The information contained on this page is a commentary on the GDPR, as Chatfuel interprets it, as of the date of publication. We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. As a result, this information is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. CHATFUEL MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION ON THIS PAGE. This information is provided “as-is”. Information and views expressed here, including URL and other Internet website references, may change without notice. This document does not provide you with any legal rights to any intellectual property in any Chatfuel product. You may copy and use this information for your internal, reference purposes only.
What is GDPR?
On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years went into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
As a result of this change, many organizations that have access to and process the personal data of EU-based users are subject to the rules and regulations that come into effect along with GDPR. Since many of our bot creators are based in the EU, while many of those outside the EU have EU-based bot users, we need to address these rules and regulations accordingly.
What has Chatfuel done to comply?
Chatfuel is a company headquartered in the U.S., but we have customers and bot users located in the EU. Despite the fact that we do not have any physical locations in the EU, we recognize the fact that many of our users are directly affected by the GDPR and expect us to comply in order to continue using our product and have the confidence that they can do it in accordance with the new legislation.
Therefore, we’ve addressed the GDPR requirements that would apply to us as processors (and in some cases subprocessors) of personal data by implementing specific legal, technical and organizational measures aimed to address data privacy and security concerns:
- We’ve put in place the contractual measures in the form of a Data Processing Agreement in accordance with the GDPR requirements that would come into effect the day GDPR comes into force and all platform users will be asked to accept the terms prior to that date.
- We’ve ensured that we have appropriate contractual measures in place with each of our data subprocessors such as cloud service and analytics providers.
- We’ve implemented and outlined specific technical and organizational measures (Appendix 2 to the DPA) to ensure data privacy and security and have put in place internal protocols and processes to ensure that we can address the GDPR requirements with regards to storage, processing, and control of personal data.
GDPR Compliance Webinar
Watch the recording of the GDPR compliance webinar we held on April 26, 2018 to go over the specifics of the legislation and how it applies to Chatfuel, our customers, and the bot users. We also discuss the measures we have taken towards compliance with the requirements.
Update: Facebook has released additional policy updates for Messenger related to new EU privacy laws. These changes are effective as of December 16, 2020. Visit our Messenger policy guide to find out how they may impact your chatbot.
Q: What is personal data?
- Any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as - name, email address or location, and also online identifiers like IP address, types of website cookies and other device identifiers.
Q: Who are data controllers, processors, and sub-processors?
- A data controller is the entity/person that determines purposes and means of processing personal data of the EU resident. For eg. Chatfuel is a data processor and, depending on their function, Chatfuel’s customers (bot creators) are either controllers or primary processors in relation to personal data subject to GDPR.
The GDPR applies to both data controllers and processors. Controllers collect data from the end-user who is, in most cases, the EU resident for purposes clearly stated and with appropriate consent. Data processors provide services to the controller in accordance with each controller's instructions.
Another category called sub-processors or third-party businesses performing data processing for other companies are also accountable for protection of personal data, according to the GDPR
Q: Does the GDPR require EU data to stay (be hosted/stored) in the EU?
- No, the GDPR does not require EU personal data to stay in the EU, nor does it materially change the landscape for data transfers outside the EU.
Data transfers from the EU to outside can be legitimized in many ways including:
- EU-US Privacy Shield
- Model or Contractual clauses
- Binding Corporate Rules (BCR)
Q: Does GDPR apply only to the EU residents’ personal data?
- GDPR does not only cover EU resident’s data. For example, data of US residents would also fall under GDPR to the extent an EU-established entity processes such data in the EU.
Q: Does GDPR apply to territories outside the EU?
- GDPR can apply any time personally identifiable information of any EU resident is stored and processed. It does not depend on the physical location / territory. Also, establishments in the EU are subject to GDPR regardless of where personal data comes from.
Q: How to ensure compliance if I am using 3rd party integrations (Zapier, Integromat, etc)
- If you elect to integrate a 3rd party service to pass your bot users’ data to, you need to ensure that the service has taken all the necessary measures to be compliant with GDPR. Since bot admins have direct access to data and control how data gets to Chatfuel as well as where the data goes outside of Chatfuel, they would be bound by GDPR rules as either a controller or a processor of data. Talk to your legal counsel to evaluate your exposure to GDPR and any additional steps you need to take to be in compliance.
Q: How do I handle user data deletion requests?
- If your users ask you to delete their personal data, you can simply delete those users from the ‘People’ tab in your bot’s dashboard. All of their data will be removed from our databases for that particular Facebook page. If you’ve passed any of your users’ data to any 3rd party services (Zapier, Integromat, a CRM service, etc), you are responsible for ensuring that the user data is deleted from those services as well.
Q: Can I continue using Chatfuel after May 25, 2017 and be sure that I’m in compliance with GDPR requirements?
- We have taken all the necessary steps for Chatfuel to be in compliance with the requirements of GDPR. Accepting the DPA agreement from Chatfuel is an important step towards your compliance. Talk to your legal counsel to evaluate your individual organizational processes and understand what you may need to do in addition to ensure full compliance.
Q: How to best communicate the steps Chatfuel has taken to be GDPR-compliant
- We’ve implemented specific legal, technical and organizational measures aimed to address data privacy and security concerns, such as:
- put in place the contractual measures in the form of a Data Processing Agreement in accordance with the GDPR requirements
- ensured that we have appropriate contractual measures in place with each of our data subprocessors such as cloud service and analytics providers
- implemented and outlined specific technical and organizational measures to ensure data privacy and security
Q: How do bot users opt-in and opt-out of sharing their data / manage consent?
- The way Messenger team answers this questions is:
“The GDPR defines several possible legal bases for processing information. Depending on your use-case, you may need to rely on users' explicit consent to process their data. The way you obtain consent may vary, for example you may want to ask for consent when a user is talking to your bot via message or a webview. We suggest you confer with legal counsel to determine the requirements for your business.”
When you collect any personal data from the bot users, you are responsible for establishing the proper ‘opt in’ mechanics as may be appropriate with regards to GDPR. If your users elect to opt-out, please reach out to us and we will remove their data individually.