How MarketingPlatform complies with GDPR

First and foremost, all our data is securely located within the borders of EU. Therefore your business is on a very safe footing when you choose MarketingPlatform as the supplier of your Marketing Automation platform.

MarketingPlatform more than meets the EU GDPR and the Danish Data Protection Act. No one else has access to the data you import, collect and thus store in MarketingPlatform.

The GDPR legislation states that it is important to avoid storing data outside the EU unless it is absolutely necessary. At MarketingPlatform, we help your business comply with these laws.

Secure servers – located in the Netherlands

All data is stored and processed on our dedicated, secure Google Cloud Platform servers which are themselves physically located in the Netherlands.

These servers stand behind high-performance firewalls, are regularly updated with the latest versions of operating systems, and are scanned daily for vulnerabilities.

Delivery of emails to recipients

In addition, we handle ourselves the actual delivery of your emails to the recipient’s server or service (eg Gmail, TDC or Hotmail / Outlook.com). This is something the vast majority of our competitors have outsourced to foreign companies. Our servers are located in Ballerup (Denmark) with the hosting company Sentia in the Interxion facility (will be moved to Google Cloud upon correct support of BYOIP – Bring Your Own IP – in large scale).

View form the delivery engine in MarketingPlatform (MTA) – a small look behind the technology that ensures the optimal delivery capacity for sent campaigns

This means that the sensitive delivery information and statistics in the MTA itself (the special SMTP server for outgoing emails) are under our sole control and resident on their own servers.

GDPR features in MarketingPlatform

As your data processor, it is our most important task to ensure your business can live up to your responsibility as the data controller in as worry-free a way as possible. Therefore, we have developed a range of special features that aligns with the Danish Data Protection Act the EU’s GDPR directive.

The dilemma is the documentation requirement versus the right to be forgotten and data deleted – not to be confused with the possibility of unsubscribing from a newsletter. In addition, all persons also have a right to receive detailed information of what has been collected and recorded about them.

It is easy to download a contact’s registered data. Choose Export info in the upper right corner and request exports in JSON or Excel format

A contact card in MarketingPlatform contains a wide range of information that the person either entered themselves, has been enriched from integrations with other systems – or derived from the behaviour of the recipient. A behaviour can be the opening of a newsletter, a click, update of information, or other underlying processes such as geographical location and much more.

The MarketingPlatform contact card is threefold, with mandatory fields like email and mobile number in the upper left. You can add your own fields to the customer at the top right and collected behaviour at the bottom. Pay special attention to our MailRating system, which measures the contact’s “commitment” – here’s the contact VIP.

If someone wants to be deleted according to GDPR, simply select Delete. Delete removes all unnecessary fields on the contact card, removes the contact from all lists, exports, and other data sets. However, it will always be possible to search the contact card again if you know the full email address. That way, MarketingPlatform makes it easy for you to meet the documentation requirement.

The same contact as above, here subjected to GDPR deletion. Email Permission is added to ‘Deleted’ and the only information stored is the permission field – when the person has signed up and confirmed sign up, as well as from which IP address the actions were taken

Imagine a situation where a person has requested to be deleted. As a data controller, you make sure it happens and delete any communication with the person. The following day, the person elects to accuse your company of SPAM. By making a search on the person’s email address in MarketingPlatform, the deleted profile shown above will appear and your company can comply with the documentation requirement.

The Data Inspectorate has approved the process of keeping an absolute minimum of information in order to comply with documentation requirements.

Function for re-subscribing a GDPR deleted contact.

If a GDPR deleted person is to be re-registered, select Resubscribe at the top left of the contact card. A popup box then says that this requires a confirmed sign-up. We have done so to protect you and your company from unintentional re-enrollment.

Upon re-enrollment, the person will receive a confirmation email (SMS if the permission is on SMS), where the recipient must actively click on a confirmation link. This is the same procedure as the familiar process you know from any other confirmed sign-up.

After the recipient has confirmed the registration, a new contact card will be generated with a new unique SubscriberID.

Re-subscribed contact card which has email address as the only information that the person wanted to re-enter during confirmed signing in.

The redirected contact has a completely average MailRating and no other information. Subscriber Source will be Resubscribed and thus very easily identifiable.

In MarketingPlatform, the original permission, ie the GDPR deleted contact, will still be preserved. Most of all, this is in order to document the original permission, but also to avoid doubt that the requested deletion has been completed.

Flow from a sign-up to a re-enrollment

A contact can be recorded in MarketingPlatform in several different ways. Either through a web form created in MarketingPlatform and inserted on your company website or webshop, through an integration with CMS, webshop, popup solution or the like – or by import from Excel, CSV, or as an import through DataSync that can handle very large and complicated data volumes.

The contact can either be verified before it is inserted into MarketingPlatform or confirmed via a web form or automation flows in MarketingPlatform. After the contact is confirmed, they can begin to receive campaigns.

If the person unsubscribes via a received newsletter, their status will change to Unsubscribed. Thus, the contact will no longer receive campaigns or automated flows that send out campaigns.

There is a difference between a completely standard unsubscribe, in which the person has not expressed a wish to be deleted, and an explicit request for data deletion, and perhaps at the same time, the retrieval of registered information.

The “pause” simply breaks the contact card, whereas an “erase” removes all unnecessary information and directly blocks that email address from signing up to other lists. It is important to distinguish between unsubscribing and a GDPR approved deletion. When operating your business with multiple lists, for example, required by multiple brands, unsubscribing from one list does not necessarily mean unsubscribing from all other lists – the other brand(s).

We have chosen this procedure because an unsubscribed person at a later date can contact and request to be provided with all their registered data. If a deletion was made directly on an unsubscribe request, it would be difficult to comply with the law’s requirements for full details regarding registered and recorded information.

After a person, a contact has been deleted following GDPR processes, he or she may wish to be re-registered. This can either be done through an MarketingPlatform web form where the person completes the form and receives an email for confirmation or through the special Resubscribe feature that also sends a message to the person and asks for confirmation of the desire to be re-registered.

We cannot see your data

All data you enter into MarketingPlatform naturally belongs to you and your company. We are just your data processor. This data can be exported from our platform at any time.

Around 40% of the email address or the mobile number will always be replaced with an asterisk.

In addition, we have made it impossible for our employees to identify the people behind your contacts in MarketingPlatform. An automated rule removes 40% of the email address or mobile number – and replaces it with an asterisk.

We also can not export the data without your prior approval.

In this way, we secure the safety of people that make up your company data in the best possible way. It is neither a requirement in the Danish Data Protection Act nor the GDPR, but an additional protection we have chosen to provide at MarketingPlatform. Furthermore, of course, the data is encrypted in our databases.

And so the ring has ended from signing up over security to re-registration.

Encryption on disk level

Furthermore all content on harddrives (all types of storage) are encrypted. So below the pseudo encryption is a real strong encryption.

https://cloud.google.com/security/encryption-at-rest