The MTMO General Data Protection Rules Policy
May 25, 2018.
MTMO is a digital advertising and marketing platform with SEO capabilities. As such we process, share and control client data on their behalf as a result of contracts they enter with us for our services. Those clients give us authority to do so.
As MTMO is a digital platform, end users looking for information about our clients’ businesses, services, communities or community projects enter the site to search, and as they search they activate a cookie banner that asks for permission for us to collect certain data about them via their movements around the MTMO platform.
As a business we work with other businesses and clients and as such the General Data Protection Regulation (GDPR) (the EU’s new regulation) applies to us. The GDPR is a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organisations like ours to deal with that data in a transparent and secure way. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes the data of EU citizens.
If you have any questions about our GDPR Policy, please contact the MTMO team at firstname.lastname@example.org
- Example to assist the understanding of GDPR and how it affects you
To help you understand what that means we have broken down the core definitions.
If John is an EU citizen and a contact of ours, he is known as the ‘Data Subject’ from the GDPR legislation point of view.
We at MTMO are known as the ‘Controller’ of that data.
The MTMO platform would also be known as the ‘Processor’ of John’s data in accordance with the services we offer to him, but it also means that John’s customers, who may choose to reach out to him through the direct messaging service offered by MTMO as part of our service offer to him, also become ‘Data Subjects’ to us and John.
We may also electronically store John’s data in files on computers/servers whilst he is a client of ours so that we may deliver the services he has contracted us to do. This would be another way we ‘process’ John’s data.
With the introduction of GDPR, ‘Data Subjects’ like John are given an enhanced set of rights, and controllers and processors like MTMO, an enhanced set of regulations.
What we have to think about
As a Processor we have legal obligations to the Data Subject.
Withdrawal of consent (or opt out)
Modification of Data
MTMO Security Measures
What it means
This means we need to have a legal reason to use John’s data.
That reason in MTMO’s case will normally be through consent (he opted in by accepting our services) with notice (he was told what he was opting into), performance of a contract (e.g. he’s our client and we want to send him a bill for the services we have agreed to supply by agreement between us and him and that involves creating MTMO web pages that tell the world what his business or community does).
Or what the GDPR calls ‘legitimate interest’ (e.g. John is a customer, and he has agreed to the products and services and how we send/deliver them to him, even if they are additional services/products to the ones he originally contracted/signed up for and currently receives).
We need to be able to track that reason (also known as ‘lawful basis’) for a given contact – which in our case will be clients who sign up for our services/products through a string of emails and telephone calls or via direct messages from the MTMO platform.
We also provide a service to John through his MTMO pages for his potential customers to send him direct messages; this will be their decision and a lawful basis, but it also means MTMO processes that data as part of a service offered to John.
The most important type of ‘lawful basis’ would be processing data with consent and proper notice.
In order for John to grant consent under the GDPR, a few things need to happen:
– He needs to be told what he’s opting into. That’s called ‘notice.’
– He needs to affirmatively opt-in (pre-checked checkboxes will no longer be valid). John filling out a form alone will not implicitly opt him into everything we as a company send/deliver/share.
– The consent needs to be obvious, which means it needs to cover the various ways we process and use John’s personal data (e.g. marketing, provision of our contracted services on his behalf, email or sales calls). We must log auditable evidence of what John has consented to, what he was told (notice), and when he consented.
John needs the ability (as a ‘Data Subject’) to see what he’s signed up for, and he can withdraw his consent (or object to how we process his data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.
Just as John can request that we delete his data, he can also request access to the personal data we have about him.
Personal data is anything identifiable, like John’s name and email address. If he requests us (as the controller) to provide a copy of the data we hold on him, we must do so in a readable format.
John can also request to see and verify the reasons and lawfulness of us processing his data.
John can also ask us to modify/update his personal data if it’s inaccurate or incomplete. If and when he does, we need to be able to accommodate his modification request.
The GDPR provides for many data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymisation and anonymisation.
How does MTMO process and control data
MTMO will engage with their clients like John on a contractual basis, where we offer services that include distribution of information and data about John’s business as part of an agreement that he agrees to with us BEFORE we undertake any work or process the data he provides willingly to us.
It would be John who requests our services and invites us to contract with him.
At all times John will be reminded that the GDPR rules apply and will be prompted to confirm his understanding.
Automated tracking of information on the MTMO website will be through SEO & Analytic reports and will be shared with clients like John as part of the contract he makes with us at the outset. These will be accessed via a secure client login.
