GDPR Update for Corevist Clients
In February 2018, we published Part I of our GDPR series for Corevist clients. We gave a brief overview of the scope of GDPR and how it may affect your business. We also explained our commitment to our portion of GDPR compliance and the first steps we were taking to ensure that compliance.
In this post, I’ll give you a progress report on GDPR compliance at Corevist.
GDPR counsel engaged
To ensure that we fully cover our responsibilities under GDPR, Corevist has engaged legal counsel versed in GDPR. We’ve been working with this legal counsel to assess Corevist’s role and obligations under GDPR, given what we do, our target market, and our application. We’ve spent extensive time going through the Corevist Commerce app, dissecting its data usage, and mapping that to GDPR requirements.
Our legal counsel has helped us to come to the following conclusions about Corevist’s GDPR responsibilities.
1. Corevist is a data processor, not a data controller
We’ve concluded that Corevist is not a data controller under GDPR, but a data processor. There are no scenarios in which we’re acting as a data controller on behalf of our clients. Some companies function as both, but we are clearly in the processor space. The client, and not Corevist Commerce, maintains ownership and control over the personal data that is generated under our e-commerce services.
At the time of this writing, we have almost completed our meetings with clients regarding GDPR. In all cases, we have started the meetings by discussing Corevist’s role as a processor under GDPR. Every client we have spoken to agrees with this position, as does our legal counsel.
2. Corevist’s data processing does not revolve around consent
On the advice of our legal counsel, we’ve also taken the position that our justification for data processing does not revolve around consent. Rather, it revolves around the fact that the information we collect and process is necessary for us to deliver the goods and services that we’re contracted to provide to our clients.
3. Corevist will provide opt-out links for our business intelligence software
Corevist Commerce collects data in two business intelligence platforms: FullStory and Pendo. We will provide links from each vendor allowing end users to opt out of each of these analytics platforms. If the user clicks the link, it sends a cookie to that analytics vendor telling them not to track that user. We will take each vendor’s opt-out functionality and offer that within Corevist Commerce.
4. Corevist will provide GDPR addendums to all contracts
Every business affected by GDPR that has a contract with Corevist will receive an addendum to that contract. This includes clients, partners, vendors, and subcontractors. We are currently drafting these contracts and will provide them when they’re available.
Moving forward: Preparing for May 25
We will continue to update you on GDPR as it affects your Corevist Commerce initiative. As usual, if you have any questions or concerns, don’t hesitate to reach out to us directly. In the meantime, subscribe to our blog to keep up with this crucial topic.