The General Data Protection Regulation, or GDPR, has been a core topic in the business world for quite a few months now; and whether you are a business owner or a user looking out for your right to privacy, it’s a subject that you are probably aware of and that matters to your online wellbeing.
GDPR is a regulation in EU law that seeks to ensure data protection and privacy for all individuals within the European Union. However, due to its broad and comprehensive approach to the matter, it is being applied globally as a standard by businesses that provide online services, both within the European Union and in the rest of the world.
At its core, GDPR enables you to opt in or out of any data gathering and gives you the right to know the purpose and destination behind each data handling process, with the option to access, port, modify, or delete/anonymize your personal information.
At Prey we have always cheered for transparent data handling, and user privacy has been one of our core values since the very beginning. As a service, Prey doesn’t require any Personally Identifiable Information (PII) from its users other than their name and email, and all device and account data is available only to its respective user, and not to ourselves or any external actor.
Following this trend, Prey is making all necessary adjustments to fully comply with the European General Data Protection Regulation. This will apply to all Preyans globally, not only in the EU region, by May 25th of this year, GDPR’s enforcement date.
In general, this is a fine-tuning process with minor tweaks that won’t affect the service, since most regulations established by this law were already contemplated by our platform. It’s certain that transparency will be boosted, and our users -you!- will gain further power over the usage, maintenance, and destiny of their data.
Below you can find an explanatory table that showcases each aspect of GDPR that relates to our services, and how Prey complies with it:
|GDPR Article||What it means||How Prey complies with this law|
Lawful basis of processing
|Article 6, GDPR|
In order to justify the processing of personal data, one of the following must apply: The individual has given you consent; the processing is necessary to fulfill a contract; there is a legal obligation behind the processing; there are vital interests; the processing aids a public task; or there is a legitimate interest from you or a third party involved.
|Regarding the processing of personal data, Prey’s justification is contractual. This applies to any relationship between Prey Inc. and our users: the Prey application, the online panel, and the services provided. Our Terms of Services and Privacy Policies are at hand for our users to review before creating a Prey account utilizing their basic personal information (email, name). We will continue to simplify these documents and create accessible and interactive resources so that reading and understanding these policies is a positive experience instead of a real pain.|
At this point, Prey is obligated by contract to provide its services according to the type of user and account that entered the platform. By default, Prey doesn’t actively utilize or generate user data; it’s an on-demand process activated by the users themselves when they request the service Prey is obliged to provide.
On the other hand, when it comes to data processing instances like our website’s cookies, Prey’s newsletters, website interactions, and our Forum Community, users are informed of the data’s gathering purpose with a disclaimer and prompted to give, or not give, their consent.
|Cookies are considered personal data that can identify a user and leave online traces that are to be protected.|
Therefore, the user needs to be given notice of their use, and their consent is required for non-essential cookies (e.g., ad tracking).
Essential cookies are those which are necessary for the correct functioning of a website, application, and/or service.
Non-essential cookies refer to data gathered with purposes not related to functions, but to analytics and interaction trackers for marketing purposes.
|At the Online Panel: Users will be informed about and prompted to opt-in to all non-essential cookies, meaning all trackers that aren’t necessary for the service’s proper functioning. These will be listed and the collection’s purpose explained.|
At our Website: Users will be informed and prompted to opt-in to all non-essential cookies, with a detailed look into their use and the data’s destination.
To learn more about which cookies are utilized both in the panel and in our website, please visit the following link.
|Art. 7, (3), GDPR|
Users have the right to withdraw their consent at any time, when it comes to data processing that is based on user consent.
|Cookies: Users who have opted into non-essential cookies they no longer want Prey to utilize can access the Cookies Opt-out hub to turn these trackers off. This hub will be present at all times in our website’s navigation, for easy access.|
Email: All automatic email communications offer an unsubscribe option, both for email notifications regarding the Online Panel (notification settings), and commercial or marketing email listings and communications (unsubscribe). Direct communications from Prey to users regarding the service’s functioning, contractual changes, and/or service modifications remain untouched by this regulation.
Services: If necessary, users can fully opt out of Prey’s services by deleting their accounts at any given moment.
|Art. 15, 16, 17, 18, GDPR|
Access: Right to know what personal data are contained in a file.
Rectification: Right to rectify incorrect or incomplete data in a file.
Cancellation: Right to cancel and block incorrect data in a file.
Opposition: Right to oppose certain, specific processing of personal data within a file.
|Access: Prey only handles basic personal data the user enters to create the Prey account, therefore it is directly accessible through the account’s Settings.|
Rectification: All personal data related to the account, email and name, can be directly modified through the account’s Settings.
Cancellation: A user can cancel or block their basic personal data by deleting their Prey account using the Online Panel. As for all data generated by Prey’s use and applications, see Deletion, below.
Opposition: It doesn’t apply to the personal data handled by Prey’s service (name and email). However, as mentioned before, users can opt out of any data processing that is not directly necessary to the service’s proper functioning (cookies, mailing lists, notifications). When it comes to personal data generated by the app (device location), Prey acts only when requested and the user can stop its use at any given moment and block any automatic actions, for example, by disabling constant tracking.
|Art. 20 GDPR|
Users have the right to request and receive all personal data concerning them that has been provided to a controller. This data has to be delivered in a structured, commonly used and machine-readable format with the proper rights to export said data onto a new platform without any obstructions.
|We make sure that all of our third-party vendors connected to our platform provide the pertinent portability portals to comply with the user’s right to request and access any navigation and website generated data.|
On the other hand, Prey will add the Portability setting to the user’s online panel itself, so that any user can request all data that concerns them, which will be compiled and delivered automatically by Prey.
|This certification by the U.S. Department of Commerce and the European Commission provides companies in both the US and the EU with a framework that ensures they comply with all data protection requirements when transferring personal data from the European Union to the United States.||Prey is currently going through the process of requesting and obtaining the Privacy Shield certification.|
|As said before, Prey stands as a promoter of the proper and transparent handling of data, being an Open Source platform since the very beginning.||Therefore, we will continue to provide transparent and public information regarding Prey’s practices. Both our Terms & Conditions, and our Privacy Policies will reflect all necessary knowledge regarding the gathering, use, and destiny of all personal data. We’re looking to simplify these documents and make accessible resources for anyone to learn and understand how our Policies affect them.|
These documents will continue to be updated in the future as new needs and concerns arise, and our users will be informed diligently.
|Art. 17, GDPR||Both Prey and its third-party integrations will offer the proper platform to request the erasure of all personal data.|
When requested, all data from third-party databases will be deleted, while user-generated data and interactions stored in Prey’s servers will also be wiped permanently.
Third-Party Integrations Compliance
|All third-party providers and integrations have been reviewed to ensure their work regarding all GDPR regulations is in line with Prey’s efforts.|
|Art. 35 GDPR|
Data protection impact assessment
|Prey’s data protection officer combined efforts with the legal team to assess all current security and protection standards; the results stated that the current measures taken were in compliance with GDPR’s requirements. Security audits will continue to be carried out by this team.|
DISCLAIMER: This information doesn’t constitute legal advice by Prey regarding GDPR’s implementation and legal courses of action to be taken by businesses or individuals in favor of or against these regulations. This article is merely meant to inform about Prey’s process of compliance and efforts to protect its users’ privacy.