Below are the tools Táve has put in place in order to help our users be compliant with the EU's General Data Protection Regulation law that goes into affect May 25, 2018.
All contacts in your Táve address book now have two fields to specifically indicate whether that contact is subject to Europe's GDPR and requires strict privacy as well as opt-in to your marketing and processing. You can find and edit these values manually by editing the profile of a contact in your address book.
Contacts from the European Economic Area must opt-in to receive any marketing communication or to have their personal information used in a way that goes beyond the reason that they gave you their personal information in the first place (for instance, if a European submits a request for information about a wedding, you can't later send them a message about a special offer or email them about a portrait session without their explicit permission). In addition, the opt-in form cannot default to opt-in and you must record exactly what you said to them and the wording of their opt-in acceptance.
We've designed two new features to meet these strict opt-in requirements:
Opt-in Specific Contact Form Field
All Táve contact forms now have a field you can add that allows your clients to opt-in at the moment of inquiry on your contact form. You can head to Settings › Contact Forms to enable this field.
You can edit the label as well as the text of the options but we provide some text to help you get started. Be aware that you must describe exactly what you want to do with their personal information and how you intend to contact them.
Opt-in Specific Questionnaire Field
In addition to the contact form field, there is now an advanced form field for Privacy Opt-In. This field automatically binds to the recipient of the questionnaire. Much like the Contact Form field, we provide text to get you started but you can edit the label and options to what you need.
Strict Privacy refers to privacy requirements more restrictive than found in the U.S., such as the requirements enumerated in the European GDPR.
As with the the Marketing Opt-In field on the address book profile, every contact in your Táve address book has a checkbox to indicate if that person is subject to strict privacy.
It can be set manually by you by editing the address book profile. Táve will however set this value automatically if a contact has an email address that ends with
.eu or an EEA country code extension (i.e.
.de ) or if their address is in one of the EEA countries (i.e. France or Germany).
Messaging Contacts who have opted out and are subject to Strict Privacy
If a contact has opted out of your marketing and is subject to strict privacy, we'll display a little reminder when composing a message to them:
Privacy Compliance Log
On the overview tab of an address book contact there is a box for
Privacy Compliance. This box appears for contacts who have opted in or out of your marketing as well as if Strict Privacy was enabled due to the criteria mentioned above:
In addition to explicit marketing opt-in, GDPR requires the business to provide a way for the client to take the "personal information concerning them, which they have previously provided in a 'commonly used and machine readable format' and have the right to transmit that data to another controller."
You can do this by using the 'Export vCard' button on the contact's address book profile.
The Right to Be Forgotten
Another major requirement for GDPR compliance is the right to be forgotten. This entitles your clients to request the erasure of his/her personal data. See Article 17 of GDPR for more information.
While Táve has always had the ability to purge contacts or jobs from the system, which complies with the right to be forgotten, we've created a middle-ground tool that anonymizes the contact while keeping your history and financials intact.
If your client requests that you erase their personal identifying information from your account, you can do so by going to the contact's address book profile and use the 'Anonymize' button. In addition to the single contact anonymize button, you can also do so in bulk from your address book lists by selecting the contacts you wish to anonymize and using the bulk action that appears.
You'll be presented with a warning screen showing the contact(s) you're about to anonymize as well as a detailed description of what will and will NOT be erased. Certain data is excluded from the 'right to be forgotten' due to legitimate business interests.
Your contact will now appear throughout Táve as
[redacted]. Their personal information is gone forever but their jobs and financial data remain intact for your reporting purposes.
WARNING: This cannot be undone. It's extremely important to remember that the right to be forgotten means that the data is permanently and irrevocably erased.
Right to Prompt Personal Data Breach Notification
The last of the major new rights introduced by the GDPR is the right to receive timely notice, within 72 hours, of any data breach resulting in the loss of personal data of a European. Táve takes data and system security very seriously. In the unlikely event of a qualifying data breach (there are some exclusions, such as when the stolen data is encrypted), our own compliance with the GDPR requires us to notify you within this window so you can then in turn notify affected contacts.
Cross-Border Data Transfer
The GDPR requires any company that receives personal data of Europeans to be bound by no less than the requirements of the GDPR. Since Táve's servers are located in the United States, which does not have laws matching the GDPR, you must execute a contract with Táve to ensure that we handle the data in accordance with the GDPR. Unlike the Táve Terms of Service, both parties must sign the agreement.
If you receive the personal data of any European, no matter your location, you must download and execute the Táve Data Processing Addendum, which contractually obligates us to comply with the GDPR by adding the Model Clauses and other contractual language to our standard Terms Of Service. All of the third-party subprocessors Táve uses to handle personal data are bound by similar DPAs.
Táve is Privacy Shield Certified.
This discussion of the GDPR is not legal advice. Please consult a lawyer if you have questions about the GDPR and your business.