No, currently there is no GDPR certification issued by the European Commission. Salesforce will monitor any certifications released after the GDPR becomes effective and will get certified if it deems them appropriate.
The GDPR aims to protect individuals' data. "Personal data" covers a wide range of identifiers, including name, identification number, location data and online identifiers, reflecting changes in technology and in the way organisations collect information about people. In other words, any identifier that can be used to identify an individual falls within the GDPR's definition of "personal data".
Yes. The conditions for consent have been strengthened: companies can no longer rely on long, illegible terms and conditions full of legalese. A request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, clearly distinguishable from other matters, and it must state the purpose of the data processing it covers. Consent must be unambiguous, and it must be as easy to withdraw as it was to give. Explicit consent is required for processing sensitive (special-category) personal data; in that context nothing short of an affirmative opt-in will do. For non-sensitive data, unambiguous consent suffices.
The right to restrict processing is the right of data subjects to ask a data controller to block or suppress the processing of their personal data. Consent management is an organization's ability to manage individuals' consent preferences. To process personal data, an organization must have a lawful basis; the GDPR provides six, one of which is the consent of the data subject. If an organization relies on consent and an individual requests a restriction of processing, then, depending on the circumstances of the request, the organization may also consider updating the individual's consent preferences to record their intent to restrict all processing of their personal data. Organizations should seek legal counsel to understand which legal bases they rely on and what their obligations under the GDPR are before designing this process.
A Data Protection Officer (DPO) is the person responsible for an organization's data protection activities and measures. The DPO is an independent role that monitors compliance with the GDPR, advises the organization on its data protection obligations, and acts as the point of contact for supervisory authorities and data subjects.
Our information security manager will be our DPO. If you want more details, you can reach out via email at email@example.com.
Yes, Screen Magic is GDPR compliant.
Screen Magic understands that meeting the GDPR requirements may take a lot of time and effort. As your partner, we want to help you make your process as seamless as possible, so you can focus on running your business. Some of our product enhancements will make it easier for you to:
- Provide access controls
- Encrypt, anonymize, or delete user data
- Perform data audits or assessments using data processing logs
- Create provisions for data subjects’ rights
- Enhance security for user data
The GDPR regulates the "processing" of personal data of individuals in the EU (referred to as "data subjects"). "Processing" includes the collection, storage, transfer or use of personal data. A company established in the EU is subject to the GDPR for all of its processing; a company based elsewhere is subject to it when its processing relates to offering goods or services to data subjects in the EU or to monitoring their behaviour. The GDPR also defines personal data very broadly, including name, email address, demographic information, real-time location, online activity and health information, to name a few. As a messaging service platform, Screen Magic receives billions of data points from all over the globe, including data points that are or contain personal data of data subjects. This means that both Screen Magic and the customers sending us data need to comply with the requirements of the GDPR.
Screen Magic is the "data processor" for its customers' data; our customers are therefore the "data controllers". Both terms are defined in the GDPR. The data controller (i.e., our customer) collects data from data subjects and decides how and why personal data is processed. The data processor receives the data from the data controller and processes it only on the controller's instructions.
Yes. Whether you are a data controller or a data processor, when you transfer personal data of individuals in the EU to us (which you do by using our services) you need a Data Processing Agreement (DPA) with us: the GDPR requires a written contract between a controller and its processor, and between a processor and any sub-processor it engages.
Yes. We understand that the GDPR imposes robust requirements and obligations on both data controllers and data processors, and we are committed to helping our customers use Screen Magic in a compliant manner. We have made our DPA available online so that our customers can be confident that their data is processed lawfully.
The European Commission has a website with guidance for its citizens on GDPR.
Yes. Screen Magic uses standard encryption as part of its security measures and as an additional layer of protection against a data breach.
By default, Screen Magic personnel have no access to our customers' Salesforce orgs. Our customer support agents may need temporary access to a customer's org for troubleshooting or for setting up the SMS-Magic platform; an agent will only access a customer's org after receiving explicit consent from the customer via email. We recommend that customers grant a limited profile with only the access needed for setup and troubleshooting, and remove it once the work is done. Separately, the SMS-Magic platform has API access to the customer's Salesforce org, used programmatically to write SMS transaction data into the customer's org and to retrieve aggregate SMS data for quality checks. This API access is granted through OAuth by a particular user in the customer's org, so the platform's effective permissions are those of that OAuth user, even though the platform only touches SMS-Magic objects. We therefore recommend authorizing the integration with a dedicated user whose profile or permission set is restricted to the SMS-Magic objects, rather than with an administrator account.
Yes. When a person record is deleted from the Screen Magic database, all records associated with it are deleted automatically. However, additional steps may be needed to delete personal data held in other places, such as calendar events and tasks.
Yes, Screen Magic has a data centre in Europe, hosted on Amazon AWS in Dublin, Ireland. If you are an existing EU customer of Screen Magic, you can request that your data be moved from our US data centre to our European data centre.
Screen Magic has a defined policy for data retention and deletion. Customer data is retained for a period of 6 months, after which it is archived.
To delete data, the customer sends a data deletion request to firstname.lastname@example.org. Once the request has been authenticated as coming from the customer, the data is completely erased from the Screen Magic servers.
For Salesforce (SFDC), we provide opt-in and opt-out mechanisms you can use.
If you are using our portal to send SMS, you can use the subscription feature to manage your customers' consent.
You can get in touch with our customer support team at https://www.sms-magic.com/support/.
a. Yes, you can configure separate consent for service and marketing messages using the Content-Type functionality of Consent Management.
b. Consent Management lets you map templates to consent types, so that consent can be categorized by content type.
a. If you chose Sender ID as an attribute when setting up Consent Management, each consent is mapped to a specific Sender ID. An "Opt-Out" request received on that Sender ID applies to that Sender ID only; you can still send messages using another Sender ID.
b. If you receive a blanket "Opt-Out", you will not be able to send messages to that recipient from any Sender ID.
Explicit consent to receive messages via SMS, collected on your website, is sufficient.
Double opt-in is not mandatory, but it is recommended as a best practice. As long as you collect initial consent to text and provide a way for recipients to opt out if they want to, double opt-in is not required.
b. Set up a flow that satisfies both TCPA and GDPR requirements. SMS-Magic supports both, and it is easy for us to handle.
SMS-Magic provides a Compliance Framework that you can configure to be TCPA and GDPR compliant.
No, at this moment we do not have this feature. You need to keep your own database clean so that you do not send to numbers on Do Not Disturb (DND) registries or to known plaintiffs.
Yes, you can take consent over the phone. TCPA, GDPR and other compliance regimes require you to keep a log of how consent was obtained. As long as you store evidence, for example a call task, a call recording or minutes of the call, consent taken over the phone is acceptable. It is nevertheless recommended that you seek consent via an opt-in text, so that your system holds proper logs in the form of incoming messages or Consent Records.
For version 1.59 and above, consents are stored as Salesforce records (the Consent object), and you can mass-import consent using Data Loader or Workbench. For versions before 1.59, consent is marked as a checkbox on the associated object record (for example, the Opt In field on the Lead object); you can mass-update the Opt In / Opt Out field to record consent.
You can identify recipients who have opted in by checking whether they replied to your previous messages with keywords such as "subscribe" or "Opt-IN".
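The keyword check described above, combined with the Sender-ID-scoped opt-out from the earlier answer and the evidence log that the TCPA/GDPR answer asks for, can be implemented as a small classifier over inbound replies. The following is an added example in Python and is not SMS-Magic code: the keyword lists, the inbound-row layout (timestamp, phone, Sender ID, text), the Sender IDs and the sample replies are all assumptions or constructed data.

```python
"""Derive SMS consent state, with evidence, from inbound replies.

Added illustration, not SMS-Magic code. Keyword sets, row format and the
sample replies are assumptions / constructed data.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed keyword sets. A real deployment should use exactly the keywords it
# advertises to recipients plus any that carriers or regulators require.
OPT_IN_KEYWORDS = {"subscribe", "optin", "opt-in", "start"}
OPT_OUT_KEYWORDS = {"stop", "unsubscribe", "optout", "opt-out", "cancel", "end", "quit"}


@dataclass(frozen=True)
class ConsentRecord:
    phone: str
    sender_id: str
    status: str            # "opt_in" or "opt_out"
    evidence: str          # verbatim inbound message that established the status
    received_at: datetime  # when that message arrived


def normalize(text: str) -> str:
    """Lower-case and drop punctuation (except hyphens) so "Opt-IN!" == "opt-in"."""
    return re.sub(r"[^a-z0-9\- ]", "", text.lower()).strip()


def classify(message: str) -> Optional[str]:
    """Return "opt_in", "opt_out" or None for one raw inbound reply.

    Matching is deliberately conservative: only the leading keyword counts,
    so "please stop calling but keep texting" is not treated as an opt-out.
    "opt in" is joined to "opt-in" so both spellings match.
    """
    words = normalize(message).split()
    if not words:
        return None
    candidates = {words[0], "-".join(words[:2])}
    if candidates & OPT_OUT_KEYWORDS:
        return "opt_out"
    if candidates & OPT_IN_KEYWORDS:
        return "opt_in"
    return None


InboundRow = Tuple[str, str, str, str]  # (ISO-8601 timestamp, phone, sender_id, text)


def build_consent_log(inbound: List[InboundRow]) -> Dict[Tuple[str, str], ConsentRecord]:
    """Latest classifiable reply per (phone, Sender ID) wins; chatter is ignored.

    Consent is keyed per Sender ID, mirroring the Sender-ID attribute in
    Consent Management: a STOP on one Sender ID leaves the others untouched.
    """
    log: Dict[Tuple[str, str], ConsentRecord] = {}
    for ts, phone, sender_id, text in sorted(inbound):  # chronological order
        status = classify(text)
        if status is None:
            continue  # not consent evidence; do not record it as such
        log[(phone, sender_id)] = ConsentRecord(
            phone, sender_id, status, text, datetime.fromisoformat(ts)
        )
    return log


def can_send(log: Dict[Tuple[str, str], ConsentRecord], phone: str, sender_id: str) -> bool:
    """Only a recorded opt-in for this exact Sender ID permits sending."""
    rec = log.get((phone, sender_id))
    return rec is not None and rec.status == "opt_in"


# Constructed sample replies, not real traffic.
SAMPLE_INBOUND: List[InboundRow] = [
    ("2024-05-01T09:00:00+00:00", "+14155550100", "ACME-SVC", "Subscribe"),
    ("2024-05-01T09:05:00+00:00", "+14155550100", "ACME-MKT", "Opt-IN!"),
    ("2024-05-02T10:00:00+00:00", "+14155550100", "ACME-MKT", "STOP"),
    ("2024-05-02T10:01:00+00:00", "+14155550101", "ACME-MKT", "thanks, see you tomorrow"),
    ("2024-05-03T08:00:00+00:00", "+14155550102", "ACME-SVC", "opt in please"),
]

if __name__ == "__main__":
    consent = build_consent_log(SAMPLE_INBOUND)
    for (phone, sid), rec in sorted(consent.items()):
        print(f"{phone} {sid}: {rec.status} (evidence {rec.evidence!r} at {rec.received_at.isoformat()})")
```

Keeping the verbatim reply and its timestamp on each record is what turns a checkbox into evidence: if a recipient later disputes consent, the log shows the exact message that set or cleared it. The example leaves out the "blanket" opt-out described earlier because the page does not define which reply triggers it; the same key structure extends to it by clearing every Sender ID for the phone number.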
If a customer has filled in a web form and given consent there to receive messages, we recommend a double opt-in: ask for an opt-in by text as well.
Compliance is always the customer's call, but as a best practice we recommend using the Compliance Framework.
Yes, SMS-Magic is HIPAA compliant.
SMS-Magic is HIPAA compliant. We can set up the configuration per Sender ID, per mobile number, or both, in Salesforce. Write to email@example.com to learn more.