Consumer information management

The General Data Protection Regulation (GDPR) is the European privacy law, applicable to all people and companies that use personal data in a professional context. This implies that you must be able to explain what personal data is collected, how it is used and how the data is secured. The GDPR has been applicable since May 2018.

The California Consumer Privacy Act (CCPA) is the Californian bill that enhances privacy rights and consumer protection for residents of California, applicable from January 2020. The bill applies to all businesses that either buy, sell or share personal information of 50,000 consumers or more, or that have a gross revenue above $25M or derive 50% of their annual revenue from sharing personal information.

Personal data is every piece of data that can be used to uniquely identify a person or data relating to an already identified person. It is data that a person has explicitly provided, but also data obtained through third parties or website activity.

The following issues are discussed in this document on Consumer Information Management on Personal Data Processing:

 

Each one of the above topics is explained in detail.

We will refer to the person whose data is collected as the 'data subject' under the GDPR and as the 'consumer' under the CCPA. The client (person, company) collecting and using the personal data is referred to as the 'data controller'. The 'data processor' is Marigold. The tool provided by Marigold is referred to as the CIM tool (Consumer Information Management).

Right of Access by Subject (GDPR and CCPA)

The data subject/consumer shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her is being processed, and, where that is the case, access to the personal data and a copy of that data.

 

PREREQUISITE The data controller must make sure that the data is physically stored (a physical data table - not a database view) on the Marigold platform.

PROCESS A webpage (CIM tool) allows the data controller to look up a specific data subject/consumer by filling out one or more form fields with identifying values. Lookup of a data subject/consumer can be done on all user lists or a subset of user lists (e.g. all lists of a brand).

RESULT Assuming a match is found, a JSON file will be generated by an asynchronous process. This file contains all the user data and linked data gathered in different modules that might be part of the subscription services. Once generated, the file can be downloaded using the same CIM tool.

ARCHIVED DATA

The CIM tool works on both the production and the archived data.

Marigold stores System data and Custom(er) data in separate archive databases to avoid mixing System data with personal data. The data controller can decide whether or not they want to archive any of this data. Logging data is not archived and will be deleted.

BACKUP DATA

To meet database size management requirements, the archive database is regularly moved to a backup disk (tape) for storage.

Backup data is not directly accessible via the CIM tool. If the Data Controller executes a Data Subject/Consumer Request on the production database via the CIM tool, the CIM tool allows tracking of such Data Subject/Consumer Requests. If backup data from the disk is restored on the production database, it is possible to execute the Data Subject/Consumer Request via the CIM tool.

If the Data Controller doesn’t execute a Data Subject/Consumer Request via the CIM tool, it is important that the Data Controller manages the tracking of such CIM requests so that, in case of a restore of the backup data, prior requests may be processed at the moment of restore. The backup data has a maximum retention period of 2 years.

 

Right to Rectification (GDPR only)

The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her.

 

PREREQUISITE N/A

PROCESS Option #1: The data controller has the option of manually updating the data that needs to be rectified on the Marigold Platform.

Option #2: The data controller can automatically push the updates using Marigold data-loading capabilities.

RESULT The recipient's data is rectified.

 

Right to Erasure (GDPR) / Right to Be Forgotten (CCPA)

The data subject/consumer shall have the right to obtain from the controller the erasure of personal data concerning him or her, and the controller shall have the obligation to erase personal data.

 

PREREQUISITES The data controller must make sure that the data is physically stored (a physical data table - not a database view) on the Marigold platform. The data controller must erase the data in its own environment before deleting it on the Marigold platform to avoid data being synced back.

The data controller is responsible for the blacklist table and makes sure that “erased” data is not synced back unless the data subject/consumer has given his or her consent again.
PROCESS The CIM tool allows the data controller to look up a specific data subject/consumer by filling out one or more form fields with identifying values. Lookup of a data subject/consumer can be done on all user lists or a subset of user lists (e.g. all lists of a brand).

RESULT Assuming a match is found, this data subject's/consumer's personal and identifiable data will be removed. This includes all the user data and linked data gathered in different modules that might be part of the subscription services. Marigold will also make sure there are logs on these erasures to ensure that when databases are restored, this data is removed again. These logs will be removed after 30 days.

 

Right to Restriction of Processing (GDPR) / Right to opt out of Sales information (CCPA)

The right to restriction of processing can only be applied under the GDPR by the data subject if one or more of the conditions as defined in Article 18 of the GDPR are applicable (prior objection, data accuracy is contested, etc.).

The data subject/consumer shall have the right to obtain from the controller restriction of processing / an opt-out of Sales information.

Methods by which to restrict the processing of personal data or opt the consumer out could include temporarily moving the selected data to another system where no processing takes place on that personal data, making the selected personal data unavailable to users, or temporarily removing published data from a website.

In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data is not subject to further processing operations and cannot be changed.

 

PREREQUISITES The data controller must make sure that the data is physically stored (a physical data table - not a database view) on the Marigold platform.
PROCESS Option #1: the CIM tool allows the data controller to look up a specific data subject/consumer by filling out one or more form fields with identifying values. If there is a match, a custom OPTOUT value (20180525) is set. Lookup of a data subject/consumer can be done on all user lists or a subset of user lists (e.g. all lists of a brand).

Option #2: the data controller can set up an exclusion segment that can be used for each channel allowing the data controller to add data to its segment and use this exclusion segment in each target group for that channel.

Option #3: if a separate optout has been implemented by the data controller for each channel, the data controller can modify the optout manually for a specific channel.
RESULT Option #1: Recipient is excluded from all communication until the custom optout is lifted.

Option #2-3: Recipient is excluded for a specific channel.

COMMENT Right to restriction of processing is not applicable to storage. Therefore, archived data is out of scope as far as the right to restriction of processing is concerned.

 

Notification Obligation (GDPR only)

The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

The controller shall inform the data subject about these recipients if the data subject requests this.

 

PREREQUISITES The data controller has executed the rectification, erasure or restriction of processing.
PROCESS N/A
RESULT The data controller notifies the data subject. The data controller must make sure that, by notifying the data subject, it does not keep the data in breach of the data subject’s request.

 

Right to Data Portability (GDPR only)

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

 

PREREQUISITES The client must consult and execute the prerequisites and process described in the “right of access” section.
PROCESS After executing the “right of access” process, the data controller retrieves the data subject's personal data in the generated JSON file and combines it with all other information gathered on the data subject. It is up to the data controller to filter out the data that is required to be ported to another controller as the JSON file will often contain too much information.
RESULT The data controller transmits the data to another controller.

 

Right to Object (GDPR only)

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

 

PREREQUISITES N/A
PROCESS The data controller will check the content of the objection and act upon it.
RESULT Depending on the subject matter of the objection, a specific data subject right process can be executed.

 

Automated Individual Decision-Making (GDPR only)

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

 

PREREQUISITES N/A
PROCESS N/A
RESULT N/A

COMMENT Automated individual decision-making which produces legal effects or similar effects is not available on the platform. The platform's Machine Learning functionality allows automated processes based on profiling to a certain extent, which then trigger targeted promotions, but it does not include automated decision-making which produces legal effects for a person, as such profiling is applied to drive direct marketing.

 

 

Check out the CIM tool walk-through here.