The following is our, Sendmate’s, very own take on the GDPR (DSGVO in German), as we interpret it, as of the date of publication. Please note that we, Sendmate, make no warranties, expressed or implied, as to the information on this page. Instead we very much encourage you to seek legal advice and counsel from trained and certified professionals. You may copy and use this information for your internal, reference purposes only.

We first learned about the GDPR at the tail end of 2017. Since then we have spent a lot of time reading, researching online and talking to lawyers and other startups about it, and we have thought about and discussed the rules, their intent and meaning at length, as well as how we can best accommodate them through our service. In the end we believe we have acted not only responsibly, but with great care when it comes to handling, storing and processing all of our clients’, their fans’ and customers’ data.

What is GDPR?
The EU General Data Protection Regulation (Wikipedia, actual legal text), GDPR for short, replaces the 1995 EU Data Protection Directive (Wikipedia, actual legal text) and will come into effect on 25 May 2018. Its main purpose is to strengthen the rights that European citizens have regarding personal data relating to them and to unify data protection laws across Europe, regardless of where that data is collected, processed or stored.

If your business is based in the European Union (EU), or you process the personal data of EU citizens, the GDPR affects you. Essentially it obliges you to obtain freely given, specific, informed, and unambiguous consent from your fans, users or customers. You must also clearly explain how you plan to use their personal data and only ever ask for what is truly used to better their experience with your service. Finally, your subscribers must be able to easily send you a request to download, change and even completely remove all their personal data from your account.

With those ground rules in mind, please read on to find out how we, Sendmate, comply with GDPR and how we are committed to providing a genuinely safe, conversational and overall awesome experience for everyone interacting with our Messenger experiences.

What is Sendmate doing to comply?
Sendmate is based in Vienna, the capital of Austria, which is sometimes referred to as the heart of Europe. Austria has been a European Union (EU) member state since 1995. Regardless, we believe firmly in user privacy and data protection as a matter of principle and hence are applying the GDPR rules, recommendations and best practices across all of Sendmate, as processors of personal data, on a global basis. This means that, as a client, you share data with us in order to use our service. We do not own your data, nor do we combine your data with someone else’s. We do not share or sell your data. Most importantly, we happily delete all data from our servers and backups upon your instruction and without undue delay. Furthermore, we have implemented all legal, technical and organizational measures in order to ensure maximum data privacy and security in compliance with GDPR:

From a legal standpoint, our Terms of Use, Privacy Policy as well as our Cookie Policy are fully GDPR compliant. Everyone wishing to continue using Sendmate after the 25th May 2018 must accept those terms on or before that date.

In addition, we require every Facebook page administrator using Sendmate’s services to sign our Data Processing Agreement, which can be found here.
Please print and sign it, then send it to us via privacy@sendmate.io - thanks!
Similarly, we made sure that we have the appropriate agreements in place with each of our data sub-processors such as cloud service and analytics providers.

On the technical front, our team of experienced engineers is using state-of-the-art security measures and following best data protection practices.
On the organisational side, we have established internal checks and created a dedicated role to oversee and manage all data and privacy protection initiatives and to ensure 100% compliance with all the recommended GDPR best practices.

Q: What is personal data?

Any information relating to an identified or identifiable natural person. In the US the term Personally Identifiable Information (PII) is commonly used to mean the same thing. Essentially, an identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as name, email address or location, as well as online identifiers like IP address, types of website cookies and other device identifiers.

Q: What are data controllers, processors and sub-processors?

A data controller is the one in charge of the data: the one that primarily collects data and exercises ultimate control over it, i.e. decides what should happen with this data. For example, Sendmate is a data processor, whereas our clients (Facebook page administrators), on whose behalf we process data, are the controllers in relation to their users with regard to the GDPR.
Data processors provide services to the controller in accordance with each controller's instructions. Finally, sub-processors, or third-party businesses performing data processing for other companies, are also accountable for the protection of personal data, according to the GDPR.

Q: Does the GDPR require EU data to stay (be hosted/stored) in the EU?

No, however the following rules apply under the GDPR for international data transfers:
Contractual standards determined by the European Commission are in effect between the two parties. For more information please visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
Transfers within international corporations into countries not covered above can alternatively be OK in case of applicable Binding Corporate Rules (BCR). For more information please visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en
Data exports / transfers into EU member states and countries within the European Economic Area (EEA) are all bound by the GDPR.

In addition, the European Commission counts the following countries as ones that uphold similar data protection standards as within the EU. These are (as of October 2017): Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, the Jersey Islands, New Zealand, Uruguay and the USA as long as the US company in question has a Privacy Shield certification. For more information please visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en and for the full list please consult: https://www.privacyshield.gov/list
Outside of the above countries, a few exceptional rules apply.

Q: Does GDPR apply only to the EU residents’ personal data?

GDPR covers anyone handling EU residents’ data as well as any other citizen’s data to the extent an EU-established entity processes such data in the EU.

Q: Does the GDPR only apply to EU countries / members?

No, GDPR can apply any time personally identifiable information of any EU resident is stored and processed. Therefore, it does not depend on the physical location / territory. Also, European legal entities are subject to GDPR regardless of where personal data comes from.

Q: How do I handle user data deletion requests?

In case your users ask you to delete their personal data, please note that you can delete them from your audience table on your Sendmate dashboard by first clicking the little cogwheel on the right-hand side, then selecting the relevant user and finally hitting delete and confirming the action. Please also note that you must contact us immediately via privacy@sendmate.io so that we can remove any backups of their data.

Q: Will I be able to continue using Sendmate after the 25th May 2018 and rest easy in the knowledge that I’m in compliance with GDPR requirements?

Yes, to the first part of that question, as long as you have accepted our Terms of Use, Privacy Policy and our Data Processing Agreement. Additionally, and in answer to the second part of your question, we recommend that you talk to your legal counsel.

Additional Resources
Seeing as we have built Sendmate on top of the wonderful Facebook Messenger platform, please also refer to Facebook’s GDPR Portal as well as their GDPR guidance from the Messenger Platform for additional resources and FAQs.

If you have any additional questions or concerns, please let us know by writing to us via this email address: privacy@sendmate.io

Thank you and all the very best,
Your friends at Sendmate