How OneSignal meets GDPR Regulatory Compliance Measures

What is GDPR Compliance?

The European General Data Protection Regulation, or GDPR, is a policy that regulates how organizations can use consumer data. It establishes a baseline for opt-in consent, protects consumers from privacy breaches, and gives them control over their data.

This European Union Policy is known as the strictest data privacy law that exists and has transformed the state of data collection across Europe and the world.  

Officially passed in May 2018, the GDPR marked a dramatic shift from the EU’s prior privacy regulation, the Data Protection Directive 95/46/EC, which came out in the 1990’s.

OneSignal and the GDPR

The GDPR is relevant to all brands that collect or retain personal data in Europe (the EU). This means the policy applies to us as a “data processor” and could apply to you, as a “data controllers” We’ll break down these terms in a bit..

Why must US-based companies comply with GDPR?

The GDPR applies both to companies based in the EU and companies that transact with EU customers. This policy applies to any customer whose data you handle within the EU, whether they’re a resident, citizen, or visitor.  

Is OneSignal considered a “Data Processor” or “Data Controller” under GDPR?

Under the GDPR, a data controller defines the how and why of customer data usage.

A data processor, on the other hand, is a third party that a controller may choose to handle their data. What this means is that processors are not in charge of the purpose or means of data usage.

Under the GDPR, we are considered a data processor and you, our clients, are data controllers. As a processor, we support all of our clients in staying compliant.

What does the GDPR aim to do and what happens if you don’t comply with it?

The GDPR aims to give consumers direct control over who collects their personal data, how it’s handled, and when it’s collected.

Brands need to stay GDPR compliant to avoid steep fines. Violating the policy can incur penalties of up to 20 million euros, or 4 percent of your company’s  turnover in the previous year— whichever amount is higher.

For example, in July of 2021, Amazon was fined  a record-breaking 746 million euros, or 888 million dollars, for not providing informed opt-in consent before setting cookies on users’ devices.

In the same year, Ireland’s Data Privacy Commission slapped WhatApp with a 225 million euro, or 255 million dollar fine after the company neglected to properly disclose its data processing practices in its privacy notice.

How to Stay Compliant with GDPR Requirements

We empower you, our users, to be GDPR compliant. That said, you will need to take steps to ensure that you’re following the rules.

1.Know What Data Privacy Measures are Part of GDPR Compliance

The GDPR is a complicated policy containing 99 separate articles. It requires that companies handle data with seven key principles in mind—  lawfulness, fairness & transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality (security), and accountability.

2.Understand Your Customers’ Privacy Rights

The GDPR protects 8 rights for the customers you collect data on:

1. The Right to Information- Your customers can ask you what type of data you’re processing and why you’re collecting it.
2. The Right of Access- Your customers can access the data you collect on them.
3. The Right to Rectification- Your customers can ask for their data to be altered, corrected, or updated.
4. The Right to Erasure- They can also request that their data is deleted/erased.
5. The Right to Restrict Processing- Your customers can ask that you stop processing their data.
6. The Right to Data Portability- They can also ask that their personal data be sent to a third party in electronic form.
7. The Right to Object- Your customers can object to you processing their data.
8. The Right to Reject Automated Individual Decision-Making- Your customers aren’t subject to decisions based on automated processing.

*Note that you’ll always need a contract  for personal data transferred from the EU to the US for processing purposes.

“Personal data” is outlined in detail by the policy. Let’s get into what qualifies as personal data…

3. Know What Qualifies as Personal Data

What’s personal data under the GDPR?

Under the GDPR, “personal data” is “any information relating to an identified or identifiable natural person (‘data subject’); subject of an ‘identifiable nature’ “

This description sounds vague, because it applies to many types of information. Personal data can be both quantitative and qualitative. Some examples are a customer’s name, number, IP address, ID number, location, social media profile, or even physical or genetic information.It also applies to information about a customer’s economic, social or cultural identity.

When you’re trying to understand whether a piece of information is personal data, a good rule of thumb is to ask yourself whether you can directly identify a customer based on the data in question. Second, if you can’t directly identify someone from that information, ask yourself if that person is still identifiable.

Some key caveats about personal data under the GDPR are..

• Anonymous information isn’t subject to the GDPR, but it needs to be “truly anonymous.” This means that deidentified, encrypted, or pseudonymized data that can be used to identify a customer is still personal data.
• The GDPR protects anything that qualifies as personal data — regardless of how it’s collected and stored. This applies to both automated and manually collected data as well as data stored as video, recorded on paper, or through an IT system.

4. Know When Can You Process Personal Data

Under the GDPR, your company can process personal data on the 6 following conditions:

• Consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interests
  

Take a look at the full policy to learn more.

OneSignal GDPR FAQ

How We Comply With GDPR

In case you’re wondering, here are some steps we’ve taken to be fully GDPR compliant:

• We’ve been certified by the EU-US and Swiss-US Privacy Shield Frameworks
• Our Data Processing Agreements (DPA's) include GDPR provisions
• Our Terms and Use and Privacy Policy both describe our data processing and data security practices, including the personal data we disclose, how we use it, how we keep it secure, your data control rights, and our responsibilities as a data processer

Data Minimization & Storage Limitations

Data minimization is a key piece of the GDPR framework. It says you shouldn’t collect more personal data on your customers than you need.

How does OneSignal comply with Data Minimization & Storage Limitations?

Within our system, personal information and automated message data is kept for 30 days. After that, we erase it from our servers.  We keep data from the dashboard for the lifetime of your app.

Where are OneSignal’s data centers located?

Our data centers are based in the EU. Learn more about why we made the choice to migrate our data centers.

Can customers use OneSignal to track explicit consent to process personal data in accordance With GDPR requirements?

Consent data is held by you, our clients. It’s not stored in our dashboard.

Does OneSignal Share SDK information?

We use SDK information to deliver a variety of services.

How and why do we share it?

• We sometimes share SDK information to fulfill your orders, do business, communicate with you, and make our services and website available.
• The entities we share SDK data with help us perform certain activities outlined in section 2 of our privacy policy. Some examples include billing and payment, marketing, advertising, email marketing, and other functions.
• We also may share SDK information or Data Segments with website operators and app developers for their advertising, analytics, or for other purposes.

** Importantly, we don’t share SDK information with third parties except those who process the data on our behalf.

We only share third-party data if:

• an end-user or client authorizes it
• the information is used to comply with laws, to enforce our terms of use, or protect our rights
• the disclosure is part of due diligence for a purchase, transfer, or sale, or in the event of bankruptcy

*Even when you no longer access our SDKs, we may continue to use and share your information as described in our Privacy Policy.

Learn More About OneSignal’s GDPR Compliance Measures

We understand the sensitivity surrounding the storage and use of data by our one million users and the billions of devices we deliver messages to each month. You can learn more about our data protection measures in our full privacy policy.

Still have questions? We’ve got answers! Reach out to us at privacy@onesignal.com.