What kind of information falls under its protection?

GDPR protects natural persons and their rights. It does not protect legal persons such as businesses, entities, or organizations, or the processing of data about them. Note, however, that information about an identifiable individual at a business (for example a named employee's work email address) is still personal data.

It governs the processing of personal data, such as name, age, address, and phone number, but also indirect identifiers, including factors specific to a person's physical, physiological, genetic, mental, economic, cultural, or social identity. In short, any information on the basis of which an individual can be identified, directly or indirectly.

What does 'processing' mean?

'Processing' relates to personal data "collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction," as in Article 4 (2) of the regulation.

What are the principles of lawful data processing?

To process personal data safely and legally under GDPR, you should abide by the principles set out in Article 5 of the regulation: lawfulness, fairness, and transparency; adequacy, relevance, and limitedness (data minimisation); accuracy; storage limitation; and integrity and confidentiality.

Below you will read about how Diversis Digital abides by those principles and what actions you should, or shouldn't, take to use Diversis Digital in accordance with GDPR.

Lawfulness, fairness, and transparency

As the data administrator of its clients' and subscribers' data, Diversis Digital remains transparent and lawful when processing that data. All Diversis Digital clients and subscribers are notified during signup that the personal data they provide will be processed in the ways specified by the Terms of Service and Privacy Policy.

As a data administrator, you should make sure your actions are transparent and that the purpose of processing the data is legitimate. This means you should always be able to demonstrate that you had a lawful basis for processing the personal data of individuals in the EU. You also need to be able to describe the whole process by which you obtained the personal data you use.

Adequacy, relevance, limitedness

As a data processor, Diversis Digital processes only the data necessary in relation to the purposes for which it is processed. We do not collect or process any special categories of personal data (Article 9), such as racial or ethnic origin, political opinions, religious beliefs, or health data.

Diversis Digital processes its clients' data as long as they have a Diversis Digital account (either a trial account or a premium account) or until they express their wish for their personal data to be removed from our client base.

Diversis Digital clients can also request deletion of their data by contacting the support team at support@pointvisible.us.

How we apply GDPR to cold email campaigns

If Diversis Digital decides to contact an individual in the EU who has not been a Diversis Digital client or email list subscriber, we will do so only if we have a clear reason to claim that the contact is relevant to our business purposes and, at the same time, could be beneficial to the contacted person.

If a person asks us to stop contacting them, Diversis Digital will always respect that request and stop further contact immediately.

As a data administrator, you can process the personal data of individuals in the EU who have given you consent to do so, for example by subscribing to one of your mailing lists. GDPR does not forbid cold emailing, though: it can be conducted on the basis of legitimate interest (Article 6(1)(f)), as long as you follow the data processing rules described in the regulation. Bear in mind that national electronic-marketing rules deriving from the ePrivacy Directive may impose additional restrictions on unsolicited email in some EU countries.

If you decide to contact a person who has not subscribed to email correspondence and has not been in any business relationship with you before (a cold email), you should have a clear reason to claim that the contact is relevant to your business purposes and, at the same time, could be beneficial to the contacted person. If you place an offer in your cold email, the offer should be logically connected to the specifics of your prospect's business.

You are required to inform your cold email recipient that you are processing their data and how you process it. The email should also contain clear and easily accessible information about how the prospect can request a change to, or removal of, their personal data.

You are obliged to immediately stop contacting prospects who have expressed their wish not to be contacted again. If a prospect demands that their data be removed from your contact lists, you are obliged to remove it (in accordance with the right to erasure, the 'right to be forgotten').

You should process only the personal data that are necessary in relation to the purposes for which you process it. That means you should remove from your contact base all the personal data that are irrelevant to your email campaign, or be able to justify why a specific type of data is necessary for the goal you are trying to accomplish.

Storage limitation

Diversis Digital will keep each client's personal data no longer than is necessary for the purposes for which the personal data are processed. Each data subject can also ask us how long their data will be retained.

As a data administrator, you need to make sure you don't keep your prospects' personal data longer than is necessary for the purposes for which the personal data are processed.

In the case of cold email campaigns, you shouldn't process a non-responsive prospect's data for longer than can reasonably be assumed necessary, namely one month after you first tried to contact the person. This means you should always keep your prospect base up to date.

If you have any questions about our GDPR compliance, please contact our support team for assistance.

Last Updated: June 2023