Growmatik – The General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) took effect on the 25th of May, 2018, and Growmatik offers features that help you completely comply with this regulation.

Data collection is common for most businesses that run online revenue streams, and GDPR governs rules on how to store and manage someone’s data. For an online business to keep a record of customers and build effective marketing strategies, you will need a data processor like Growmatik, which stores customer data securely and runs marketing campaigns. Here we will learn about the following topics:

How to Be GDPR Compliant Business?

Please note that when we talk about being GDPR compliant, we only talk about the features offered within Growmatik and not all of your business data flow. So you must consult with a legal expert to make sure your whole data process follows the terms.

What GDPR Is Trying to Protect

GDPR requires any business that collects personal data to follow four essential matters :

  • Get consent
  • Store securely
  • Export personal data when asked
  • Right to be forgotten when asked

“Personal data” according to GDPR, has a broader definition.

Any data point associated with a person, whether alone or in combination, is considered personal data. 

This includes the visitors: 

  • Name
  • Physical address
  • Demographic data (age, location, etc.)
  • Email address
  • IP address

While you should always get explicit consent from everyone you send emails to in Growmatik, the way to get and record consent for people in the EU is a bit different.

Growmatik has built-in features to help you gain and record consent through your opt-in forms. This consent checkbox is present in the following areas : 

  1. In Popup’s Form element
  2. In the WordPress checkout form
  3. In Growmatik Open API as contact predefined attribute
  4. Embed forms (coming soon)

Growmatik offers this consent in every built-in feature. If you would like to import your contacts from other platforms, you should know the responsibility of mapping their consent to the predefined attribute while importing.

Growmatik records the consent checkbox intent within the user’s predefined attributes so you would be able to filter customers in automation who have explicitly provided their consent.

In Growmatik, a person can hold one of the following consent statuses: granted, rejected, or unknown. 

Someone’s consent status is not static and immediately updates based on their most recent consent action. This means that if someone previously granted consent fails to do so when subscribing in the future, we will update their status to Rejected.

Once someone’s status is set, Growmatik records it in the customer profile.

If a customer’s consent status does not get recorded, we’ll set their consent status to unknown. Other common ways a person’s status becomes unknown are when they’re created through a third-party integration or you have imported contacts without mapping a respective column to the EU consent attribute.

Store Personal Data Securely

You must protect the user’s personal data adequately.

If a user does consent to your storing and processing of their personal data, you are obligated to make sure that that data is securely stored and protected. According to the GDPR, businesses should appoint a Data Protection Officer (DPO), who ensures adequate security for personal data.

It simply states that DPOs are required for companies that process large amounts of personal data, so smaller eCommerce stores should be in the clear.

However, it’s still crucial that you have someone in your organization who controls data protection.

Exercising Peoples’ Data Subject Rights

The GDPR grants several rights to EU residents regarding their data. While it is your responsibility as the controller to exercise these, you may need assistance from Growmatik to do so, depending on the request. Please note that, as a data processor, we can only assist on behalf of people on your list if the Growmatik account owner directly requests it via the app dashboard -> support section. People on your list are not allowed to reach out to Growmatik directly.

Right of Access and Portability (GDPR Article 15)

A person may request access to all data you have stored on them, including data stored in Growmatik.

If you receive a legitimate request for this from someone on your list, you may contact our support team. We will export every data we possess from that person and send it to you.

Right of Rectification (GDPR Article 16)

People from the EU have the right to update the information you have stored on them. You can update their personal data from Growmatik -> People page. If you still need help with anything, you can always contact us.

Right to Be Forgotten (GDPR Article 16)

A person may request to have all data you have stored on them erased, including data stored in Growmatik.

If you receive a legitimate request for this from someone, contact our support team to have the complete deletion of their data expedited.

Right to Restrict Processing (GDPR Article 18)

A person may request that their data no longer be processed by you.
If you receive a legitimate request for this from someone on your list, contact our support team to delete their data and prevent their information from being processed.

Right to Object to Processing (GDPR Article 21)

Not to be confused with the Right to Restrict Processing, this article relates to the legal basis on which you collect their data (for example, if that legal basis is something other than that person’s consent).

This objection will most likely be focused on you as a controller, not Growmatik as a processor. As such, you will need to involve your legal counsel to determine the legitimacy of the person’s request and facilitate a resolution with them.

Current Growmatik Sub Processors

Below you can find our current list of subcontractors for sub-processing personal data covered by the GDPR under agreement. 

  • Amazon Web Services
  • Atlassian
  • Cloudflare
  • Sparkpost
  • Dropbox
  • G2
  • Google
  • Facebook
  • Shopify
  • Slack
  • Stripe
  • Zoom
  • Marketo

Is an Abandoned Cart email GDPR compliant?

The answer is unclear; however, many organizations believe you can still send abandoned cart emails without explicit consent for marketing communications based on legitimate interest. For example, you may be able to consider an abandoned cart email as a communication relevant to the explicit intent to complete a transaction with your business.
That said, the applicability of legitimate interests or any other legal basis will depend on the particular circumstances, including, for example, the number and frequency of emails and the amount of time that has elapsed since the cart was abandoned. Therefore, we strongly recommend that you consult your legal team about your email campaigns to confirm they comply with applicable law.

Where Does Growmatik Store Data, and Does Data Storage for European Customers Transfer to Growmatik?

Growmatik stores customer data in Amazon Web services data centers that are located within the United States of America. That being said, It’s legal for European customers to transfer their data to Growmatik. The GDPR recognizes some legal mechanisms for transferring data out of the EU. Following the invalidation of the EU-US Privacy Shield Framework, Growmatik has incorporated the European Commission’s Standard Contractual Clauses into our Data Protection Addendum. We recommend consulting your legal team to determine the appropriate transfer mechanism for any data transfers your organization may make.

GDPR also requires you to get cookie and tracking consent before collecting “Personal Data”’ while they are visiting your site. As Growmatik also offers website tracking, personalization, and other features on your website, you will need to get explicit consent before storing cookies and/or tracking personally identifiable data.

Growmatik does not offer cookie consent for your website as you may have numerous scripts intended to store cookies and collect identifiable data. You must install plugins that are offered for this purpose which would selectively block scripts from tracking and storing. If your site visitor declines accepting the cookie consent we will not be able to track user activity.

Depending on your platform (WordPress, Shopify,..) you can search for such addons that offer cookie consents for your website.

Was this article helpful?YesNo