The EU's General Data Protection Regulation (GDPR) sets a new standard for how companies use and protect the personal data of people in the EU. It took effect on May 25, 2018. The Schrems II judgement of July 16, 2020 later changed how companies have to handle transfers of that data outside the EU.
At Zinrelo, we’ve worked hard to comply with GDPR, to ensure that we fulfil its obligations and maintain our transparency about customer messaging and how we use data.
In GDPR terminology, Zinrelo clients who launch a loyalty program for their end customers are data controllers: they decide what data is collected from the end customer and for what purpose. Zinrelo is a data processor that processes that data only when explicitly instructed by the data controller. Note that Zinrelo stores EU customer data on servers in the United States, so every such engagement involves an international data transfer under GDPR.
We worked with our teams and lawyers to figure out how to convert GDPR legal provisions into tangible actions. We’ve been asking lots of questions, and our clients have been asking us questions.
Here’s an overview of GDPR and how we, at Zinrelo, are ensuring GDPR compliance:
The EU General Data Protection Regulation ("GDPR") is a comprehensive data protection law that came into effect on May 25, 2018. It replaced the earlier EU Data Protection Directive (95/46/EC) to strengthen the protection of "personal data" and the rights of the individual. It is a single set of rules that governs the processing of personal data relating to people in the EU.
Yes, most likely. If you hold or process the data of any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.
Yes. All EU clients are covered by a Data Processing Addendum that incorporates the Standard Contractual Clauses (SCCs) adopted by the European Commission on June 4, 2021.
Before the Schrems II judgement, the EU-US Privacy Shield Framework, approved by the European Commission on July 12, 2016 (with a parallel Swiss-US framework), was an accepted mechanism for transferring personal data from the EU to the United States. EU and Swiss companies relied on it when sending data to US companies that hold EU data on servers in the US.
However, on July 16, 2020, the Court of Justice of the European Union declared invalid the European Commission's Decision (EU) 2016/1250 of July 12, 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield Framework. This is the Schrems II judgement. The Court left the standard contractual clauses in place as a transfer mechanism, but only where the data exporter has verified, case by case, that the law of the destination country does not undermine the protection the clauses promise, and has put supplementary measures in place where it does.
Following the judgement, on June 4, 2021, the European Commission published the final version of its modernised standard contractual clauses ("SCCs"), which reflect the requirements of the GDPR and of the Schrems II judgement. These SCCs cover, among other cases, data transferred from a controller in the EU to a processor in a non-EU country such as the USA. The SCCs are the contractual basis for such transfers; the case-by-case assessment of the destination country's law required by Schrems II remains part of the obligations of the controller and the processor.
Our teams have worked hard to comply with GDPR. There has been a massive overhaul of processes to make sure we’re meeting our legal obligations, and doing the best thing for our clients while still letting us move fast, scale and build great products.
Here are the main things we have done to ensure that we are setting ourselves and our clients up to meet GDPR obligations:
Our teams have built the necessary features that will enable our clients to easily meet their GDPR obligations.
Zinrelo can help you meet the data portability and erasure requirements of GDPR. You can export all of your data, or the granular subset linked to an individual, and permanently delete all data linked to an individual user.
- adds new choices for users to manage their privacy, and
- provides more details about data collection and your choices.
Strong data protection commitments are a key part of GDPR's requirements. To clearly set out our obligations to our clients as a data processor, we have added a Data Processing Agreement (DPA) to our Terms of Service. The DPA states our privacy commitments and sets out the terms under which Zinrelo and our clients meet GDPR requirements. It also incorporates the Standard Contractual Clauses adopted by the European Commission on June 4, 2021, which cover data transferred from a controller in the EU to a processor in a non-EU country such as the USA.
We have a dedicated Data Protection Officer to oversee and advise on our data management. Get in touch by emailing [email protected].
We have reviewed our vendors and arranged GDPR-ready data processing agreements with them.
Data security is a priority for us. We have regular external audits, penetration tests, and a bug bounty program.
Zinrelo has a SOC 2 Type 1 report. System and Organization Controls (SOC) are developed by the American Institute of CPAs (AICPA). SOC 2 defines criteria for managing customer data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type 1 report attests that the controls in scope were suitably designed at a point in time; a Type 2 report additionally tests that they operated effectively over a period. Zinrelo's SOC 2 report indicates that Zinrelo follows recognised standards for protecting customer data.
Zinrelo also maintains a detailed Information Security Policy to ensure best practices for the protection of data. While we do not hold an official ISO certification, our Information Security Policy is modelled on the requirements and guidelines of ISO 27001 and ISO 27002. A copy of our Information Security Policy document is available upon request.
We are working hard to help our clients and prospective clients be GDPR compliant. Feel free to reach out to us at [email protected] if you have any questions about GDPR – we would be happy to chat about it.
Add the following verbiage or something similar to clearly indicate to your users that you are using Zinrelo as a data processor for your loyalty program and passing information to Zinrelo. We recommend adding this verbiage in the section “Will my personal information be shared?” or “Do you plan to share my personal information?”
Add the following verbiage to your Terms of Service to let your users know that when they log in or register on your website, the rewards program is an integral part of your site's offering, and that the program is powered by Zinrelo. This removes the need for a separate opt-in for the rewards program: when users explicitly accept your Terms of Service, they also accept the terms of the rewards program, because that program is an integral part of your site. Every user, whether already registered or newly registering, should be sent the updated Terms of Service. Note that GDPR requires consent to be freely given and specific, so if consent (rather than performance of a contract or legitimate interest) is the legal basis you rely on for the program's data processing, acceptance of general terms may not be sufficient on its own; document the legal basis you rely on and confirm it with your counsel.