For direct messaging by John’s customers from his MTMO web pages (Controller & Processor), the data will be kept and included in the analytic reports. When John receives a direct email to his own business email through his MTMO web pages, he will become the ‘Data Controller’ for that potential customer and he will become subject to the GDPR rules himself as a data controller and potential data processor. John would then have to adopt his own GDPR policy to comply with the legislation.
The most common ways MTMO collects data will be:
– Messaging services
– Telephone calls
– Networking events
These are the different channels in which John chooses to engage with us. The same could apply to end users of the MTMO platform. In each case we will provide proper notice to John, for example before he provides information to us by using text boxes on forms, and collect the appropriate consent when he’s ready to grant it.
We will also add links to additional notice provisions (like privacy notices, T&C’s where applicable) via hyperlinks in forms where necessary. Once John submits his information, we will store a copy of the notice that he was provided with, the information he provided consent for, and the date of the interaction.
We’ll make this level of consent tracking available for other forms of contact too – usually through the client dashboard or analytics/SEO reports.
Any MTMO pages that involve a subscription of services (emails/newsletters/core MTMO products etc.) will support the needs of the GDPR. In other words, John will be able to opt in to the types of communications/services he wants to receive from MTMO.
In the case of responses by the public using the MTMO Platform, we will ensure that the user is made aware of GDPR before they leave a message online (say as a blog response) and confirms that they opt in and understand the implications of leaving a response.
For example, John can withdraw his consent from receiving certain communications from us – telephone calls, emails, newsletters – but as a client he would also be subject to his contractual obligations (T&C’s) with us, which will depend upon what he agreed and signed up for at the outset in terms of the services we agreed to provide under that contract.
For any MTMO free subscription preferences pages, John and all end users of the MTMO platform will be able to opt out at any time and this can be done through email via email@example.com if there is no set form or opt out tick box scenario on a particular page. Any emails and newsletters sent via Mailchimp or other automated email programme will have opt out/unsubscribe buttons to activate.
In terms of emails sent personally from one of the MTMO Team, a clause within their email signatures invites a recipient of an email to confirm by return email that they do not wish to receive any further emails from the writer or anyone else at MTMO.
At other times on MTMO web landing pages, there will be specific invitation tick boxes for opting in or out of receiving specific MTMO contact.
Throughout the sign up process by MTMO clients for contractual services and the provision of their information for the purposes of MTMO performing their duties under any contract made with them, reminders regarding the processing and controlling of data under GDPR will be made obvious.
A ‘Cookie’ banner will pop up every time a new end user uses the MTMO platform so that they can consent or not.
MTMO Privacy and Cookies Policy offers further explanation on how information and data is used when collected via the MTMO digital platform.
Over time we will endeavour to update the default language of English to reflect the language of the user through translation software, making it clear to users in their own language to opt-in.
We will also evaluate presenting the cookie-consent message in the right language, based on John’s location, through technological development.
If John is a client of MTMO, he has consented to certain information being processed by the very nature of the contract he will have entered into with us before we have started work on the contracted services. This will be in accordance with our T&C’s, with prompts & reminders throughout his dealings with us that reflect his acceptance of the way we process his data.
MTMO will provide clients like John access through their secure MTMO dashboard reached via their personal login sequence. As a client John will be able to see and access his own data and inform the MTMO Team if he wishes it to be deleted, updated, or changed by an automated process or direct messaging service.
Any request for data to be exported by either a client such as John, or an end user of the MTMO website, will be met in a readable format that will be sent/provided electronically.
An end user (not a client) who engages with the MTMO platform will be able to make a written request via email to team@makethemostof for a copy of any personal information the platform holds on them, if any. This may be relevant if they have sent a message via the MTMO platform or left a comment in a blog.
John will be able to change his information via his secure MTMO dashboard and/or via a direct message to the MTMO team member from the MTMO platform or via email to firstname.lastname@example.org.
A person using the MTMO platform as an end user may make a request to update their contact information if they wish us to stay in touch with them via email to email@example.com
As part of MTMO’s approach to GDPR, we will continually look at ways to strengthen our security controls across the MTMO platform and throughout our internal management processes. This will be an ongoing process that moves and adapts with current technology and laws.
Currently payments for MTMO services will not be taken through the MTMO platform, but via invoices sent via PayPal or email. All payments to MTMO will be via PayPal or bank transfer. This allows clients’ personal financial data to be processed by financial institutions that have their own APIs and GDPR compliance policy. If this changes, then the MTMO GDPR Policy will be updated here, along with the MTMO T&C’s.
MTMO will continually monitor and update practices around improving systems for authentication, authorisation, and auditing to better protect our clients’ data. We will provide additional details on these security measures as they are implemented in the MTMO GDPR Policy web page.