The information contained on this page is a commentary on the GDPR, as Chatfuel interprets it, as of the date of publication. We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. As a result, this information is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. CHATFUEL MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION ON THIS PAGE. This information is provided “as-is”. Information and views expressed here, including URL and other Internet website references, may change without notice. This document does not provide you with any legal rights to any intellectual property in any Chatfuel product. You may copy and use this information for your internal, reference purposes only.
What is GDPR?
On 25 May 2018, the most significant piece of European data protection legislation in 20 years became applicable. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection law across Europe, regardless of where that data is processed.
As a result of this change, many organizations that have access to and process the personal data of users in the EU are subject to the GDPR's rules. Many of our bot creators are based in the EU, and many of those outside the EU have EU-based bot users, so we need to address these rules accordingly.
What has Chatfuel done to comply?
Chatfuel is a company headquartered in the U.S., but we have customers and bot users located in the EU. Although we have no physical locations in the EU, we recognize that many of our users are directly affected by the GDPR. They expect us to comply so that they can continue using our product with confidence that they are doing so in accordance with the new legislation.
Therefore, we've addressed the GDPR requirements that apply to us as a processor (and in some cases a sub-processor) of personal data by implementing specific legal, technical and organizational measures aimed at addressing data privacy and security concerns:
We've put in place contractual measures in the form of a Data Processing Agreement (DPA) that meets the GDPR requirements. The DPA takes effect on the day the GDPR becomes applicable, and all platform users will be asked to accept its terms before that date.
We’ve ensured that we have appropriate contractual measures in place with each of our data subprocessors such as cloud service and analytics providers.
We've implemented and documented specific technical and organizational measures (Appendix 2 to the DPA) to ensure data privacy and security, and have put in place internal protocols and processes so that we can address the GDPR requirements regarding the storage, processing, and control of personal data.
GDPR Compliance Webinar
Watch the recording of the GDPR compliance webinar we held on April 26, 2018 to go over the specifics of the legislation and how it applies to Chatfuel, our customers, and the bot users. We also discuss the measures we have taken towards compliance with the requirements.
Q: Who are data controllers, processors, and sub-processors?
A data controller is the entity or person that determines the purposes and means of processing the personal data of individuals in the EU. A data processor processes personal data on behalf of, and on the instructions of, a controller. For example, Chatfuel is a data processor and, depending on their function, Chatfuel's customers (bot creators) are either controllers or primary processors in relation to personal data subject to the GDPR.
The GDPR applies to both data controllers and processors. Controllers collect data from the end user, who is in most cases an individual in the EU, for clearly stated purposes and on a lawful basis such as consent. Data processors provide services to the controller in accordance with each controller's instructions.
A further category, sub-processors, consists of third-party businesses that a processor engages to carry out processing on its behalf (for example, cloud hosting or analytics providers). Under the GDPR they are also accountable for the protection of personal data, and a processor may only engage them with the controller's authorization and under a written contract imposing the same data protection obligations.
Q: How do I ensure compliance if I am using 3rd party integrations (Zapier, Integromat, etc.)?
If you elect to integrate a 3rd party service and pass your bot users' data to it, you need to ensure that the service has taken the necessary measures to be compliant with the GDPR. Since bot admins have direct access to data and control both how data gets into Chatfuel and where it goes outside of Chatfuel, they are bound by GDPR rules as either a controller or a processor of that data. Talk to your legal counsel to evaluate your exposure to the GDPR and any additional steps you need to take to be in compliance.
Q: Can I continue using Chatfuel after May 25, 2018 and be sure that I'm in compliance with GDPR requirements?
We have taken the steps necessary for Chatfuel to comply with the GDPR requirements that apply to us as a processor. Accepting Chatfuel's DPA is an important step towards your own compliance, but it does not by itself make your organization compliant. Talk to your legal counsel to evaluate your individual organizational processes and understand what you may need to do in addition to ensure full compliance.
Please refer to Facebook’s GDPR Portal as well as GDPR guidance from the Messenger Platform for additional resources and FAQs.
If you have any additional questions or concerns, please let us know: firstname.lastname@example.org