GDPR

1. Is there a GDPR certification?

Currently there is no GDPR certification issued by the European Commission. Salesforce will be monitoring any certifications that are released after the GDPR becomes effective and will get certified, if it deems them to be appropriate.

2. What constitutes personal data?

GDPR aims to protect individual’s data that includes a wide range of personal identifiers including name, identification number, location data or online identifiers that reflect changes in technology and the way organisations collect information about people. In other words, all those identifiers that helps to identify an individual are included within the definition of ‘personal data’ for GDPR.

3. Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent – and what is the difference?

The conditions for consent have been strengthened, as companies are no longer able to utilize long illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. This means that it must be unambiguous.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt-in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

4. What is the difference between the “right to restrict processing” and “consent management?

The right to restrict processing refers to the right of Data Subjects to request that a data controller blocks or suppresses the processing of their personal data.
Consent Management refers to the ability of organizations to manage individual’s consent preferences. In order to process personal data, organizations must have a lawful basis to process the data. Under the GDPR, there are six legal bases which organizations can rely on to lawfully process personal data. One of these is the consent of the data subject. If an organization is relying on consent, and the individual requests a restriction of processing of their personal data, depending on the circumstance of the request, organizations may also consider updating the individual’s consent preferences. This change would include their intent to restrict all processing of their personal data.
Organizations should seek legal counsel to understand what legal bases they are relying on to lawfully process personal data and their obligations under the GDPR, in order to design their process.

5. Who is a Data Protection Officer (DPO)?

A Data Protection Officer is the professional responsible for the data protection activities and measures inside the company. He/she holds the security leadership role in charge of overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
Our information security manager will be our DPO. If you want more details, you can reach out via email at data-protection-officer@screen-magic.com.

6. How should we notify customers of these new rights?

The European Commission has a website with guidance for its citizens on GDPR.

7. Is Screen Magic GDPR compliant?

Yes, Screen Magic is GDPR compliant.

8. What does GDPR mean for customers?

Screen Magic understands that meeting the GDPR requirements may take a lot of time and effort. As your partner, we want to help you make your process as seamless as possible, so you can focus on running your business. Some of our product enhancements will make it easier for you to: 

  • Provide access controls
  • Encrypt, anonymize, or delete user data
  • Perform data audits or assessments using data processing logs
  • Create provisions for data subjects’ rights
  • Enhance security for user data

9. How does GDPR impact Screen Magic and its customers?

The GDPR regulates the “processing” of personal data of any EU resident (who is referred to as a “data subject”). “Processing” includes the collection, storage, transfer, or use, of personal data. This means that any company that processes the personal data of any data subject, regardless of where the company is based, is subject to the rules of the GDPR. Additionally, the GDPR defines personal data very broadly, and includes name, email, demographic information, real-time location, online activity, and health information, to name a few. As the messaging service platform, Screen Magic receives billions of data points from all over the globe, including data points that are or contain personal data from data subjects. This means that both Screen Magic and our customers sending us data will need to comply with the requirements of the GDPR.

10. Is Screen Magic collecting data?

Screen Magic is the “data processor” for its customer’s data. Our customers therefore are the “data controller”. These terms are defined under the GDPR. The data controller collects data from data subjects (i.e., customer) and says how and why personal data is processed. The data processor receives the data from the data controller and acts upon instruction from the data controller.

11. What data does Screen Magic process?

While registering for our product/services we request you to provide us with such information like the first name, last name, company business name, address, website address, email address. This is the basic data of yours that we process and store. We also store Billing contact (email address), Billing address, shipping address, Contact number for billing, Point Of Contact for rest of the conversation (Name, email, phone), address of the company as well as any additional address to whom invoice needs to be communicated.
We also store SMS data that is SMS content and phone numbers.
All information stored is in encrypted format. Along with the business related data,  account related information, such as customer id, company and fields is also stored.
You can find a full description of the data processing practices in our Privacy Policy: https://www.sms-magic.com/privacy-policy/

12. Do I need to sign a Data Processing Agreement/Addendum (DPA)?

Regardless of being a data controller or a data processor, when you transfer the personal data to us (and you do so using our services) you may need to enter into a Data Processing Agreement (DPA) with us if you are transferring any EU citizens personal data.

13. Will Screen Magic sign a Data Processing Agreement (“DPA”) with me?

Yes. We understand the GDPR has robust requirements and obligations for both data collectors and data processors and we are committed to helping our customers use screen magic in a compliant manner. We have made our DPA available online so that our customers can be confident that their data is processed in a lawful manner.

14. How should we notify customer of these new rights?

The European Commission has a website with guidance for its citizens on GDPR.

15. Can customer data in Screen Magic be encrypted?

Yes. Screen Magic chose to leverage standard encryption to demonstrate their security measures and to serve as an additional layer of precaution against a data breach.

16. What level of access does Screen Magic have within the customers’ Salesforce org?

Screen Magic personnel do not have access to our customers’ Salesforce org. Our customer support agents may need temporary access to a customer’s org for troubleshooting or setting up the SMS-Magic platform. Our support agent will only access a customer’s Salesforce org after receiving explicit consent from the customer via email. Customers are recommended to give limited profile access which is only needed for setup and troubleshooting purposes.

The SMS-Magic platform has API access to our customers’ Salesforce org, which is used programmatically for updating SMS transaction data in the customer’s Salesforce org and retrieving SMS aggregate data for quality checks. This API access is granted using OAuth by a particular user of the customer’s org. The SMS-Magic platform will have the same access level as the OAuth user but the platform only accesses SMS-Magic objects. It’s recommended that customers only grant limited access to SMS-Magic users.

17. When you delete a person record (Contact / Lead / Person Accounts) from your database, are all the associated records/objects deleted?

When a person record is deleted in the Screen Magic database, all the associated records are automatically deleted. However, additional steps may need to be taken in order to delete the personal data from other fields, like calendar events, tasks.

18. Is your server/data centre located in EU?

Yes, Screen Magic has a data centre in Europe hosted with Amazon AWS in Dublin, Ireland. If you are an existing EU customer of Screen-Magic, you can place a request to move your data from our US data centre to our Europe data centre.

19. What is your data retention/deletion policy?

Screen Magic has defined policy for data retention as well as deletion. Customer data is retained for the period of 6 months after which it is archived.
To delete data, customer has to send out a data deletion request to security@screen-magic.com . Once proper authentication of the request is completed, the data will be completely erased from the Screen Magic server.

20. How do you manage customer consent for sending text messages?

For SFDC, we have an opt-out and opt-in mechanism you can use.

If you are using our portal to send SMS, you can use the subscription feature to manage customer consent.
You can get in touch with our customer support at https://www.sms-magic.com/support/.