LAST UPDATE: 25 May 2018

GDPR Guideline

With this Guideline we give you more background information about the GDPR.
We also give you more insight into our Data Security measures.

Summary

The General Data Protection Regulation (GDPR) is a privacy legislation which applies throughout the European Union as of May 25th 2018. We at Spotzi are committed to assisting you in being GDPR compliant. Therefore we have written this guideline.

When you add a name to our address, real estate or business listings database, this data will become privacy features under the law of the GDPR. According to the GDPR, processing of names and addresses is only allowed when:

– You have a contractual relationship or are in the phase of signing a contract.
– You have consent from the person involved.
– Processing is necessary for compliance with a legal obligation.
– To protect the vital interests of a data subject or another person.
– Performing authority tasks.
– You have a legitimate interest like Direct Marketing.

Regarding Direct Marketing (via e-mail, phone and mail), however, there are a few rules you need to follow. In general, you comply with the GDPR when:

– You target your own clients.
– You target people who have given their consent to target them.
– You asked for an opt-in when using e-mail marketing.
– You provide a way to opt-out for your marketing campaign.

When you use our other datasets (like Postal Codes) or only aggregate the data we provide, the GDPR doesn’t affect you.

The GDPR allows you to selectively send advertising on the basis of target group segmentation and personas. You are, for instance, allowed to target only those clients whose property starts at a certain value. However, you may not limit the freedom of choice of an individual, or exclude or discriminate against them. For instance, you are not allowed to increase the price of your product for certain clients based on your profile. You are also not allowed to refuse an online credit application based on a fully automated decision. You must do a manual check.

The person living at an address can always require you to delete them from your marketing database, just like unsubscribing from a newsletter. People can also object to the use of certain features (like housing values).

Where possible, Spotzi will assist you in fulfilling the obligations to handle requests of exercising the rights of natural persons living within the European Economic Zone. This assistance consists of marking data delivered by Spotzi for which a request to change or delete personal data has been issued by the natural person. The way in which this will be marked will be documented in the accompanying documentation of the supplied data.

Data Security is also part of the GDPR and was always on top of our minds. Regarding Data Security, Spotzi has done a number of things. We have raised awareness across the organization through frequent discussions in our internal channels and informed employees to handle data appropriately. We have put together a personal data inventory that includes all the roles Spotzi assumes, such as a data controller and processor. This includes various categories of personal data processed by our organization and helped us to determine which department is getting access to which data and for what purpose. We have improved our data security methods and processes. We are constantly assessing new security methods and processes to keep your data secure and private. When needed, breach notifications will be done in accordance with our internal Privacy Incident Response policy.

Spotzi data and the GDPR

When you are a company based in Europe or when you have clients that live in Europe the GDPR may affect the way you use the following datasets we offer:

– The Spotzi Real Estate Database.
– The Spotzi Address Database of Canada and Western Europe
– The Spotzi Business Listings.

These datasets will be privacy features under the law of the GDPR when you add a name to that address. Processing of names and addresses is always allowed when:

– Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
– Processing is necessary for compliance with a legal obligation.
– Processing is necessary to protect the vital interests of a data subject or another person.
– Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

When you have a legitimate interest you are also allowed to use that address and the personal information that comes with that address. What is legitimate interest? Legitimate interests are those uses of personal data that are deemed necessary. For instance when you need the address for invoicing or delivery of the product to the right address.

Direct Marketing

The GDPR is very clear regarding Direct Marketing. This is accepted as a legitimate interest. So you can call, e-mail and send information by post to the people in your database. However, there are a few rules you need to follow.

Rule 1: Compatibility

The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. What does this mean? If you, for instance, retrieved a name and address to deliver your pizzas, you cannot sell this information to your neighboring business owner who owns a Chinese take out. It is only allowed when a person has given their explicit consent to do so. This also applies to personal information you gathered online or in any other way. People need to know that their information is being sold or handed over to someone else.

When you add a name or other personal information to an address, real estate object or business listing we provide, you are responsible for checking whether your use of this name or other personal information is compatible. The compatibility check is now an obligation in our revised terms and conditions and is therefore part of the contractual agreement you have with us.

Rule 2: Opt-in for e-mail marketing

There are special rules for e-mail marketing. You can only send an e-mail when that person has given their consent via opt-in. No default check-boxes and no hidden consent in your terms and conditions.

Rule 3: Existing clients

You can always target your existing clients. Even by e-mail. No opt-in is needed in that case! However your e-mail campaign needs to offer products and information similar to what your clients originally purchased.

Rule 4: Opt-out

The person living at an address can always require you to delete them from your marketing database, just like unsubscribing from a newsletter. People can also object to the use of certain features (like housing values). Spotzi will assist you in finding whether a person objected. How we do that is outlined in the next paragraph.

Spotzi opt out procedure

Where possible, we will assist you in fulfilling the obligations to handle requests of exercising the rights of natural persons living within the European Economic Zone. This assistance consists of marking data delivered by Spotzi for which a request to change or delete personal data has been issued by the natural person. The way in which this will be marked will be documented in the accompanying documentation of the supplied data. You will still be responsible for the correct acceptance of the marked attribute (change or delete). Spotzi can support you if Spotzi has access to this (personal) data in the context of our underlying assignment.

Profiling

The GDPR allows you to selectively send advertising on the basis of target group segmentation and personas. This is called profiling. Especially when you use our real estate database, you are probably profiling your clients. For instance, when you target clients whose property starts at a certain value, you are profiling. In this case you will exclude a certain group of people. Not receiving an advertisement is not considered “striking an individual to an appreciable extent”. The interest of an individual is not harmed because he or she has received an advertising message or not. The same applies to making choices about which content you want to show first to a visitor on your website, based on personas.

However, you cannot limit the freedom of choice of an individual to a large extent, or exclude or discriminate against them. For instance, you are not allowed to increase the price of your product for certain clients based on your profile. You are also not allowed to refuse an online credit application based on a fully automated decision. However, you can still manually decide not to offer your product.

Data Security

Data Security is also part of the GDPR and was always on top of our minds. Regarding Data Security, Spotzi has done a number of things. We have raised awareness across the organization through frequent discussions in our internal channels and informed employees to handle data appropriately. They now understand the importance of information security and the high standards set by GDPR.

We have put together a personal data inventory that includes all the roles Spotzi assumes, such as a data controller and processor. This includes various categories of personal data processed by our organization and helped us to determine which department is getting access to which data and for what purpose.

We are assessing our sub-processors (third party service providers, partners) and streamlining the contract process with them to ensure they address the pressing needs of the current security and privacy world.

We are constantly in the process of earning additional security certifications and data privacy seals. We are also documenting our processes and procedures, down to the tiniest details of what we do.

Our application teams have embraced the concept of privacy by design and are working to provide you more control over the data you store in our systems. These provisions may vary based on the product’s characteristics and domain. Our teams are working on these features and enhancements, which will be rolled out in phases.

We have added a Data Processing Addendum to our contracts to be compliant with the data processing requirements of GDPR.

We conducted Data Protection Impact Assessments (DPIA). Based on the results, we put in place appropriate controls on data processing and management.

We have improved our data security methods and processes. We are constantly assessing new security methods and processes to keep your data secure and private.

When needed, breach notifications will be done in accordance with our internal Privacy Incident Response policy. Customers will be notified of a breach within 72 hours after Spotzi becomes aware of it. For general incidents, we will notify users through our blogs, forums and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address). In this case we will also inform the Dutch Authorities.

We have revised our Privacy Policy to incorporate the requirements of the applicable privacy laws based on our data inventory, data flows, and data handling practices.