The General Data Protection Regulation (GDPR) is a regulation as of 2018 in the European Union. As a new regulation, there is a lot of information and misinformation about it because the law is written in very general and vague terms and many aspects of it are unclear at this time.  As best practices emerge and as litigation takes place we expect things around the GDPR to be clarified.  As best practices become clear this document and our recommendations may change.

Please note that the information provided herein is for general informational purposes only and does not constitute legal advice.  Your decision to comply or not comply with the GDPR is your decision alone based on your specific business and use case.

WHAT IS THE GDPR?

The GDPR is an European Union (EU) regulation that is intended to protect the privacy of EU citizens.

While the GDPR is an EU regulation, it expands the territorial scope of EU data privacy law. 

WHO IS AFFECTED?

Businesses based in the EU

Businesses outside of the EU offering goods or services to, or monitoring, EU residents

If you are doing business with or collecting any kind of personal data from individuals located in the European Union, we strongly recommend that you comply with the new General Data Protection Regulation (GDPR) (https://gdpr-info.eu) that went into effect on May 25, 2018. To help you comply, FASO can add a cookie notification banner to your site, if you would like, and provide a sample privacy policy. In addition, we have prepared this FAQ that includes other useful information to help you prepare for GDPR.

SIMPLY: If EU citizens sign up for your newsletter, post comments on your blog, contact you through your FASO website, or purchase artwork (or other goods) from you then, technically, you would be expected to comply with the GDPR.

WHAT IS YOUR ROLE UNDER THE GDPR?

If you need to comply with the GDPR, then, in regards to your relationship with FASO, you are the "data controller" for the data your users provide to you.  FASO is your "data processor" and you authorize us to process that data, through your contract with us to host your website and other services.

SIMPLY:  For your FASO website:  You are the data controller, FASO is your data processor.

WHAT IS PERSONAL DATA?

Personal data under GDPR includes any information about an identified or identifiable individual that you may collect directly or indirectly through your website. Some examples of personal data you might obtain directly are a person’s name, address, or email address.  You might obtain such information through a form on your website, such as a contact form, email subsription form, or blog comment. Personal data that may be transmitted indirectly includes things like a user’s IP address or the information stored in a browser cookie.

SIMPLY: In normal operations on a FASO website, personal data is name, email address, address, phone, contact messages, blog comments and possibly IP Address of your site visitors. You may also hold personal data on your customers outside of FASO.

WHAT RIGHTS DO MY WEBSITE VISITORS HAVE?

The GDPR allows individuals in the EU greater control over their personal data and grants them a number of rights with regard to how that data is processed, stored, and accessed. The section below covers the two situations that you, as a website owner, are most likely to see, but you should also carefully review the full list of data subject rights here: https://gdpr-info.eu/chapter-3/

The right to be forgotten: A person can request to be “forgotten”; that is, to have all of their personal data removed from your possession. If you are asked to do this, you will need to remove any personal data you have collected from the requester. You will also need to contact any third parties, such as FASO, that process personal data on your behalf. To ensure that any personal data in FASO's possession can be removed in a timely manner, you can relay any request to be “forgotten” to us by submitting a request at [email protected], let us know the name and email address of the person who made the request and we will remove the user's data from blog comments, your email newsletter subscribers, contact form submissions and anywhere else we have sotred it on your behalf.

Data portability: Under GDPR, an individual located in the EU may request that you send them any personal data in your possession. In this case, you would need to provide the requester with any personal data that you have in a commonly used, machine-readable format. You would also need to contact FASO at [email protected] to obtain any personal data stored on our end.

Access: Any data subject can ask the controller of their information to confirm how and where their personal data is being stored and processed. The data subject also has a right to know how that data is shared with third parties.

Rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

If a user approaches you with a request to avail themselves of any of the rights mentioned above, please note that you have 30 days to do so. You can contact FASO at support.boldbrush.com/faso  and email or chat with our artist support agents about your responsibilities and how we can help.

SIMPLY:  If your site visitor is in the EU, they can ask you to delete their data, export their data, ask how their data is stored, or ask to correct errors in their data.

HOW DOES FASO HELP ME COMPLY WITH THE GDPR?

We've done several things to ensure your FASO site is GDPR compliant.

* We've ensured that our analytics partner is GDPR compliant.  FASO Analytics provided by Clicky no longer store any personal data, such as full IP addresses, and thus are no longer storing any personal data as defined by the GDPR.  

* We've verified that our primary partners are all GDPR compliant.  

* You can request from us that we add a cookie banner to your site, so that uers know that your site uses cookies.  FASO cookies do not store any personal data about your site visitors but other services you utilize might.  

* We've created a sample privacy policy for artists that you may use on your website.

* We now require that all FASO Newsletter Subscribers that are added to your list, whether subscribed from your FASO website, or whether added by you in the FASO control panel are required to verify their consent to receive promotional newsletters from you by clicking an opt-in link to demonstrate consent.

SIMPLY:  We've done what we can to ensure your site GDPR compliant and will help how we can with other things you request.

HOW ELSE CAN I ENSURE MY FASO WEBSITE COMPLIES WITH THE GDPR?

Apart from promptly responding to requests from EU data subjects as described above, there are other things you can and should do to help ensure compliance. Here are some suggestions to get you started:

Add a Privacy Policy to your website. If you already have one, you should review the terms to make sure it complies with the expanded requirements under GDPR. If you don’t have one, we’ve created sample privacy policy [link] that you may copy and utilize as part of your process to become GDPR compliant.

Alert visitors to the use of cookies on your website. You may request we add a cookie banner to your website if you want to turn this feature on.

Inform your visitors and get their consent. Whenever you need to collect data from a user, make sure to clearly state, among other things, why you need it, what you plan to use the data for, whether it may be shared and with whom, and the lawful basis on which you are relying to collect such data. For example, if you have a newsletter or mailing list, make sure that the purpose of your sign up form is very obvious so they know what they are signing up for.

Obtain consent from existing subscribers.  If you have subscribers on your list who have never explicitly opted in to your list, particularly if you know you have EU based subscribers, you should send your whole newsletter list a re-engagement email requiring them to consent to continue to receive promotional newsletters from you.  After a reasonable period of time, remove the subscribers who did not provide new consent.

Evaluate third-party apps and vendors for compliance. If you are using any third-party services or widgets to gather or process customer data, you will need to check with those companies to verify they are GDPR compliant and will assist you with, among other things, users’ data removal and portability requests.

SIMPLY:  Add a privacy policy, get consent for newsletters, make sure third party widget providers are GDPR compliant.

BESIDES FASO-PROVIDED SERVICES, WHAT ELSE DO I NEED TO DO TO BE GDPR COMPLIANT?

While we can’t offer legal advice, here are some best practices that will help you get started with your GDPR compliance.

Some other questions to consider:

Do you collect personal data on your site using third-party, non-FASO services?  
(e.g., Google Analytics, MailChimp, Facebook Pixel, Other widgets or scripts).  
You should read the privacy policies of those services.

Do you download or export data from your site into another system? 
If so, don't forget to delete that data and/or provide that data if you receive a deletion or export request from an EU citizen.

Are you gathering information you don’t need? 
If so, you might consider not gathering that data in the first place.

Can you do things differently to reduce the amount of data you are responsible for? 
As an example, by disabling comments on your blog and moving the discussion to a Facebook post.  That would shift the responsibility for GDPR compliance regarding those comments to Facebook.

SIMPLY: Don't forget places besides FASO where you store data and don't collect data you aren't using or don't need.

Click here for a Sample Privacy Policy for Artists

02292024