The Orbiter Project and GDPR — An FAQ
GDPR (The General Data Protection Regulation) takes effect on May 25, 2018 and implements a standard across Europe for personal data security and protection. The Orbiter Project takes data protection extremely seriously and we know that our customers do as well.
Q: My business is an Orbiter customer and we are based in the United States — does this regulation apply to my firm?
One of the most distinctive aspects of GDPR is that it is designed to protect Europe’s citizens, NOT its geography. No matter where your business is located, GDPR still applies if you control or process any personal data about European residents/citizens. For many companies, regardless of location, the answer is therefore YES. Violations can be €10,000,000 (nearly $12MM) or more.
Q: What is The Orbiter Project doing to comply with GDPR?
We have made a number of important changes, including:
- Updated our Terms of Service, effective immediately for all customers and users of any Orbiter Project products
- Updated our Privacy Policy
- Created an updated, simple, and streamlined opt-out process for any individuals who do not wish to be tracked by The Orbiter Project software
- Identified and audited all third-party vendors and services that have access to the personal data of The Orbiter Project customers
- Identified and audited all third-party vendors and services that have access to the personal data of individuals being tracked by The Orbiter Project software
- Audited data storage, security, and retention policies
- Notified all Orbiter Project customers to remind them of the importance of GDPR compliance and the changes required to their websites
Q: If my business uses The Orbiter Project, do I need to do anything to my site to comply with GDPR?
While we cannot tell you everything your business might need to do to comply with GDPR, we are requiring all Orbiter Project customers to add the following text to their online privacy policy, as per our updated Terms of Service:
As you use this website, cookies will be placed on your device by our software partner, The Orbiter Project, so that we can better understand what you are interested in on our website. This software serves the legitimate interest of helping us personalize content and better serve you as a customer. The Orbiter Project software monitors your activity on this website (The Orbiter Project cookies do not track your movements beyond this site) completely anonymously until such time as you voluntarily supply our company with personal information such as your name, email address, postal address, or telephone number. Methods of providing contact information may include filling out a form, making a purchase on this website, commenting on our blog, or participating in our email marketing. This information is for our company’s use only; it is not used by The Orbiter Project or their partner companies in any way except to serve our account. The Orbiter Project will not sell/share/rent your information to any other Orbiter Project customers/clients, nor will they sell/share/rent your information to any third party. If you wish to opt out of this tracking, please visit https://orbiterproject.org/opt-out.
Q: Is The Orbiter Project a processor or controller under the GDPR regulations and what legal basis is used for processing?
A controller, per GDPR Article 4, is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”, and a processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” The Orbiter Project acts as both.
There are 6 lawful bases for processing personal data under the GDPR (source: ICO):
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The Orbiter Project (which does not itself perform direct marketing or email marketing, but rather integrates with other tools that perform those tasks) gives businesses the ability to personalize content and serve customers more effectively based on their needs and preferences. Both are legitimate business interests, and The Orbiter Project’s storage of personal data is tied to these functions. Combining The Orbiter Project data with other tools to facilitate functions like email or SMS marketing would require explicit consent.
Q: Who does The Orbiter Project share personal data with?
The Orbiter Project never shares data between The Orbiter Project customers; personal data is only shared with the administrators of the customer website where the data was collected. Outside of the customer relationship, the only entities with access to personal data on The Orbiter Project servers are trusted third-party partner companies charged with helping The Orbiter Project manage and secure that data. The Orbiter Project never shares/sells/rents personal data to outside organizations.
Q: If I have more questions about The Orbiter Project and GDPR, how can I get answers?
Start by checking out the following resources on our website:
And if you can’t find what you’re looking for there, just email us.